After over almost four months of no new HIPAA Resolution Agreements or Civil Money Penalties, OCR quietly posted two new HIPAA settlement agreements at the end of July.  At first glance, both appear to be “run-of-the-mill” cases with nothing much new to learn with the first one resulting in OCR finding that the covered entity failed to even complete a basic Security Risk Analysis and training of workforce, and the other involving – yes, yet again – a stolen unencrypted laptop.  However, the second case in particular deserves closer examination where it has embedded in it more complex corporate structure and liability issues where it actually involved two legally separate covered entities that elected to designated themselves as a single covered entity for purposes of HIPAA.  Let’s look at each case separately.