As RPP was going to press, the HHS Office for Civil Rights (OCR) announced a new settlement with a Tennessee-based medical imaging firm for a host of violations dating back to 2013 or earlier. OCR alleged Touchstone Medical Imaging LLC exposed protected health information for more than 307,000 individuals via the internet, failed to notify affected patients within the required time period, and did not have appropriate business associate agreements in place (and apparently still doesn’t in one case), among other issues. OCR, which recently lowered its maximum penalty tiers, provided no information on how it arrived at the $3 million (“Easy Win for MD Anderson? OCR Drops Annual Caps, Issues Warning on Right-of-Access Denials,” RPP 19, no. 5). The imaging firm did not admit liability but agreed to a two-year corrective action plan. The June issue of RPP will explore the settlement in more detail. See the announcement at http://bit.ly/2YcrK7g.