The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has recently announced three additional enforcement actions under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlements—with Vision Upright MRI, BayCare Health System, Inc., and Comstar, LLC—reinforce OCR’s ongoing focus on core compliance obligations including timely breach notification, comprehensive risk analysis, and appropriate access controls for electronic protected health information (ePHI).
Each resolution includes a financial settlement and a corrective action plan (CAP) tailored to the specific compliance gaps identified. While the circumstances vary across the three entities, the common thread is clear: OCR continues to hold covered entities and business associates accountable for failures to proactively assess and manage HIPAA-related risk.
Missed risk analysis leads to $5k settlement
Following a breach involving a server that stored imaging files and related ePHI, OCR initiated a compliance review of Vision Upright MRI LLC (Vision Upright MRI), a small California-based provider of diagnostic imaging services. The breach exposed the data of 21,778 individuals and raised concerns about the provider’s broader privacy and security practices. OCR’s investigation revealed two key failures: Vision Upright MRI had never conducted a risk analysis to identify potential risks and vulnerabilities to the ePHI it held, and it did not notify affected individuals, HHS, or the media of the breach within the timeframe required under the HIPAA Breach Notification Rule, which calls for notification without unreasonable delay and in no case later than 60 calendar days after discovery.
To resolve the matter, Vision Upright MRI agreed to pay $5,000 and implement a two-year CAP. Required measures under the CAP include providing overdue breach notifications, conducting a comprehensive risk analysis, developing a risk management plan, and training workforce members on updated privacy and security policies.
Inadequate access controls result in $800k settlement
OCR initiated an investigation into BayCare Health System (BayCare) following the receipt of an October 2018 complaint. The complainant alleged that, after receiving treatment at a BayCare facility, she was contacted by an unknown individual who had photographs of her printed medical records, as well as a video of someone scrolling through her records on a computer screen.
OCR’s investigation revealed that the credentials used to access the complainant’s records belonged to a former employee of a physician practice affiliated with the health system, and that BayCare had not adequately restricted that individual’s access to ePHI upon termination. OCR also determined that BayCare lacked policies and procedures to prevent improper credential use, had not implemented security measures sufficient to reduce identified risks to a reasonable and appropriate level, and did not regularly review records of information system activity (such as audit logs and access reports) that could have detected the unauthorized access. Together these lapses implicated several HIPAA Security Rule requirements, including access control, risk management, and information system activity review.
The resolution agreement included an $800,000 financial settlement and a two-year CAP requiring BayCare to conduct a comprehensive risk analysis, develop a responsive risk management plan, review and revise its access control and audit practices, and deliver updated HIPAA training to relevant workforce members.
Ransomware breach sparks $75k risk analysis enforcement action
Comstar, LLC (Comstar), a Massachusetts-based medical billing company serving emergency medical services providers, reported a 2022 ransomware attack that encrypted its network servers and compromised the data of approximately 585,000 individuals. As a HIPAA business associate, Comstar provided services to over 70 HIPAA covered entities.
OCR’s investigation found that Comstar had not conducted an accurate and thorough risk analysis as required by the HIPAA Security Rule. OCR determined that the company also failed to implement sufficient risk management measures to reduce vulnerabilities to a reasonable and appropriate level.
This enforcement marks the ninth action under OCR’s Risk Analysis Initiative, which targets entities that fail to comply with this fundamental HIPAA Security Rule requirement. To resolve the matter, Comstar agreed to pay $75,000 and implement a two-year CAP requiring completion of a full risk analysis, updated risk management protocols, policy revisions, and workforce training.
Proactive HIPAA compliance: Best practices for risk management and breach response
These settlements serve as a reminder that OCR expects HIPAA-regulated entities to take a proactive and documented approach to privacy and security. Whether responding to a breach, managing workforce access, or assessing third-party service providers, regulated entities must be able to demonstrate that they have implemented safeguards tailored to the sensitivity of the data they handle.
OCR’s recent enforcement activity continues to focus on risk analysis, access management, and timely breach response, regardless of an entity’s size, resources, or complexity; the settlement amounts in these three actions range from $5,000 to $800,000, but the underlying expectations are the same. Organizations that let compliance programs go stale, or that rely on informal practices in lieu of written policies and documented reviews, remain exposed to regulatory scrutiny.
Now is a good time for covered entities and business associates to reexamine their HIPAA compliance programs, with particular attention to how risks are identified, documented, and addressed.