A Practice Note addressing settlement agreements entered into between the Department of Health & Human Services (HHS) and covered entities (CEs) or business associates (BAs) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to resolve potential violations of HIPAA's privacy, security, and breach notification rules. This resource focuses on the types of violations that are likely to trigger an HHS investigation of a CE's or BA's HIPAA compliance efforts, which in turn can lead to significant penalties and compliance obligations.