Enforcement Action | Live
HHS OCR HIPAA settlement with MMG Fusion (business associate) emphasizes risk analysis and breach notification; includes corrective action plan
HIPAA Security Rule / HIPAA Breach Notification (HHS OCR enforcement) | U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) | US
Announced
Mar 5, 2026
Description
OCR announced a HIPAA enforcement settlement with MMG Fusion, LLC (described as a software company and business associate). OCR cited alleged gaps including failure to conduct an accurate and thorough Security Rule risk analysis and failure to provide timely breach notification to covered entities. The settlement includes a resolution agreement/corrective action plan with multi-year monitoring. For vendor cybersecurity programs, this reinforces that business associates must maintain documented risk analysis, risk management, policies/procedures, and breach notification processes suitable for regulated timelines and contractual commitments.