Top of the World Ranch Treatment Center Settles with OCR

The U.S. Department of Health and Human Services Office for Civil Rights announced a settlement with Top of the World Ranch Treatment Center (TWRTC) in the amount of $103,000.

The HIPAA Security Rule requires administrative, physical, and technical safeguards to protect electronic protected health information (ePHI). Its Risk Analysis standard requires an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, and it applies to covered entities and business associates alike.

Organizations must identify where ePHI is stored and transmitted before they can protect it properly. This settlement is another example of why system-wide risk analyses are so important.

OCR opened its investigation after TWRTC reported a breach in March 2023. A phishing attack allowed an unauthorized party to access ePHI through an employee’s email account, exposing the ePHI of 1,980 patients.

OCR determined that TWRTC had failed to conduct an accurate and thorough risk analysis, a violation of the HIPAA Security Rule.

In addition to the payment, TWRTC agreed to implement a corrective action plan that OCR will monitor for two years.

Under the corrective action plan, TWRTC must:

• Conduct and complete an accurate and thorough risk analysis to identify risks and vulnerabilities to ePHI.

• Develop and implement a risk management plan to address identified security risks and vulnerabilities.

• Create, maintain, and update written policies and procedures to comply with HIPAA Privacy, Security, and Breach Notification Rules.

• Provide annual HIPAA training to workforce members who access ePHI. Employees are the first line of defense against phishing and other cyber threats, and this breach began with a single compromised mailbox.

Recommendations:

• Identify where ePHI is stored and how it enters, moves through, and exits your systems.

• Conduct regular risk analyses and update risk management measures to address identified vulnerabilities.

• Implement audit controls to record and examine system activity.

• Review system activity regularly to detect suspicious behavior.

• Use authentication mechanisms to verify users before granting access to ePHI. For email and remote access this means multi-factor authentication, so that a phished password alone is not enough to reach a mailbox.

• Encrypt ePHI in transit and at rest. Encryption is an addressable specification under the Security Rule, so if your risk analysis concludes it is not reasonable and appropriate in a given case, document that decision and the equivalent alternative measure you implemented instead.

• Incorporate lessons from security incidents into your security management process.

At Aris Medical Solutions, our online HIPAA Keeper™ is an all-in-one secure, cloud-based system that helps healthcare providers and business associates simplify compliance by maintaining their risk analyses, up-to-date policies and procedures, HIPAA training, and documentation to meet the requirements of the HIPAA Privacy and Security Rules.

Protect your organization before an attack happens.

Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

Vision Upright MRI fined $25K

OCR Settlement with Vision Upright MRI: The Risk of Unsecured PACS Servers

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached a settlement with Vision Upright MRI LLC (VUM) after finding that the medical imaging provider exposed patient information online through an unsecured Picture Archiving and Communication System (PACS) server.

This case is another reminder that failing to secure medical imaging systems, or to perform a HIPAA-compliant risk analysis, can result in costly investigations, corrective action plans, and long-term monitoring by federal regulators.

How the Breach Happened

VUM operated a PACS server used to store and share diagnostic images such as MRIs, CT scans, and X-rays. OCR received reports that this server was reachable from the public internet and allowed anyone to access patients’ protected health information (PHI), including the images themselves, their metadata, and identifying details.

On December 1, 2020, OCR notified VUM of a formal investigation into potential violations of the HIPAA Privacy, Security, and Breach Notification Rules. The inquiry focused on whether VUM had conducted proper risk assessments, secured its systems, and met notification deadlines required after discovering a breach.

OCR’s Findings

OCR determined that Vision Upright MRI:

  • Failed to conduct a HIPAA risk analysis — VUM had never performed an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), violating 45 C.F.R. § 164.308(a)(1)(ii)(A).
  • Failed to issue timely breach notifications — The organization did not notify affected individuals within 60 days of discovering the exposure, violating 45 C.F.R. § 164.404(a).

These lapses showed that VUM lacked the safeguards required under the HIPAA Security Rule and the incident-response and notification procedures required under the Breach Notification Rule.

Settlement Terms and Corrective Actions

As part of the settlement, VUM agreed to pay the resolution amount and implement a comprehensive Corrective Action Plan (CAP) overseen by OCR. The CAP requires the practice to:

  • Conduct a full organization-wide risk analysis, including vulnerability scans and penetration testing.
  • Develop a risk management plan to mitigate identified security gaps.
  • Update and distribute HIPAA Privacy, Security, and Breach Notification policies to all workforce members.
  • Provide annual HIPAA training for all staff with access to ePHI.
  • Investigate and report workforce noncompliance events on a quarterly basis.
  • Submit annual compliance reports to OCR and retain related documentation for six years.

The agreement is binding on VUM and its successors, underscoring OCR’s expectation that covered entities maintain compliance over time, not just during the settlement period.

Lessons for Healthcare Providers and Business Associates

The VUM case highlights several key takeaways for any healthcare organization that handles PHI:

  1. Unsecured PACS servers are a known risk.
    Imaging systems store and transmit PHI yet are often overlooked in IT risk analyses. The DICOM protocol they speak has no built-in user authentication, so a PACS listener exposed to the internet effectively exposes everything it stores. Ensure every device and data repository, imaging systems included, is in your risk inventory, is not reachable from outside your network unless it must be, and is tested for vulnerabilities.
  2. Risk analysis is not optional.
    HIPAA requires ongoing, accurate, and thorough assessments. This is not a one-time checkbox. Document each risk analysis, update it annually, and link findings directly to your risk-management plan.
  3. Breach notifications must be timely.
    The Breach Notification Rule requires notice without unreasonable delay and in no case later than 60 days after discovery; missing that deadline is itself a violation, separate from the breach. Have an incident-response plan ready so you can notify affected individuals, OCR, and (for breaches affecting 500 or more individuals) the media within the required window.
  4. Policies and training are the front line of compliance.
    Workforce awareness is critical. Staff who access PHI must understand how to handle data securely and report potential issues immediately.
  5. OCR oversight can last years.
    Corrective Action Plans often require multi-year reporting and documentation retention. Establishing compliance habits early reduces disruption and risk later.

Summary

This settlement underscores a critical lesson: a thorough, documented risk analysis, an active risk management plan, and appropriate policies and procedures are essential to preventing data breaches. An OCR investigation followed by a multi-year corrective action plan is a long and grueling process, and in this case it could have been avoided.

HIPAA Keeper™ by Aris Medical Solutions simplifies compliance with:

  • Built-in risk analysis and management plans
  • Customizable policies and procedures
  • Workforce training tracking and certificates
  • Secure Breach Notification and Incident Response forms

Stay ahead of OCR investigations—protect your patients, your reputation, and your practice.

Don’t leave patient data exposed.

Schedule your HIPAA Risk Analysis with Aris Medical Solutions today.

©2026 Aris Medical Solutions – HIPAA Keeper | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website are owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC