The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has announced a settlement with Northeast Radiology, P.C. (NERAD), a medical imaging provider operating in New York and Connecticut, over potential violations of the HIPAA Security Rule.
OCR is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules. These rules establish the requirements that covered entities—such as health plans, healthcare providers, and clearinghouses—and their business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule, in particular, outlines national standards requiring administrative, physical, and technical safeguards to protect electronic protected health information (ePHI). A key component of this rule is the requirement for regulated entities to conduct a comprehensive risk analysis to identify potential threats and vulnerabilities to ePHI.
“A HIPAA risk analysis is essential to identifying where electronic protected health information is stored, and the security measures in place to protect it,” said OCR Acting Director, Anthony Archeval. “A failure to conduct a risk analysis often foreshadows a future HIPAA breach.”
This settlement marks the sixth enforcement action under OCR’s Risk Analysis Initiative. It resolves an investigation into a breach involving NERAD’s Picture Archiving and Communication System (PACS)—a server used to store, access, and manage radiology images.
The investigation began after NERAD reported a breach in March 2020, revealing that unauthorized individuals had accessed radiology images on their PACS server between April 2019 and January 2020. Approximately 298,532 patients were notified that their information may have been exposed. OCR’s investigation concluded that NERAD had not conducted an accurate and thorough risk analysis to identify risks to the security of their ePHI systems.
As part of the settlement, NERAD has agreed to pay $350,000 and implement a comprehensive corrective action plan monitored by OCR for two years. This plan includes:
- Performing a complete risk analysis to assess threats and vulnerabilities to ePHI;
- Developing and applying a risk management plan to address identified risks;
- Establishing a formal process to review information system activity (audit logs, access reports, and incident tracking reports);
- Maintaining and updating HIPAA compliance policies and procedures;
- Enhancing its HIPAA and security training programs for all staff with access to PHI.
OCR encourages all HIPAA-covered entities and business associates to take proactive steps to prevent cyber threats, including:
- Identifying where ePHI resides and how it moves through their systems;
- Integrating risk analysis and management into daily operations;
- Using audit controls to monitor system activity;
- Regularly reviewing system activity;
- Authenticating access to ensure only authorized individuals can access ePHI;
- Encrypting ePHI in transit and at rest, when appropriate;
- Learning from past security incidents to strengthen future responses;
- Providing ongoing, role-specific HIPAA training to workforce members.
For more information, you can view the full resolution agreement and corrective action plan here: OCR HIPAA Settlement with NERAD (PDF)
You can also access the HHS Breach Portal here: HHS Breach Portal