On April 10, 2025, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $350,000 settlement with Northeast Radiology, P.C., marking OCR’s sixth (6th) enforcement action under its Risk Analysis Initiative. This initiative underscores OCR’s commitment to ensuring that healthcare entities conduct thorough and accurate security risk analyses to protect electronic protected health information (ePHI).
Delayed breach detection emphasizes need for risk analysis
In March 2020, Northeast Radiology reported a breach to OCR involving unauthorized access to unsecured ePHI on Northeast Radiology’s Picture Archiving and Communication System (PACS) server, which stores, retrieves, manages, and accesses radiology images, during a period spanning from April 2019 to January 2020. The breach, which resulted in Northeast Radiology providing notice to 298,532 potentially impacted patients, remained undetected by the organization for approximately ten (10) months, a deficiency that may have been caught by more comprehensive security monitoring and security risk analysis processes. OCR’s investigation revealed that Northeast Radiology failed to conduct an accurate and thorough security risk analysis on the ePHI in its information systems, a fundamental requirement under the HIPAA Security Rule.
Patience remains key during OCR investigations
Like other recent settlements, this resolution agreement was executed by OCR in 2025 prior to the change in administration. Following its March 2020 breach report, Northeast Radiology signed the resolution agreement at the end of 2024, illustrating the multi-year timeline often involved in HIPAA enforcement matters. The length of time between breach notification and enforcement remains a common theme in OCR investigations—often due to the complexity of these reviews as well as the volume of reported breaches and complaints alleging HIPAA violations.
Corrective Action Plan imposes familiar but meaningful obligations
As part of the resolution agreement, Northeast Radiology has agreed to a two-year Corrective Action Plan (CAP) that aligns closely with those seen in other recent Risk Analysis Initiative settlements, including those with Northeast Surgical Group, VPN Solutions, and Elgon, Inc.
All four CAPs require the HIPAA-regulated entities to:
- Conduct and document a HIPAA-compliant security risk analysis
- Implement a written risk management plan
- Revise or create HIPAA policies and procedures
- Train workforce members and submit ongoing reports to OCR
However, slight variations exist. For instance, the CAPs differ in the frequency in which entities must submit implementation reports and the level of detail required in documenting training completion or internal evaluations. These differences reflect OCR’s tailoring of oversight to the nature and scale of each entity’s compliance gaps.
Key takeaways: Continued emphasis on security risk analysis enforcement
This settlement further reinforces OCR’s intent to ensure HIPAA-regulated entities take their security risk analysis and management obligations seriously. As we move away from settlements finalized under the prior administration, it will be important to monitor whether the Risk Analysis Initiative remains a central pillar of the agency’s enforcement strategy in 2025 and beyond.
Even if other aspects of HIPAA compliance rise to the forefront of OCR’s agenda, healthcare providers, health plans, and healthcare vendors would be wise to conduct comprehensive security risk analyses in order to understand key vulnerabilities, especially if an organization maintains ePHI on multiple servers. Eradicating or mitigating risks to ePHI can prevent or limit not only OCR enforcement but also potential data incidents and costly class action litigation.