No Practice Too Small for OCR: Vision Upright MRI Hit with HIPAA Settlement After Skipping Risk Analysis

By: Christopher Parrella, Esq., CPC, CHC, CPCO
Parrella Health Law, Boston, MA
A Health Care Provider Defense and Compliance Firm

The latest HIPAA enforcement action by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) serves as a wake-up call to small and solo health care providers: failing to conduct a security risk analysis is not just a regulatory oversight—it’s a breach waiting to happen.

On May 15, 2025, OCR announced a $5,000 settlement with Vision Upright MRI, a small radiology provider in California, after an unsecured server containing sensitive imaging data for 21,778 individuals was compromised by an unauthorized third party. The breach involved the provider’s Picture Archiving and Communication System (PACS), which stores and manages radiology images.

OCR’s investigation revealed that Vision Upright MRI had never conducted the required HIPAA Security Rule risk analysis and failed to notify affected individuals in the required 60-day timeframe.

Small Provider, Big Oversight

This case is not about the size of the practice or the amount of the financial penalty—it’s about the principle. Vision Upright MRI’s failure to conduct a basic HIPAA risk analysis placed the electronic protected health information (ePHI) of over 21,000 patients at risk. While $5,000 may seem like a slap on the wrist, the real penalty lies in the mandatory two-year corrective action plan and the reputational damage from federal enforcement.

OCR Acting Director Anthony Archeval put it plainly: “Cybersecurity threats affect large and small covered health care providers. Small providers also must conduct accurate and thorough risk analyses to identify potential risks and vulnerabilities to protected health information and secure them.”

Corrective Action: The Cost of Complacency

In addition to the $5,000 penalty, Vision Upright MRI must now:

  • Submit a complete risk analysis to OCR
  • Implement a risk management plan
  • Develop and revise HIPAA-compliant policies and procedures
  • Train its workforce on HIPAA and breach procedures
  • Complete all required breach notifications, years after the fact

These are not optional steps; they are regulatory obligations that any HIPAA-covered entity must meet, regardless of size.

Why It Matters to Your Practice

This enforcement action is part of OCR’s larger Risk Analysis Initiative, now in its sixth wave.

Providers of all sizes must understand: compliance isn’t a checklist you delay until there’s a breach—it’s your frontline defense. OCR has repeatedly emphasized that even small health care businesses must meet the same regulatory standards as hospitals and national chains.

For practices using imaging systems, cloud-based EHRs, or off-site data storage, conducting and documenting a full security risk analysis is more than best practice—it’s legally required.

Parrella Health Law Can Help

We’ve counseled dozens of radiology, imaging, and outpatient practices through HIPAA compliance issues, OCR audits, and breach response. Don’t wait until you’re the next headline.

If your practice has never conducted a HIPAA risk analysis or if your policies haven’t been updated since COVID, now is the time.

Contact Parrella Health Law at 857-328-0382 or email me directly at cparrella@parrellahealthlaw.com to schedule a HIPAA risk assessment or policy review.

Christopher A. Parrella, Esq., CPC, CHC, CPCO, is a leading healthcare defense and compliance attorney at Parrella Health Law in Boston. With extensive experience in healthcare law, he provides robust legal support in areas including regulatory compliance, audits, healthcare fraud defense, and reimbursement disputes. Christopher emphasizes client-centered advocacy, offering one-on-one consultations for personalized guidance. His proactive approach helps clients navigate complex healthcare regulations, ensuring compliant operations and defending against government investigations, audits, and overpayment demands.