The Raleigh Orthopedic Clinic, P.A. in North Carolina agreed to pay $750,000 to the Department of Health and Human Services (HHS) to settle claims that it did not enter into a written business associate agreement (BAA) before sharing patient data with a third-party vendor, as required by the Health Insurance Portability and Accountability Act (HIPAA). The settlement underscores how aggressive HHS has become in going after entities that fail to comply with HIPAA, even where the entities self-report the violation and there is no evidence of any harm to patients or their privacy. This is the second settlement in recent months involving failure to have a BAA, with North Memorial Health Care of Minnesota settling with HHS for $1.55 million in March. However, unlike the North Memorial case, which also involved security failures, the allegations against Raleigh Orthopedic appear to focus solely on the lack of a BAA, highlighting the importance of ensuring that BAAs are in place wherever necessary.