Over 100 Hospital Systems and Provider Associations Call for Withdrawal of Proposed HIPAA Security Rule Update
The College of Healthcare Information Management Executives (CHIME) and more than 100 U.S. hospital systems, healthcare provider organizations, and provider associations have called for the Department of Health and Human Services (HHS) to withdraw its proposed updates to the HIPAA Security Rule. The HIPAA Security Rule was enacted in 2002, nine years after HIPAA was signed into law, to establish security standards for electronic protected health information created, received, used, or maintained by a covered entity, with the requirements subsequently expanded to cover business associates of HIPAA-regulated entities. The Security Rule was written to be technology agnostic to avoid frequent rule changes in response to advances in technology; however, 22 years after its initial release, the HHS proposed a substantial update that specified many new cybersecurity requirements. An update to the HIPAA Security Rule was arguably long overdue, given the massive increase in healthcare cyberattacks since the Security Rule was enacted. The proposed update – Notice of Proposed Rulemaking:...
Pharmaceutical Firm Inotiv Discloses Ransomware Attack and Data Breach
The West Lafayette, Indiana-based pharmaceutical research company Inotiv has recently disclosed a ransomware attack and data breach that involved the exfiltration of sensitive data from its network. Inotiv employs around 2,000 people and has an annual revenue of over $510 million. The company specializes in drug discovery, drug development, and research modelling. The ransomware attack was detected on August 8, 2025, when access to certain networks, systems, and data storage was prevented, resulting in disruption to some of its business operations. Inotiv confirmed in a December 3, 2025, filing with the U.S. Securities and Exchange Commission (SEC) that it has successfully restored access to the affected networks and systems and has finished its internal investigation into the attack. The investigation confirmed that a ransomware group had access to its network between approximately August 5 and August 8, 2025, during which time certain data may have been acquired. According to the breach notice filed with the Maine Attorney General, the information of 9,542 individuals was...
Health Insurers Pay Penalty for Mental Health Parity Compliance Failures
The Mental Health Parity and Addiction Equity Act (MHPAEA) requires health insurers and group health plans that offer mental health and substance use disorder (SUD) benefits to ensure that treatment limitations and financial requirements are no more restrictive than those for medical or surgical benefits. The insurance commissioner in Washington state has recently fined Regence BlueShield $550,000 for a lack of transparency around mental health parity, and Anthem Inc. has settled a lawsuit that alleged violations of MHPAEA and the Employee Retirement Income Security Act (ERISA) over the denial of claims for residential mental health and SUD treatment. Regence BlueShield Failed to Provide Sufficient Information to Allow Analysis of Mental Health Parity Compliance Washington State Insurance Commissioner Patty Kuderer has fined Regence Blue Shield $550,000 for alleged violations of MHPAEA. According to Kuderer, Regence BlueShield displayed a lack of transparency about compliance with MHPAEA, failing to provide documentation, as requested, to demonstrate that the benefits for mental...
HIPAA Compliance for HR Departments
HIPAA compliance for HR departments consists of understanding what HIPAA standards are applicable to the department’s activities, and implementing policies and procedures to ensure the privacy and security of individually identifiable health information where appropriate – not forgetting that state privacy and security regulations may also apply. Businesses not directly involved in the healthcare or healthcare insurance industries should none-the-less pay close attention to HIPAA compliance for HR departments. It has been estimated a third of all workers and their dependents who receive occupation healthcare benefits do so through a self-insured group health plan. Although this does not mean a self-insuring business automatically becomes a HIPAA-Covered Entity – and thereby subject to HIPAA regulations – the likelihood is the HR department will have some involvement with insurance-related tasks. During the execution of the insurance-related tasks, HR personnel will undoubtedly come into contact with Protected Health Information. Why HIPAA Compliance for HR...
What is a HIPAA Confidentiality Agreement for Employees?
A HIPAA confidentiality agreement for employees is similar to a non-disclosure agreement inasmuch as members of the workforce agree not to disclose any confidential information they encounter in the performance of their functions – unless the disclosure is permissible by the Privacy Rule, relevant to the function they are performing, and limited to the minimum necessary. The agreement should not only relate to the confidentiality of Protected Health Information, but to any information employees encounter that may not be protected by the Privacy Rule. This might include identifying non-health data maintained outside a protected designated record set, billing information, or proprietary information about the organization´s operations. An agreement of this type can also cover the non-disclosure of login credentials for the organization’s systems and the return of the organization’s property (for example, keys, ID badges, access cards, etc.) on termination or completion of employment. Other conditions may be added to the agreement depending on the nature of the...



