The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

Over 100 Hospital Systems and Provider Associations Call for Withdrawal of Proposed HIPAA Security Rule Update
Dec 09

The College of Healthcare Information Management Executives (CHIME) and more than 100 U.S. hospital systems, healthcare provider organizations, and provider associations have called for the Department of Health and Human Services (HHS) to withdraw its proposed updates to the HIPAA Security Rule. The HIPAA Security Rule was enacted in 2002, nine years after HIPAA was signed into law, to establish security standards for electronic protected health information created, received, used, or maintained by a covered entity, with the requirements subsequently expanded to cover business associates of HIPAA-regulated entities. The Security Rule was written to be technology agnostic to avoid frequent rule changes in response to advances in technology; however, 22 years after its initial release, the HHS proposed a substantial update that specified many new cybersecurity requirements. An update to the HIPAA Security Rule was arguably long overdue, given the massive increase in healthcare cyberattacks since the Security Rule was enacted. The proposed update – Notice of Proposed Rulemaking:...

Pharmaceutical Firm Inotiv Discloses Ransomware Attack and Data Breach
Dec 09

The West Lafayette, Indiana-based pharmaceutical research company Inotiv has recently disclosed a ransomware attack and data breach that involved the exfiltration of sensitive data from its network. Inotiv employs around 2,000 people and has an annual revenue of over $510 million. The company specializes in drug discovery, drug development, and research modelling. The ransomware attack was detected on August 8, 2025, when access to certain networks, systems, and data storage was prevented, resulting in disruption to some of its business operations. Inotiv confirmed in a December 3, 2025, filing with the U.S. Securities and Exchange Commission (SEC) that it has successfully restored access to the affected networks and systems and has finished its internal investigation into the attack. The investigation confirmed that a ransomware group had access to its network between approximately August 5 and August 8, 2025, during which time certain data may have been acquired. According to the breach notice filed with the Maine Attorney General, the information of 9,542 individuals was...

Health Insurers Pay Penalty for Mental Health Parity Compliance Failures
Dec 09

The Mental Health Parity and Addiction Equity Act (MHPAEA) requires health insurers and group health plans that offer mental health and substance use disorder (SUD) benefits to ensure that treatment limitations and financial requirements are no more restrictive than those for medical or surgical benefits. The insurance commissioner in Washington state has recently fined Regence BlueShield $550,000 for a lack of transparency around mental health parity, and Anthem Inc. has settled a lawsuit that alleged violations of MHPAEA and the Employee Retirement Income Security Act (ERISA) over the denial of claims for residential mental health and SUD treatment.

Regence BlueShield Failed to Provide Sufficient Information to Allow Analysis of Mental Health Parity Compliance

Washington State Insurance Commissioner Patty Kuderer has fined Regence BlueShield $550,000 for alleged violations of MHPAEA. According to Kuderer, Regence BlueShield displayed a lack of transparency about compliance with MHPAEA, failing to provide documentation, as requested, to demonstrate that the benefits for mental...


HIPAA Compliance for HR Departments

HIPAA compliance for HR departments consists of understanding what HIPAA standards are applicable to the department’s activities, and implementing policies and procedures to ensure the privacy and security of individually identifiable health information where appropriate – not forgetting that state privacy and security regulations may also apply. Businesses not directly involved in the healthcare or healthcare insurance industries should nonetheless pay close attention to HIPAA compliance for HR departments. It has been estimated that a third of all workers and their dependents who receive occupational healthcare benefits do so through a self-insured group health plan. Although this does not mean a self-insuring business automatically becomes a HIPAA-Covered Entity – and thereby subject to HIPAA regulations – the likelihood is the HR department will have some involvement with insurance-related tasks. During the execution of the insurance-related tasks, HR personnel will undoubtedly come into contact with Protected Health Information. Why HIPAA Compliance for HR...

What is a HIPAA Confidentiality Agreement for Employees?
Dec 08

A HIPAA confidentiality agreement for employees is similar to a non-disclosure agreement inasmuch as members of the workforce agree not to disclose any confidential information they encounter in the performance of their functions – unless the disclosure is permissible by the Privacy Rule, relevant to the function they are performing, and limited to the minimum necessary. The agreement should not only relate to the confidentiality of Protected Health Information, but to any information employees encounter that may not be protected by the Privacy Rule. This might include identifying non-health data maintained outside a protected designated record set, billing information, or proprietary information about the organization’s operations. An agreement of this type can also cover the non-disclosure of login credentials for the organization’s systems and the return of the organization’s property (for example, keys, ID badges, access cards, etc.) on termination or completion of employment. Other conditions may be added to the agreement depending on the nature of the...
