After a quiet start, 2019 developed into another active enforcement year for HIPAA, with a notable flurry of activity in the last three months of 2019. One significant enforcement development was OCR’s announcement of two settlements pursuant to its “HIPAA Right of Access Initiative.” Otherwise, OCR remained consistent in its focus on several recurring compliance points, including the importance of: conducting enterprise-wide security risk assessments, remediating identified vulnerabilities, entering compliant business associate agreements, and implementing appropriate policies and procedures. Additional notable HIPAA activity from 2019 and early 2020 included an exercise of enforcement discretion by OCR regarding HIPAA civil money penalties, an update to the Security Risk Assessment tool, and a key January 2020 decision from the U.S. District Court for the District of Columbia vacating controversial portions of the U.S. Department of Health and Human Services’ (“HHS”) regulations and guidance regarding access and copy fees for third party requests for protected health information (“PHI”).