25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

New HHS-OIG Exclusions
Jun19

New HHS-OIG Exclusions

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has announced new additions to its List of Excluded Individuals and Entities (LEIE). The LEIE, often referred to as the HHS-OIG exclusion list, is a centralized registry for individuals and entities that have been prohibited from participating in federally funded healthcare programs, including Medicare and state healthcare programs. There are mandatory exclusions for individuals and entities convicted of criminal offenses such as Medicare or Medicaid fraud, patient abuse or neglect, and for felony convictions for other health care-related fraud, theft, or other financial misconduct, and felony convictions related to the unlawful manufacture, distribution, prescription, and dispensing of controlled substances. HHS-OIG also has the authority to exclude individuals and entities on other grounds, termed permissible inclusions. Reasons for permissive inclusions include misdemeanor convictions, engaging in unlawful kickbacks, suspension or revocation of a healthcare license, and defaulting on health...

Read More
Multi-million-dollar Settlement Agreed to Resolve MCNA Dental Data Breach Lawsuit
Jun19

Multi-million-dollar Settlement Agreed to Resolve MCNA Dental Data Breach Lawsuit

A settlement has been agreed to resolve class action data breach litigation against Managed Care of North America (MCNA), Inc., and MCNA Insurance Company, doing business as MCNA Dental and Healthplex, Inc. The companies were sued in response to a massive data breach in 2023 that affected almost 9 million individuals. In March 2023, the defendants identified unauthorized access to the MCNA network. The LockBit ransomware group was behind the attack and first gained access to the network on February 22, 2023. Access was maintained until March 7, 2023, when ransomware was used to encrypt files. Prior to file encryption, sensitive data was exfiltrated from the network, including personal and protected health information (PHI). MCNA Dental is one of the largest providers of government-sponsored dental benefits to children through state Medicaid and Children’s Health Insurance Programs, and stores a vast amount of PHI. The investigation determined that the ransomware group accessed or exfiltrated the PHI of 8,923,662 individuals, including names, contact information, Social Security...

Read More
Spencer Gifts Pays $450,000 Penalty to Resolve HIPAA Failures
Jun19

Spencer Gifts Pays $450,000 Penalty to Resolve HIPAA Failures

The national retail company Spencer Gifts LLC has agreed to a $450,000 settlement to resolve alleged violations of the HIPAA Rules that OCR identified while investigating a data breach affecting 10,023 members of its employer-sponsored group health plan (Spencer Gifts LLC Flexible Benefits and Welfare Benefit Plans). In November 2021, staff were prevented from connecting to the company’s virtual private network. The IT issue was investigated, and the access issues were determined to be due to a ransomware attack. A threat actor had accessed the company’s network between November 24, 2021, and November 26, 2021, and used ransomware to encrypt files, including files on servers that stored plan members’ electronic protected health information (ePHI). Data exposed and potentially stolen in the incident included names, addresses, zip codes, phone numbers, email addresses, and Social Security numbers. OCR was notified about the data breach on January 24, 2022. OCR investigates all reported breaches affecting 500 or more individuals to determine whether they were the result of HIPAA...

Read More
HIPAA Violation Fines
Jun18

HIPAA Violation Fines

HIPAA violation fines can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general for failing to comply with HIPAA regulations. In this article, we provide a detailed explanation of HIPAA violation fines that have been imposed on HIPAA-regulated entities found to have violated the HIPAA Rules. You can also use the article in conjunction with our free HIPAA Violations Checklist to understand what is required to ensure full compliance. Please use the form on this page to arrange for your copy. The Majority Of HIPAA Violation Fines are from Settlements In the majority of cases, covered entities and business associates accept that there have been potential failures to comply with certain elements of HIPAA Rules, a settlement amount is agreed, and the case is resolved with no admission of liability. In addition to the settlement, a corrective action plan is issued to address the HIPAA failures. HIPAA-covered entities and business associates may disagree with the findings of the investigation and challenge the decision to...

Read More
HIPAA Violation Cases: Types & Consequences
Jun18

HIPAA Violation Cases: Types & Consequences

HIPAA violation cases are compliance investigations that result from a data breach being reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) or a privacy complaint being submitted to OCR via the complaints portal. When OCR identifies a violation of HIPAA, violation cases can be resolved in multiple ways. OCR may choose to take no action if the HIPAA-regulated entity has identified and voluntarily corrected the HIPAA violation. If the HIPAA violation is not severe, OCR often chooses to provide technical assistance to help the regulated entity correct the violation. When there has been a serious violation of the HIPAA Rules or evidence is found suggesting widespread noncompliance, OCR may initiate a more extensive review. Serious violations are sometimes resolved with a financial penalty. OCR will notify the regulated entity about the findings of the investigation and typically gives the regulated entity an opportunity to settle the alleged violations informally. These settlements involve a reduced financial penalty and generally include...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist