The U.S. Department of Health and Human Services’ Office for Civil Rights has had an active start to 2017. The agency announced resolution agreements with MAPFRE Life Insurance of Puerto Rico and Presence Health as well as a final determination against Children’s Medical Center of Dallas that includes a $3.2 million civil monetary penalty. The actions highlight the need for companies to issue timely breach notifications, complete promised actions, and take swift remedial action to address known vulnerabilities. This article explains the three actions, provides advice on working with HHS, and examines 2017 regulatory expectations.

“One thing that’s evident from these and other settlements is that once OCR is doing an investigation, it is not going to look only at the issue in question. It will open the door to a wider assessment of your HIPAA policies and procedures and practices. Once you’re in the spotlight, expect the spotlight to shine more broadly,” Lisa Sotto, a partner at Hunton & Williams, told Cybersecurity Law Report.

See also “Year-End HIPAA Settlements May Signal More Aggressive Enforcement by HHS” (Dec. 9, 2015).