Vision Upright MRI LLC agreed to a two-year Corrective Action Plan with the U.S. Department of Health and Human Services after violating HIPAA by exposing patient information, requiring the company to implement stricter privacy and security measures.
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a $5,000 financial penalty against Vision Upright MRI LLC, a small magnetic resonance imaging (MRI) provider in San Jose, California. The settlement resolves alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), specifically the Security Rule’s risk analysis provision and the Breach Notification Rule.
OCR initiated its investigation into Vision Upright MRI on December 1, 2020, uncovering multiple serious HIPAA violations. Investigators found that the imaging provider had never conducted a comprehensive and accurate risk analysis, a foundational requirement of the HIPAA Security Rule. This failure left the provider ill-equipped to identify and address vulnerabilities to electronic protected health information (ePHI).
In addition, Vision Upright MRI failed to notify both HHS and the affected individuals within the mandated 60-day period following the discovery of a data breach. The breach, which exposed the ePHI, including radiology images, of at least 21,778 individuals, had not been reported to the California Attorney General either. The only public notice from the provider appears in the OCR breach portal, dated March 10, 2025, and lists 23,031 individuals, though it remains unclear whether this listing is related to the current enforcement action.
OCR’s investigation revealed that the compromised data resided on an unsecured Picture Archiving and Communication System (PACS) server, which was accessed by an unauthorized third party. It is still unknown whether the access was the result of hacking, security research, or inadvertent exposure.
The U.S. Department of Health and Human Services (HHS) issued a Corrective Action Plan (CAP) to Vision Upright MRI LLC (VUM) following a HIPAA violation involving the exposure of protected health information (PHI). Under the CAP, VUM agreed to take several corrective steps. According to the document, “VUM hereby enters into this Corrective Action Plan (CAP) with the United States Department of Health and Human Services, Office for Civil Rights (HHS).”
Key requirements include:
The CAP is in effect for two years, with possible extensions if violations are found.
“The Compliance Term shall not end until HHS notifies VUM that it has determined that the breach has been cured.”
The case demonstrates the increasing scrutiny OCR is placing on two important HIPAA compliance areas: risk analysis and breach notification. The HIPAA Breach Notification Rule mandates that covered entities report breaches of unsecured ePHI to OCR, notify affected individuals within 60 days, and issue a media notice for breaches affecting 500 or more individuals.
This is the second enforcement action this year to include a penalty for delayed breach notification, reinforcing OCR’s intent to crack down on such delays, regardless of an organization’s size.
Vision Upright MRI will pay a $5,000 penalty and enter into a two-year corrective action plan (CAP). Under the CAP, the provider must conduct a thorough risk analysis, implement a risk management plan, update HIPAA policies and procedures, train its workforce, and issue overdue breach notifications.
This settlement sends a message that no healthcare provider is too small to fall under OCR’s enforcement radar.
HIPAA is enforced by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR).
Investigations may be triggered by complaints, breach reports, media reports, or random audits.
Penalties depend on the nature of the violation, the level of negligence, and the organization's compliance efforts.