
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

Background Checks for Healthcare Employees
Dec 12


Background checks for healthcare employees are an important safeguard in environments in which the well-being of patients and the integrity of the care are paramount. Pre-employment screening for healthcare workers – and frequent re-screening thereafter – can also help mitigate the risk of fraud and theft for healthcare organizations. All healthcare providers are required to conduct background checks for healthcare employees. Most often these consist of state-mandated professional credential verification, and checks against criminal record databases and sex offender registries. Some states also mandate background checks against state and federal exclusion lists, or screening for abuse and neglect when prospective employees will have direct access to children or vulnerable adults. In addition to state-mandated background checks for healthcare employees, some healthcare organizations conduct “advisory” background checks. These can include employment and education background checks, drug and addiction screening, credit reports, and driving records – especially when a job...

U.S. Critical Infrastructure Entities Targeted by Pro-Russia Hacktivists
Dec 11


The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Department of Defense Cyber Crime Center (DC3), Canadian Centre for Cyber Security, Europol, and cybersecurity agencies throughout Europe have issued a joint cybersecurity advisory warning of cyberattacks on critical infrastructure by pro-Russian hacktivists. In contrast to attacks by many financially motivated threat actors and advanced persistent threat groups, the attacks are relatively unsophisticated, and aside from attacking critical infrastructure entities in perceived adversaries of Russia, the attacks are opportunistic rather than targeted. According to the authoring agencies, the attacks are opportunity-driven by ease of access, targeting known unpatched vulnerabilities in Internet-facing systems, especially minimally secured virtual network computing (VNC) connections and Internet-facing desktop-sharing systems. The hacktivist groups typically use easily repeatable and unsophisticated methods for initial access. While the attacks are lower impact than those conducted by...

Is It a HIPAA Violation to Send to Collections?
Dec 11


It is not a HIPAA violation to send to collections provided the minimum necessary Protected Health Information is disclosed and – if using an external collection agency – a Business Associate Agreement is in place with the collection agency. However, before sending medical bills to collections, it is important to consider state and local laws relating to medical debt relief. The HIPAA Privacy Rule stipulates when uses and disclosures of Protected Health Information (PHI) are required, permitted, require consent, or require authorization. Permitted uses and disclosures of PHI include “Treatment, Payment, or Healthcare Operations” (§164.506). This section of the Privacy Rule states: “A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations”. By reviewing how TPO in HIPAA is defined – particularly how the word payment is defined – it is possible to determine if it is a HIPAA violation to send to collections. §2(iii) of the definition of payment includes “Billing, claims management, collection activities, obtaining...

AHA: Understand Your Risk Environment to Better Protect Patient Data
Dec 10


In the first part of its 2025 review of healthcare cybersecurity, the American Hospital Association (AHA) reports that in the year to October 3, 2025, the health records of 33 million Americans were compromised in 364 hacking incidents. While the figures are appalling, they are at least better than last year, when a new record was set, with 259 million Americans having had their sensitive health data stolen, 190 million of whom had their data stolen in a single incident – the ransomware attack on Change Healthcare. It is too early to tell how bad this year will be in terms of data breaches, but over the previous four years, more than 700 large data breaches have been reported each year, the majority of which were due to hacking incidents. As the AHA points out in the report, 100% of breached records were unencrypted. Had the records been encrypted, there would not have been a data breach, as data breaches only ever involve unencrypted records unless decryption keys are stolen in addition to encrypted data. The AHA analysis revealed that over the past few years, the majority of...

Data Breaches Announced by North Atlantic States Carpenters Health Benefits Fund & Millcreek Pediatrics
Dec 10


Data breaches have recently been announced by the North Atlantic States Carpenters Health Benefits Fund in Massachusetts and Millcreek Pediatrics in Delaware.

Millcreek Pediatrics, Delaware

Millcreek Pediatrics, a Wilmington, Delaware-based pediatric medical practice, has recently reported a data security incident to the HHS Office for Civil Rights involving the protected health information of 14,095 individuals. Unauthorized access to its network was detected on or around February 25, 2025. A leading digital forensics firm was engaged to investigate the activity, which confirmed unauthorized network access between February 17, 2025, and February 25, 2025. On October 27, 2025, the file review confirmed that protected health information had been exposed, including full names, birth dates, medical record numbers, patient identification numbers, driver’s license numbers/state identification numbers, dates of service, claims information, provider information, and clinical/treatment information. A limited number of the affected individuals also had their Social Security numbers exposed....
