HIPAA Training for Nurses
HIPAA training for nurses and nursing assistants must be designed to prepare frontline caregivers for the moments in daily patient care when the instinct to be caring, compassionate, or helpful can unintentionally override compliance with HIPAA policies and procedures. Healthcare organizations that qualify as HIPAA covered entities are required to implement policies and procedures with respect to Protected Health Information that are designed to comply with the requirements of the HIPAA Privacy Rule and the HIPAA Breach Notification Rule. They must then train workforce members on the policies and procedures that apply to their roles. However, role-based training on policies and procedures alone can leave knowledge gaps. These gaps can result in impermissible disclosures, inappropriate responses to security incidents, and guesswork when confronted with a compliance situation for which no training has been received. Role-based training can also increase the risk of errors during cross-coverage or task shifting. This is particularly true with regards to HIPAA training for nurses and...
PHI of Almost 93,000 Patients Compromised in Cyberattack on NS Support
NS Support LLC, a Boise, Idaho-based healthcare provider specializing in neurosurgical treatment for conditions such as brain tumors, reported a hacking-related data breach to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on November 21, 2025, that affected up to 92,845 individuals. Unauthorized access to its computer network was detected on or around May 29, 2025, and third-party digital forensics specialists were engaged to assist with the investigation and ensure the security of its network. The investigation confirmed that there had been unauthorized network access and that files had been exfiltrated from its network. Following a detailed review of the affected files, NS Support determined on November 7, 2025, that patients’ protected health information was involved. The data compromised in the incident included first and last names and medical information in the form of notes that had been transcribed from appointments with a physician. Social Security numbers and financial information were not compromised in the incident, and NS Support has...
OCR Agrees to $112,500 Settlement with Concentra to Resolve HIPAA Right of Access Violation
Concentra Inc. has agreed to settle an alleged violation of the HIPAA Right of Access with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and will pay a $112,500 financial penalty, despite contesting OCR’s determination that there had been a HIPAA violation. The HIPAA Privacy Rule gives individuals rights over their protected health information (PHI), including the right to obtain a copy of their PHI and only be charged a reasonable, cost-based fee. If a request for a copy of an individual’s medical records is received by a HIPAA-covered entity, the requested records must be provided within 30 days. The records should be provided in the format requested, provided that the covered entity is able to readily produce them in the requested format. OCR launched an enforcement initiative in late 2019 targeting noncompliance with this HIPAA Privacy Rule provision after receiving multiple complaints from individuals who had not been provided with their requested records in a timely manner. Including the latest penalty, OCR has imposed 54...
HIPAA Training for Medical Offices
HIPAA training for medical offices must consist of practical, risk-focused education for workforce members that is applicable to the real-world environment in which they work. This is especially important for small medical practices with highly public-facing workflows that make HIPAA compliance uniquely challenging. Medical offices that qualify as HIPAA covered entities are required to train members of the workforce on applicable policies and procedures implemented to comply with the HIPAA Privacy Rule and HIPAA Breach Notification Rule. They are also required to implement security policies and procedures and provide security awareness training to all members of the workforce. While the HIPAA training requirements for medical offices are no different from the HIPAA training requirements for large healthcare systems, workforce members in medical offices are more likely to perform multiple roles. For example, a workforce member may be responsible for front desk operations, scheduling, billing, clinical support, and patient communications within a single shift. For this reason, HIPAA...
Data Breaches Announced by Expert MRI; McElroy & Associates
Data breaches have recently been announced by the California radiology specialists, Expert MRI, and the small business technology consultancy firm, McElroy & Associates. Expert MRI Expert MRI, a leading radiology provider with 15 locations in California, has recently disclosed a cybersecurity incident that was first identified in August 2025. According to its substitute data breach notice, an unauthorized third party gained access to a computer network containing “a significant portion” of its data between June 2, 2025, and August 24, 2025. The forensic investigation confirmed that data was exfiltrated in the attack, including names, addresses, dates of birth, admission dates, diagnoses, and treatment information. A subset of the affected individuals also had their Social Security numbers stolen. Expert MRI said data privacy and security are taken extremely seriously, and that “this incident is being used as an opportunity to build upon existing cybersecurity and data privacy tools, practices, and procedures for ourselves and our partners.” The data breach has been reported to...



