Skip to main content

Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About
Trending Topics
    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Entertainment & Media
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor, Employment, and Benefits
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations
    Industries

    View All

    • Aviation
    • Cannabis
    • Consumer
    • Energy
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Nonprofit Organizations
    • Real Estate
    • Sports & Stadiums
    • Technology
    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Environmental, Social, and Governance (ESG)

      We help clients create positive return on investments in people, products, and the planet.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    • Women in Dealmaking

      We provide strategic counsel on complex corporate transactions and unite dynamic women in the dealmaking arena.

    1. Home
    2. Insights
    3. Articles
    4. OCR’s sixth HIPAA Risk Analysis Initiative settlement announced

      Articles

    Article

    OCR’s sixth HIPAA Risk Analysis Initiative settlement announced

    April 16, 2025

    LinkedInX (Twitter)EmailCopy URL

    By Valerie Montague, Meredith LaMaster and Grace ConnellyLindsay Vaughn, a legal intern in Nixon Peabody’s Healthcare practice and assisted with the preparation of this article.

    Northeast Radiology settles for $350,000over delayed breach detection, underscoring the need for a comprehensive security risk analysis.

    On April 10, 2025, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $350,000 settlement with Northeast Radiology, P.C., marking OCR’s sixth (6th) enforcement action under its Risk Analysis Initiative. This initiative underscores OCR’s commitment to ensuring that healthcare entities conduct thorough and accurate security risk analyses to protect electronic protected health information (ePHI).

    Delayed breach detection emphasizes need for risk analysis

    In March 2020, Northeast Radiology reported a breach to OCR involving unauthorized access to unsecured ePHI on Northeast Radiology’s Picture Archiving and Communication System (PACS) server, which stores, retrieves, manages, and accesses radiology images, during a period spanning from April 2019 to January 2020. The breach, which resulted in Northeast Radiology providing notice to 298,532 potentially impacted patients, remained undetected by the organization for approximately ten (10) months, a deficiency that may have been caught by more comprehensive security monitoring and security risk analysis processes. OCR’s investigation revealed that Northeast Radiology failed to conduct an accurate and thorough security risk analysis on the ePHI in its information systems, a fundamental requirement under the HIPAA Security Rule.

    Patience remains key during OCR investigations

    Like other recent settlements, this resolution agreement was executed by OCR in 2025 prior to the change in administration. Following its March 2020 breach report, Northeast Radiology signed the resolution agreement at the end of 2024, illustrating the multi-year timeline often involved in HIPAA enforcement matters. The length of time between breach notification and enforcement remains a common theme in OCR investigations—often due to the complexity of these reviews as well as the volume of reported breaches and complaints alleging HIPAA violations.

    Corrective Action Plan imposes familiar but meaningful obligations

    As part of the resolution agreement, Northeast Radiology has agreed to a two-year Corrective Action Plan (CAP) that aligns closely with those seen in other recent Risk Analysis Initiative settlements, including those with Northeast Surgical Group, VPN Solutions, and Elgon, Inc.

    All four CAPs require the HIPAA-regulated entities to: 

    • Conduct and document a HIPAA-compliant security risk analysis
    • Implement a written risk management plan
    • Revise or create HIPAA policies and procedures
    • Train workforce members and submit ongoing reports to OCR

    However, slight variations exist. For instance, the CAPs differ in the frequency in which entities must submit implementation reports and the level of detail required in documenting training completion or internal evaluations. These differences reflect OCR’s tailoring of oversight to the nature and scale of each entity’s compliance gaps.

    Key takeaways: Continued emphasis on security risk analysis enforcement

    This settlement further reinforces OCR’s intent to ensure HIPAA-regulated entities take their security risk analysis and management obligations seriously. As we move away from settlements finalized under the prior administration, it will be important to monitor whether the Risk Analysis Initiative remains a central pillar of the agency’s enforcement strategy in 2025 and beyond.

    Even if other aspects of HIPAA compliance rise to the forefront of OCR’s agenda, healthcare providers, health plans, and healthcare vendors would be wise to conduct comprehensive security risk analyses in order to understand key vulnerabilities, especially if an organization maintains ePHI on multiple servers.  Eradicating or mitigating risks to ePHI can prevent or limit not only OCR enforcement but also potential data incidents and costly class action litigation.

    OCR Action

    Practices

    HealthcareHealthcare Regulatory & ComplianceHealth Information - Privacy, Security & Data Sharing

    Industries

    Healthcare

    Insights And Happenings

    • Alert

      CMS proposes updates to the Transforming Episode Accountability Model

      May 2, 2025
    • Alert

      Executive Order targets higher education accreditors with focus on medical education

      April 28, 2025
    • Article

      New administration continues pace of OCR’s HIPAA enforcement

      April 25, 2025
    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • Cookie Preferences
    • Privacy Policy
    • Terms of Use
    • Accessibility Statement
    • Statement of Client Rights
    • Purchase Order Terms & Conditions
    • Nixon Peabody International LLC
    • PAL
    © 2025 Nixon Peabody. All rights reserved