
Northeast Radiology Settles Alleged Risk Analysis HIPAA Violation with OCR

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its fourth financial penalty for a HIPAA violation under the Trump administration, and its sixth financial penalty under its risk analysis HIPAA enforcement initiative. Northeast Radiology, P.C., the operator of medical imaging centers in New York and Connecticut, has agreed to pay a $350,000 financial penalty to settle the alleged HIPAA violation and to adopt a corrective action plan addressing the issues OCR identified during its investigation. Under the settlement agreement, OCR will monitor Northeast Radiology's compliance with the corrective action plan for two years.

The OCR investigation was initiated in response to a network server hacking incident and data breach reported by Northeast Radiology on March 11, 2020. The incident involved the electronic protected health information (ePHI) of 298,532 individuals. As background, in 2019, security researchers identified vulnerabilities in the Picture Archiving and Communication Systems (PACS) used by hospitals, clinics, and radiology centers to share medical images, and Northeast Radiology and its vendor Alliance HealthCare Services were among the healthcare organizations affected. The researchers notified both entities about the vulnerabilities in December 2019.

The vulnerabilities potentially allowed unauthorized individuals to access medical images such as X-rays, CT scans, and MRIs, as well as the ePHI of patients stored in the PACS. Northeast Radiology investigated and determined that Alliance HealthCare Services had exposed medical images and ePHI such as names, test results, medical record numbers, dates of service, and Social Security numbers, and that between April 2019 and January 2020, unauthorized individuals had accessed its PACS.

A class action lawsuit was filed against Northeast Radiology and Alliance HealthCare Services in the New York District Court for the Southern District of New York over the data breach, although it was dismissed due to lack of standing. While the breach was reported to OCR as potentially affecting the data of 298,532 individuals, Northeast Radiology was only able to confirm that the data of 29 individuals had been accessed, and the two plaintiffs were not part of that small group.


OCR’s investigation determined that Northeast Radiology had failed to conduct a HIPAA-compliant risk analysis, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A) of the HIPAA Security Rule. This provision requires HIPAA-regulated entities to conduct a comprehensive and accurate risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Any identified risks must then be subjected to a risk management process and be reduced to a reasonable and appropriate level. “A HIPAA risk analysis is essential to identifying where electronic protected health information is stored, and the security measures in place to protect it,” said OCR Acting Director Anthony Archeval. “A failure to conduct a risk analysis often foreshadows a future HIPAA breach.”

The corrective action plan requires Northeast Radiology to conduct a comprehensive and accurate risk analysis, develop a risk management plan to reduce any risks and vulnerabilities identified through the risk analysis, develop and implement a process to regularly review records of activity in information systems containing ePHI, develop and implement policies and procedures to comply with the HIPAA Rules, distribute those policies to members of the workforce, and update and augment its HIPAA and security awareness training program for its workforce members.

OCR fines and settlements to resolve HIPAA violations 2020-2025

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve's editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
