This document summarizes recent HIPAA enforcement actions, lessons learned from breaches, and updates on OCR guidance and auditing. It finds that theft and loss account for most large breaches, and laptops and portable devices account for a third of large breaches. Recent enforcement actions targeted entities with security failures during system changes. OCR will expand auditing to include business associates and focus on areas like security and individual rights compliance.