MRI provider fined for HIPAA failures

A small MRI clinic has been fined for failing basic HIPAA requirements, showing that even small providers face consequences for neglecting the risk analysis and breach notification rules.

What happened

Vision Upright MRI LLC, a small medical imaging provider in San Jose, California, has agreed to pay a $5,000 financial penalty to resolve alleged HIPAA violations. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) cited the company for failing to conduct a proper risk analysis and for not issuing timely breach notifications, as required under the HIPAA Security and Breach Notification Rules.

The settlement marks the eighth HIPAA financial penalty under the Trump administration and the second enforcement action this year involving delayed breach notification.

Going deeper

OCR opened its investigation into Vision Upright MRI in December 2020, though the source of the original breach report remains unclear. According to investigators, the provider failed to report a data breach or notify affected individuals, despite evidence that unauthorized access had occurred.

OCR found that sensitive data, including medical images and associated electronic protected health information (ePHI) of 21,778 individuals, was left exposed on an unsecured Picture Archiving and Communication System (PACS) server. The server, which stored and served radiology images, had been accessed by an unknown third party. Whether that access was malicious or incidental remains unconfirmed.

OCR concluded that Vision Upright MRI never conducted a comprehensive risk analysis, which is a foundational HIPAA Security Rule requirement. Additionally, it failed to notify patients or regulators about the breach within the required 60-day timeframe. The only breach reported by the provider was on March 10, 2025, listing 23,031 individuals affected.

What was said

“Cybersecurity threats affect large and small covered health care providers,” said OCR Acting Director Anthony Archeval. “Small providers also must conduct accurate and thorough risk analyses to identify potential risks and vulnerabilities to protected health information and secure them.”

The resolution includes a corrective action plan (CAP), which OCR will monitor for two years. Under the CAP, Vision Upright MRI must:

  • Complete a full risk analysis and implement a risk management plan
  • Establish and distribute HIPAA policies and procedures
  • Train all workforce members on HIPAA compliance
  • Issue all required breach notifications

The big picture

The Vision Upright case shows that HIPAA enforcement applies to providers of all sizes. While large-scale breaches make the headlines, smaller organizations are held equally accountable for safeguarding patient data. OCR's continued focus on risk analysis reflects the expectation that every covered entity, regardless of size, proactively identifies and addresses the vulnerabilities in its systems that hold ePHI.

FAQs

What is a risk analysis under HIPAA, and why is it important?

A HIPAA risk analysis is the assessment the Security Rule requires of every covered entity and business associate: an accurate and thorough evaluation of the potential threats and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) the organization creates, receives, maintains, or transmits. It is the foundation for the risk management plan and the safeguards that follow; without it, an organization cannot show that its controls address the risks it actually faces.

How does the OCR decide whether to issue a financial penalty?

OCR considers factors like the severity of the violation, the size of the organization, history of noncompliance, and whether timely corrective actions were taken after a breach.

Are small healthcare providers held to the same HIPAA standards as large ones?

Yes. HIPAA applies to all covered entities and business associates, regardless of size. The Security Rule lets an organization scale how it implements the safeguards to its size, complexity, and resources, but the standards themselves, including conducting a risk analysis and issuing breach notifications on time, are the same for a single-site clinic as for a hospital system.

What happens after a HIPAA settlement is reached?

In most cases, a resolution includes a corrective action plan (CAP), which may involve ongoing monitoring, mandatory training, updated policies, and periodic reporting to OCR.

What are the consequences of failing to issue timely breach notifications?

Delays can result in financial penalties, reputational damage, and increased scrutiny from regulators, even if the breach affects a relatively small number of patients.