OCR settlement: Cracking down on HIPAA risk analysis gaps

Northeast Radiology paid $350,000 and agreed to implement a corrective action plan to resolve OCR's sixth enforcement action under its HIPAA risk analysis initiative.

The HHS Office for Civil Rights settled a case with Northeast Radiology over potential HIPAA risk analysis deficiencies. Northeast Radiology, which provides medical imaging services in New York and Connecticut, paid OCR $350,000 and agreed to implement a corrective action plan to improve its HIPAA Security Rule compliance.

OCR's investigation began after it received a notification from Northeast Radiology in March 2020 about a breach of unsecured electronic protected health information (ePHI). Northeast Radiology said that unauthorized individuals had accessed radiology images stored on its Picture Archiving and Communication Systems (PACS) server. The breach impacted more than 298,000 individuals.

OCR found that Northeast Radiology failed to conduct a thorough and accurate risk analysis as required by the HIPAA Security Rule.

In addition to paying $350,000, the settlement terms require Northeast Radiology to conduct a thorough risk analysis to identify potential vulnerabilities to ePHI and to develop a written process for reviewing records of information system activity. Northeast Radiology will also have to ensure that workforce members who have access to ePHI receive proper HIPAA training.

"A HIPAA risk analysis is essential to identifying where electronic protected health information is stored, and the security measures in place to protect it," Anthony Archeval, OCR's acting director, said in the settlement announcement. "A failure to conduct a risk analysis often foreshadows a future HIPAA breach."

This settlement marked OCR's sixth enforcement action under its risk analysis initiative.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.