25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

Stolen Data Found on Dark Web by New Security Startup

You have been attacked by hackers and they have stolen your data, but how can you tell? According to a new security start-up, discovering a breach of healthcare data can be a very quick process: Terbium Labs has developed a method of identifying stolen data within minutes of it being posted online. CEO of Terbium, Danny Rogers, along with CTO, Michael Moore, believe they have developed a system that takes “a large scale, computational approach to finding pilfered data,” and allows stolen data to be identified faster and more securely than was previously possible. Reducing the Risk of a HIPAA Data Breach   In order for a company to identify stolen data, it must first be provided with the confidential records that it needs to search for. This naturally involves some risk. As the past few weeks have shown, passing data to Business Associates increases the risk of a data breach. Medical Management LLC being a good example. Terbium’s new product, called Matchlight, uses an innovative method of identifying data, while ensuring the data the company stores on a HIPAA-covered entity is...

Read More

UPMC Data Breach Not Grounds for Class Action Says Judge

A data breach suffered by the University of Pittsburgh Medical Center in 2014 does not give the victims grounds for a class action claim, even though there have been 817 reported cases of tax fraud as a direct result of the data breach. Civil lawsuits filed against healthcare providers often fail because of a lack of evidence that the stolen data has been used inappropriately. Without any actual harm suffered, a claim is very unlikely to succeed. In this case, there was provable losses suffered by some of the victims, but it was not deemed to warrant a class action claim, at least not under the circumstances. The data breach did not involve any patient data, although all 62,000 employees were affected. The initial data breach report stated only 27,000 individuals had been affected; however, that figure has since been expanded and the data breach is now believed to affect all 62,000 employees. The breach affected the company’s payroll database and exposed highly sensitive information about the employees, including names, addresses, Social Security numbers, salary details and in some...

Read More

Conn. Data Breach Bill Demands Year of ID Theft Protection for Victims

Gov. Dannel P. Malloy is poised to sign Senate Bill 949 which will introduce even stricter data privacy and security requirements in Connecticut, as well as for any organization doing business with Connecticut residents. The bill has been introduced to increase protection for consumers in the wake of the high volume of data breaches that have affected the state – and the country as a whole – over the past few years. Current state laws require organizations to notify breach victims of an information breach ”without unreasonable delay.” Some organizations, such as those covered under the Health Insurance Portability and Accountability Act (HIPAA), have stricter reporting requirements. Federal laws will continue to preempt state laws on healthcare data breaches. Connecticut Residents to be Better Protected by Mandatory Data Breach Response HIPAA requires covered entities to issue data breach notification letters to all affected individuals “without reasonable delay”, although a maximum time limit of 60 days is allowed. However, some industries do not face the same strict regulations...

Read More

Patients Want to Share Their PHI, Says ONC Study

A new study released by the Office of the National Coordinator for Health IT (ONC) this week – Individuals’ Perceptions of the Privacy and Security of Medical Records – suggests that patients are happy with their healthcare data being shared; they just don’t want that information shared with unauthorized individuals. Healthcare Data Privacy Protections under HIPAA The sharing of healthcare data is highly restricted under the Health Insurance Portability and Accountability Act (HIPAA). The information can only be viewed by authorized individuals for the purpose of providing medical care or other essential healthcare purposes such as billing. Protected Health Information (PHI) cannot even be shared for the purposes of medical research, unless the data is first de-identified or patient permission is obtained. This may be about to change, certainly for the purposes of research, but how do patients actually feel about the use of their data by healthcare providers? Do they have concerns about the growth in use of Electronic Health Records (EHRs)? Vaishali Patel, PhD MPH and...

Read More

Jocelyn Samuels Questioned on OCR HIPAA Audits

The Department of Health and Human Services’ Office for Civil Rights is tasked with enforcing HIPAA Rules on data privacy, security, and breach notifications. As part of this duty, it is required to conduct HIPAA compliance audits on HIPAA-Covered Entities (CEs) to ensure the legislation is being followed and the Privacy and Security Rules are put into practice. The task is a difficult one. It is hugely labor intensive, and involves the collection and collation of mountains of paperwork and an army of staff to assess compliance. The job requires highly trained personnel, which the OCR has; unfortunately, it just does not have enough of them. The role of the OCR is considerable, with the department required to ensure compliance with a number of legislative acts, in addition to HIPAA. The huge workload, which also includes the issuing of guidance as well as taking enforcement actions and conducting audits, places a considerable strain on the agency’s 650-strong workforce of attorneys, auditors, and staff. Budgetary constraints are a long-running problem with the department, and while...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist