The Department of Health and Human Services announced that the University of Mississippi Medical Center (UMMC) had agreed to settle allegations that it violated the Health Insurance Portability and Accountability Act (HIPAA) and to pay $2.75 million. The allegations stem from the disappearance of a laptop computer containing the protected health information (PHI) of approximately 10,000 people, which led to HHS uncovering a panoply of alleged security management failures. Under the terms of the settlement, in addition to the hefty fine, UMMC agreed to implement a three-year corrective action plan. The plan requires designating a person to monitor compliance; drafting an enterprise-wide risk analysis and risk management plan; updating UMMC’s security policies and procedures; and implementing various training, reporting, and document retention requirements. It also requires UMMC to revise its breach notification policy to state that, following the discovery of a breach, it must notify each individual who is reasonably believed to have been affected. And it requires UMMC to assign unique user identification to identify and track users of all information systems that contain PHI.