If you read the article closely, the health care organizations agreed “to settle charges that they POTENTIALLY violated HIPAA”. Additionally, “both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.” All but one of these “remediations” are standard requirements per HIPAA guidelines. The one that is not… progress reports… guess OCR wants to make sure they follow through on what they should have had in place already.

Data breach results in $4.8 million HIPAA settlements.