The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

HIPAA Training for Nurses
Dec 17

HIPAA training for nurses and nursing assistants must be designed to prepare frontline caregivers for the moments in daily patient care when the instinct to be caring, compassionate, or helpful can unintentionally override compliance with HIPAA policies and procedures. Healthcare organizations that qualify as HIPAA covered entities are required to implement policies and procedures with respect to Protected Health Information that are designed to comply with the requirements of the HIPAA Privacy Rule and the HIPAA Breach Notification Rule. They must then train workforce members on the policies and procedures that apply to their roles. However, role-based training on policies and procedures alone can leave knowledge gaps. These gaps can result in impermissible disclosures, inappropriate responses to security incidents, and guesswork when confronted with a compliance situation for which no training has been received. Role-based training can also increase the risk of errors during cross-coverage or task shifting. This is particularly true with regard to HIPAA training for nurses and...

PHI of Almost 93,000 Patients Compromised in Cyberattack on NS Support
Dec 17

NS Support LLC, a Boise, Idaho-based healthcare provider specializing in neurosurgical treatment for conditions such as brain tumors, reported a hacking-related data breach to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on November 21, 2025, that affected up to 92,845 individuals. Unauthorized access to its computer network was detected on or around May 29, 2025, and third-party digital forensics specialists were engaged to assist with the investigation and ensure the security of its network. The investigation confirmed that there had been unauthorized network access and that files had been exfiltrated from its network. Following a detailed review of the affected files, NS Support determined on November 7, 2025, that patients’ protected health information was involved. The data compromised in the incident included first and last names and medical information in the form of notes that had been transcribed from appointments with a physician. Social Security numbers and financial information were not compromised in the incident, and NS Support has...

OCR Agrees to $112,500 Settlement with Concentra to Resolve HIPAA Right of Access Violation
Dec 17

Concentra Inc. has agreed to settle an alleged violation of the HIPAA Right of Access with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and will pay a $112,500 financial penalty, despite contesting OCR’s determination that there had been a HIPAA violation. The HIPAA Privacy Rule gives individuals rights over their protected health information (PHI), including the right to obtain a copy of their PHI and only be charged a reasonable, cost-based fee. If a request for a copy of an individual’s medical records is received by a HIPAA-covered entity, the requested records must be provided within 30 days. The records should be provided in the format requested, provided that the covered entity is able to readily produce them in the requested format. OCR launched an enforcement initiative in late 2019 targeting noncompliance with this HIPAA Privacy Rule provision after receiving multiple complaints from individuals who had not been provided with their requested records in a timely manner. Including the latest penalty, OCR has imposed 54...

HIPAA Training for Medical Offices
Dec 17

HIPAA training for medical offices must consist of practical, risk-focused education for workforce members that is applicable to the real-world environment in which they work. This is especially important for small medical practices with highly public-facing workflows that make HIPAA compliance uniquely challenging. Medical offices that qualify as HIPAA covered entities are required to train members of the workforce on applicable policies and procedures implemented to comply with the HIPAA Privacy Rule and HIPAA Breach Notification Rule. They are also required to implement security policies and procedures and provide security awareness training to all members of the workforce. While the HIPAA training requirements for medical offices are no different from the HIPAA training requirements for large healthcare systems, workforce members in medical offices are more likely to perform multiple roles. For example, a workforce member may be responsible for front desk operations, scheduling, billing, clinical support, and patient communications within a single shift. For this reason, HIPAA...

Data Breaches Announced by Expert MRI; McElroy & Associates
Dec 17

Data breaches have recently been announced by the California radiology specialists, Expert MRI, and the small business technology consultancy firm, McElroy & Associates.

Expert MRI

Expert MRI, a leading radiology provider with 15 locations in California, has recently disclosed a cybersecurity incident that was first identified in August 2025. According to its substitute data breach notice, an unauthorized third party gained access to a computer network containing “a significant portion” of its data between June 2, 2025, and August 24, 2025. The forensic investigation confirmed that data was exfiltrated in the attack, including names, addresses, dates of birth, admission dates, diagnoses, and treatment information. A subset of the affected individuals also had their Social Security numbers stolen. Expert MRI said data privacy and security are taken extremely seriously, and that “this incident is being used as an opportunity to build upon existing cybersecurity and data privacy tools, practices, and procedures for ourselves and our partners.” The data breach has been reported to...
