25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

OCR Publishes New HIPAA Audit Protocol

The Department of Health and Human Services Office for Civil Rights (OCR) has published a new HIPAA audit protocol for the second round of compliance audits. The audit protocol has been updated to incorporate 2013 Omnibus Final Rule changes, and OCR is encouraging covered entities to read the new protocol and submit comments. The 2016 HIPAA audits have a much narrower focus than the first round and will be conducted in modules. The modules will assess separate elements of the Privacy Rule, Security Rule, and Breach Notification Rule. OCR may decide to audit a covered entity on one or more modules, depending on the type of organization. If selected for audit, covered entities will be required to submit a range of documents to OCR via a dedicated web portal. The most current versions of documents must be submitted in PDF, Word, or Excel formats. Documentation will need to include evidence of implementation of each aspect of HIPAA. If no documentation is held, the covered entity will be required to submit a statement to that effect. Auditors will then be provided with a selection of...

Read More

Breach Notification Laws in Tennessee Updated

Data breach notification laws in Tennessee have been updated to better protect state residents. The new law requires organizations to issue notifications to state residents more quickly, while the range of information covered has been broadened. When the new laws come into effect, organizations doing business in the state of Tennessee will be required to notify state residents of a breach of personal information within 45 days of the discovery of data exposure. Originally the bill required entities to issue notifications within 14 days of discovery, although this was later amended to 45 days. Previously, data breach notification laws in Tennessee required all businesses to issue breach notifications in a reasonable time frame after a breach was discovered. Tennessee is the eighth state to introduce a time frame for sending breach notification letters. Tennessee is not the only state to introduce laws that reduce the timescale for notifying breach victims – it is the eight state to add a timescale for sending notifications – but in contrast to many states, information holders are...

Read More

One In Five Companies Has Suffered a Data Breach Involving Mobile Devices

One in five companies has suffered a data breach involving mobile devices according to a study recently published by Crowd Research Partners. 39% of respondents said malware had been downloaded onto devices supplied to employees by their company or used under BYOD schemes, and almost a quarter of respondents said devices had connected to malicious Wi-Fi networks. The number of devices that had been compromised is a concern; however, what is more worrying is the extent to which organizations are monitoring the devices that are allowed to connect to their networks. When asked whether devices had connected to malicious networks, 48% of respondents said they were not sure. When asked whether malware had been downloaded onto mobile devices, 35% said they were not sure, and 37% could not say whether mobile devices were involved in security breaches at their organizations. These results suggest that while mobile devices are allowed to connect to work networks, the controls put in place to keep those devices secure were insufficient in many organizations. When asked about the risk control...

Read More

Ransomware and HIPAA: Are Attacks Reportable?

Following a number of high-profile ransomware attacks on hospitals, the issue of whether ransomware attacks are reportable under HIPAA has been raised by a number of privacy experts. So far attacks on hospitals, including the Hollywood Presbyterian Medical Center attack in February, have not been added to the HHS breach portal and are unlikely to appear. The healthcare organizations that have announced they have been hit with ransomware infections claim that while files were encrypted, patient data were unaffected. But what about situations when malicious file-encrypting software does lock files containing the PHI of patients? Would those ransomware attacks be reportable under HIPAA? The Department of Health and Human Services’ Office for Civil Rights must be informed of malware attacks that result in hackers gaining access to PHI, but with ransomware the situation is less clear. If ransomware encrypts the Protected Health Information of patients, the attackers are the only individuals with a security key to unlock the data. That does not mean that PHI has been viewed or acquired...

Read More

Transition to HIPAA Electronic Administrative Transactions Could Save Industry $8 Billion, says CAQH

On Wednesday this week, the 2015 CAQH Index was released. The data show that many healthcare organizations are continuing to rely on manual administrative processes for basic transactions such as verifying patient coverage, submitting claims, prior authorization, and referral certification, even though these tasks can easily be performed electronically. The CAQH Index is released once a year and is a measure of the adoption of electronic transactions for routine business processes in the healthcare industry. The aim of the report is to raise awareness of the potential cost savings that can be made by switching to electronic HIPAA transactions. The data used for the CAQH Index in 2015 represents some 440 million transactions relating to 92 million patients. The reliance on manual processes rather than HIPAA electronic administrative transactions is costing the healthcare industry dearly. CAQH believes the continued reliance on resource-intensive manual processes is costing the healthcare industry $8 billion each year. Each time health plans and healthcare providers perform a manual...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist