At the end of February, the Department of Health and Human Services Office for Civil Rights (“OCR”) issued two press releases concerning million-dollar HIPAA Privacy Rule violations. Under the HIPAA Privacy Rule, health plans, health care clearinghouses and covered health care providers are required, subject to both civil and criminal penalties, to protect the privacy of patient information through the use of constant administrative, physical and technical safeguards.

In a February 22 press release, OCR announced its imposition of a $4.3 million civil penalty for Cignet Health’s (Prince George’s County, D) violation of the HIPAA Privacy Rule, which marked the first civil money penalty issued by HHS for HIPAA Privacy Rule violations. Cignet Health was found to have willfully neglected its duty to comply with the Privacy Rule.

Two days later, on February 24, OCR announced in a press release a $1 million settlement with Massachusetts General for alleged violations of the HIPAA Privacy Rule. The settlement payment arose from an OCR investigation following Massachusetts General’s loss of the protected health information (“PHI”) of 192 patients. The investigation indicated that Massachusetts General failed to implement reasonable, appropriate safeguards to protect the privacy of PHI. In connection with the settlement, Massachusetts General also agreed to enter into a Corrective Action Plan to develop, implement, train and enforce privacy policies that ensure PHI is protected.

The ramifications of both incidents should serve as a reminder to businesses in the healthcare sector of their responsibility to protect their patients' privacy. As noted by OCR Director Georgina Verdugo, “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules.”