medcomply.ai
Intel
The HIPAA Security Rule — A Complete Guide for 2026 · Security RuleUnderstanding the HIPAA Breach Notification Rule · Data BreachHIPAA breach notification overview · Data BreachHow to respond to a HIPAA breach · Data BreachHIPAA compliance checklist for covered entities · AnalysisOCR audit preparation checklist and evidence map · OCR EnforcementPatient rights under HIPAA: practical guide · Rule UpdateHIPAA staff training requirements and cadence · AnalysisHIPAA for SaaS and technology vendors · SaaS & TechnologyHIPAA Security Rule overview for compliance teams · Security RuleWhat is a Business Associate Agreement (BAA)? · BAAWhat counts as PHI under HIPAA? · Privacy RuleThe HIPAA Security Rule — A Complete Guide for 2026 · Security RuleUnderstanding the HIPAA Breach Notification Rule · Data BreachHIPAA breach notification overview · Data BreachHow to respond to a HIPAA breach · Data BreachHIPAA compliance checklist for covered entities · AnalysisOCR audit preparation checklist and evidence map · OCR EnforcementPatient rights under HIPAA: practical guide · Rule UpdateHIPAA staff training requirements and cadence · AnalysisHIPAA for SaaS and technology vendors · SaaS & TechnologyHIPAA Security Rule overview for compliance teams · Security RuleWhat is a Business Associate Agreement (BAA)? · BAAWhat counts as PHI under HIPAA? · Privacy Rule
settlement

OCR Settles Second Case in HIPAA Right of Access InitiativeCorrective action / RA

Resolution Dec 2019

Penalty

Corrective action / RA

Action type

Settlement

Entity profile

Case number

What went wrong

OCR Settles Second Case in HIPAA Right of Access Initiative - December 12, 2019

  • Navigate to: HIPAA for Professionals Regulatory Initiatives Privacy Summary of the Privacy Rule Guidance Combined Text of All Rules HIPAA Related Links Security Security Rule NPRM Summary of the Security Rule Security Guidance Cyber Security Guidance Breach Notification Breach Reporting Guidance Reports to Congress Regulation History Compliance & Enforcement Enforcement Rule Enforcement Process En

Full description

Navigate to: HIPAA for Professionals Regulatory Initiatives Privacy Summary of the Privacy Rule Guidance Combined Text of All Rules HIPAA Related Links Security Security Rule NPRM Summary of the Security Rule Security Guidance Cyber Security Guidance Breach Notification Breach Reporting Guidance Reports to Congress Regulation History Compliance & Enforcement Enforcement Rule Enforcement Process Enforcement Data Resolution Agreements Case Examples Audit Reports to Congress State Attorneys General Special Topics Parental Access Mental and Behavioral Health Change Healthcare Cybersecurity Incident FAQs HIPAA and COVID-19 HIPAA and Reproductive Health HIPAA and Final Rule Notice HIPAA and Telehealth HIPAA and FERPA Research Public Health Emergency Response Health Information Technology Health Apps Patient Safety Covered Entities & Business Associates Business Associate Contracts Business Associates Training & Resources FAQs for Professionals Other Administrative Simplification Rules Substance Use Disorder Confidentiality OCR Settles Second Case in HIPAA Right of Access Initiative The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services is announcing its second enforcement action and settlement under its HIPAA Right of Access Initiative. OCR announced this initiative earlier this year promising to vigorously enforce the rights of patients to get access to their medical records promptly, without being overcharged, and in the readily producible format of their choice. Korunda Medical, LLC (Korunda) has agreed to take corrective actions and pay $85,000 to settle a potential violation of HIPAA’s right of access provision. Korunda is a Florida-based company that provides comprehensive primary care and interventional pain management to approximately 2,000 patients annually. Read the HHS Press Release Read the HHS Press Release Read the Resolution Agreement* People using assistive technology may not be able to fully access information in this file. For assistance, contact the HHS Office for Civil Rights at (800) 368-1019, TDD toll-free: (800) 537-7697, or by emailing OCRMail@hhs.gov. Content last reviewed December 12, 2019

Timeline

  • ResolutionDec 2019
  • Incident and investigation milestones are not consistently published by OCR in machine-readable form.

Key takeaways for your organization

  • Treat internet-facing systems and vendor-hosted environments as in-scope for HIPAA risk analysis and technical safeguards testing.
  • Maintain an actionable risk analysis tied to remediation milestones; evidence should map to Security Rule implementation specifications.
  • Align policies, procedures, and evidence with the specific CFR provisions cited in OCR resolutions affecting your entity type.
  • Run tabletop exercises for breach response, OCR inquiry handling, and privilege-preserving communications with counsel.

Related actions

Security Rule NPRM

Summary of the Security Rule

Security Guidance

Source

U.S. Department of Health and Human Services release

Source: U.S. Department of Health and Human Services, Office for Civil Rights. medcomply.ai aggregates public materials for educational use — not legal advice.