25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

Jocelyn Samuels Gives Update on OCR Compliance Audits

Since the announcement that the second phase of HIPAA compliance audits would be delayed, the Department of Health and Human Services’ Office for Civil Rights has remained tight-lipped over timescales. Now, a year on from the original proposed start date, many expected OCR Director, Jocelyn Samuels, to give a timescale for the HIPAA audit program at the Safeguarding Health Information: Building Assurance through HIPAA Security HIPAA Security Conference in Washington this month. Samuels gave a keynote address at the National Institute of Standards and Technology (NIST) and Office for Civil Rights (OCR) hosted conference, and while she did not provide a date or a timeline for the compliance audits, she did indicate the audits are now very close to becoming a reality. She explained that the OCR has many roles, with compliance audits a part of its enforcement activities. “Audits are really a critical compliance tool for us because they enable us to get out in front of potential industry problems before they result in a breach … and they enable us to better tailor our guidance and...

Read More

Data Security Report Shows Main Points of Cyberattack by Industry Sector

SurfWatch, a leading provider of cyber risk intelligence analytics and applications, recently released a mid-year cyber risk intelligence report detailing the most common methods used by hackers to gain access to confidential patient and business data, including the main points of cyberattack by industry sector. The company discovered that despite a number of highly sophisticated attacks on healthcare providers in recent months, the majority of hackers are still using the same tried and tested methods to break through security defenses as they have for years. The most common points of attack are poorly secured websites and applications, patient and customer accounts, and endpoints, which account for 77% of all cyberattacks evaluated by SurfWatch analysts. The main aim of the SurfWatch Labs 2015 Mid-Year Report was to identify the most effective ways organizations can reduce the risk of suffering cyberattacks. Big money is being diverted to improve cybersecurity defenses and to protect against hackers; however it is important that organizations look closely at all potential attack...

Read More

Have Your Mitigated Your Mobile Device Security Risks?

Mobile devices have potential to improve efficiency in the healthcare industry, which in turn leads to increased productivity of the workforce and a reduction in operational costs. However, tablets, Smartphones, laptops and other portable networked devices also introduce new security risks, and can potentially give hackers an easy entry point into a healthcare network. Unfortunately, banning the use of mobile devices in the workplace is no longer a feasible option. The only choice for healthcare providers and other HIPAA covered entities is to leverage the benefits of the devices, while mitigating the risks they pose, as far as is practical and possible. Mobile Devices Carry a High Risk of PHI Exposure   Mobile devices carry a high risk of accidental PHI exposure. The devices can be used to connect to healthcare networks and view PHI in many cases, and data can also be stored on the devices; however since they are portable, they are also easily lost or stolen. They can also be used to connect to healthcare networks via insecure public Wi-Fi, and apps are often downloaded to...

Read More

New OCR HIPAA Penalty: Cancer Care Group to Pay $750,000

A new OCR HIPAA penalty has been issued for a breach of HIPAA regulations. Cancer Care Group, an Indiana-based radiation oncology private physician practice, has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights for $750,000, for potential HIPAA violations relating to a 2012 data breach. Back in August 2012, Cancer Care Group discovered a laptop computer and unencrypted backup drive had been stolen from the vehicle of an employee. The data breach exposed the Protected Health Information of 55,000 patients. The stolen device contained highly sensitive data, which included the Social Security numbers of patients: Exactly the data needed by identity thieves to rack up tens of thousands of debts in the names of the breach victims. The data on the drives was not encrypted. HIPAA Does Not Demand Data Encryption Under the HIPAA Security Rule, data encryption is only an addressable issue. This means that a HIPAA-covered entity must consider data encryption for all PHI stored, transmitted, or backed up. A HIPAA-covered entity can make an informed...

Read More

The UCLA Health Data Breaches Continue: Further 1,242 Records Exposed

The UCLA Health data breaches are continuing: Another security incident has just been announced following the discovery that a faculty member’s laptop was stolen on July 3, 2015. UCLA Health is now in the process of notifying 1,242 patients that a limited amount of Protected Health Information was stored on the unencrypted – but password protected – laptop computer. The data potentially exposed to criminals includes patient names, medical record numbers and health information relating to treatment plans. UCLA confirmed in a press release that no Social Security numbers were stored on the laptop; neither health plan IDS, financial or insurance data; the information thieves seek in order to commit identity fraud and other financial crimes. Since the laptop was password protected the thieves may have been prevented from viewing the data stored on the device. However, passwords can be cracked, and do not offer the same level of security as data encryption so there is a risk that the data could still be viewed and used by the thieves. The healthcare provider was notified of the...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist