In an unprecedented enforcement action, the Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) recently imposed a $4.3 million civil monetary fine and reached a $1 million settlement as punishment for violations of the Health Insurance Portability and Accountability Act (“HIPAA”). The $4.3 million fine was the first civil money penalty issued by HHS for HIPAA Privacy Rule violations and may signify a change by HHS and OCR to enforce violations with a more heavy‐handed approach.