25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

Understanding & Applying Risk Assessments
Nov08

Understanding & Applying Risk Assessments

A HIPAA risk assessment for a covered entity or business associate determines whether existing policies, procedures, and security mechanisms are adequate to reduce risks and vulnerabilities to a reasonable and appropriate level. It should include: Threats to the privacy and security of PHI. The likelihood of a threat occurring. The potential impact of each threat. While healthcare compliance officers are often well-versed in theoretical risk assessment needs, there is persistent difficulty in turning this into practical procedures that comprehensively protect organizations. However, the consequences of inadequate risk assessment are severe, and superficial compliance is no longer sufficient. The second requirement appears in the HIPAA Breach Notification Rule (45 CFR § 164.402). This standard only applies when there has been an impermissible acquisition, access, use, or disclosure of unsecured PHI (in any format), and a HIPAA risk assessment is necessary to determine whether the event is notifiable to HHS and the affected individual(s). However, beyond the HIPAA risk assessment...

Read More
Cybersecurity Should be Viewed as a Strategic Enabler of the Business
Nov07

Cybersecurity Should be Viewed as a Strategic Enabler of the Business

The US Healthcare Cyber Resilience Survey from EY and KLAS Research has revealed that more than 7 out of 10 healthcare organizations have experienced significant business disruption due to cyberattacks in the past two years. The survey was conducted on 100 healthcare executives responsible for cybersecurity decisions within their organization. On average, organizations experienced an average of five different cyber threats in the past year, the most common of which was phishing, experienced by 77% of organizations. The next most commonly encountered threats were third-party breaches (74%), malware (62%), data breaches (47%), and ransomware (45%). Only 3% of respondents reported not experiencing any cyber threats in the past year. These cyber incidents are having a considerable impact on patient care and business operations. 72% of respondents reported that their organization experienced a moderate to severe financial impact due to cyberattacks in the past two years, 60% reported a moderate to severe operational impact, and 59% reported a moderate to severe clinical impact. In...

Read More
Willis-Knighton Medical Center Settles Website Tracking Technology Lawsuit
Nov07

Willis-Knighton Medical Center Settles Website Tracking Technology Lawsuit

A settlement has been agreed to resolve a class action lawsuit against the Louisiana health system, Willis-Knighton Medical Center. The litigation stems from the use of tracking technologies on its public-facing website. Several lawsuits were filed against Willis-Knighton Medical Center over the use of tracking tools on its website and patient portal, which are alleged to have caused unauthorized transmissions of personally identifiable, non-public information to third parties such as Google and Facebook. The lawsuits were consolidated in a single action – Jacqueline Horton, et al. v. Willis-Knighton Medical Center – which was heard in the 10th Judicial District Court for Natchitoches Parish in Louisiana. Tracking technologies such as pixels are extensively used on the Internet, including by many healthcare providers. The problem is that these tools may collect sensitive data from website visitors, including information classed as protected health information under HIPAA. That information may be transmitted to third parties unauthorized to receive the information. One study...

Read More
Tri Century Eye Care & Pittsburgh Gastroenterology Associates Announce Data Breaches
Nov06

Tri Century Eye Care & Pittsburgh Gastroenterology Associates Announce Data Breaches

Data breaches have recently been announced by Tri Century Eye Care in Pennsylvania, Pittsburgh Gastroenterology Associates, NAHGA Claims Services, and the Texas revenue cycle management company, Legacy Health. Tri Century Eye Care Tri Century Eye Care, P.C., in Pennsylvania, has recently started notifying patients about a September 2025 data security incident involving the theft of files containing sensitive data. Suspicious network activity was identified on September 3, 2025, and immediate steps were taken to secure its network. Third-party cybersecurity specialists were engaged to investigate and determine the nature and scope of the activity, and on September 19, 2025, Tri Century Eye Care learned that an unknown actor had accessed its network and acquired files. There was no unauthorized access to its electronic medical record system. The files were reviewed and found to contain personal and protected health information of patients and employees. The types of information involved varied from individual to individual and may have included names in combination with one or more...

Read More
Pomona Valley Hospital Medical Center Pays $600K to Settle Meta Pixel Lawsuit
Nov06

Pomona Valley Hospital Medical Center Pays $600K to Settle Meta Pixel Lawsuit

Pomona Valley Hospital Medical Center in California has agreed to pay $600,000 to resolve all claims in class action litigation over its use of Meta Pixel and similar tracking technologies on its public website. According to the lawsuit, the tracking tools resulted in an impermissible disclosure of personally identifiable information to third parties such as Meta (Facebook). The lawsuit – Warren v. Pomona Valley Hospital Medical Center – was filed in the Superior Court of the State of California, County of Los Angeles, and alleged the use of these tools violated wiretapping and other statutes. Pomona Valley Hospital Medical Center denies all material allegations in the lawsuit and maintains there was no wrongdoing or liability; however, the decision was made to settle the litigation to avoid the costs and risks associated with a trial and related appeals. Following extensive arm’s-length negotiations, a settlement in principle was reached, and the full terms of the settlement have now been finalized and approved by the court. Under the terms of the settlement, Pomona Valley...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist