25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

Nurse Fired for Disclosing Teenager’s Pregnancy Status to Family Member
Oct10

Nurse Fired for Disclosing Teenager’s Pregnancy Status to Family Member

An Iowa nurse has been terminated for a HIPAA violation and has lost her unemployment benefits after disclosing the pregnancy status of a 17-year-old patient to a family member without the patient’s consent. Erica Hulsing was a registered nurse at Waverly Health Center in Waverly, Iowa, where she had been employed since September 2016. On April 17, 2025, Hulsing received a call from a family member of a 17-year-old patient inquiring about the patient’s recent stay at the hospital. The patient had made an explicit request for her pregnancy status to be kept confidential; however, Hulsing informed the family member that the patient had been pregnant. Following the disclosure, the patient and family members filed complaints with the hospital over the disclosure, prompting an internal investigation. The hospital determined that Hulsing had disclosed highly sensitive information about a patient to an individual who was not authorized to receive that information, as the family member was not listed on her consent form. The hospital determined that the disclosure was a violation of the...

Read More
California Sets 30-Day Breach Reporting Deadline
Oct10

California Sets 30-Day Breach Reporting Deadline

Individuals and businesses that do business in the state of California will soon be required to notify individuals affected by a data breach within 30 days of the discovery of the breach, and the state attorney general must be notified within 15 calendar days. State Governor Gavin Newsom added his signature to SB 446 earlier this month, with the new data breach reporting requirements taking effect on January 1, 2026. Previously, data breach notification law in California required notifications to be issued without unreasonable delay, with no maximum timeframe stipulated for when the notifications should be issued. The new law will ensure that individuals affected by a data breach will receive prompt notification, allowing them to take timely action to protect themselves against identity theft and fraud. There is, however, some flexibility in the new law. Data breach notifications must be issued in the most expedient time possible and without unreasonable delay, and while a 30-day limit is stipulated, the new law does allow for delays to notifications at the request of law...

Read More
HHS-OIG Announces 10-Year Exclusions for Companies and Individuals
Oct09

HHS-OIG Announces 10-Year Exclusions for Companies and Individuals

The Department of Health and Human Services Office of Inspector General (HHS-OIG) maintains an exclusion list of companies and individuals who are not permitted to participate in federal healthcare programs, including indirectly participating by providing goods or services to entities that are billed to federal healthcare programs. Exclusion is the most severe civil sanction that can be imposed by HHS-OIG and is most commonly due to conviction of a felony or misdemeanor related to a federally funded healthcare program, although individuals and entities can be added to the exclusion list for a variety of reasons. The duration of the exclusion depends on several factors and can range from months to permanent exclusion. For permissive exclusions, HHS-OIG has discretion over how long the exclusion period lasts. That could be until an individual who has defaulted on a repayment addresses the default, although most permissive exclusions fall in the range of 1 to 3 years. Mandatory exclusions, such as those for misdemeanor and felony convictions, have minimum exclusion periods of 5 or 10...

Read More
Skagit Regional Health Settles Meta Pixel Class Action Litigation
Oct09

Skagit Regional Health Settles Meta Pixel Class Action Litigation

Skagit County Public Hospital District No. 1, doing business as Skagit Regional Health, the operator of Skagit Regional Hospital in Mount Vernon, Washington, has agreed to settle class action litigation stemming from its use of Meta Pixel and other tracking tools on its website, which may have disclosed patient information to third parties. Like many hospital operators, Skagit Regional Health added tracking technologies such as Meta Pixel to its website. These tools track user activity on websites, such as the pages visited and time spent on each page; however, they can collect a range of information that can be tied to individuals via various identifiers, including IP addresses. The data collected by these tools is typically transmitted to the providers of these tools, and in the case of Meta Pixel, the data can be used to serve targeted advertisements. On November 8, 2024, a lawsuit was filed in Skagit County Superior Court in Washington by Dave Suther – Dave Suther v. Skagit County Public Hospital District No. 1, d/b/a Skagit Regional Hospital – alleging the defendant had used...

Read More
Florida Radiology Practice Announces 171K-record Data Breach
Oct09

Florida Radiology Practice Announces 171K-record Data Breach

Data breaches have been announced by Doctors Imaging Group in Florida, Rectangle Health in New York, and Care N’ Care in Texas. Doctors Imaging Group, Florida Doctors Imaging Group, a Gainesville, Florida-based physician-owned radiology practice, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 171,862 current and former patients. Suspicious activity was identified within its computer network on or around November 11, 2024, and the forensic investigation confirmed that unknown actors accessed its network between November 5, 2024, and November 11, 2024. During that time, files were copied from its systems, some of which contained the protected health information of patients. The substitute breach notice does not say if this was an extortion attempt, such as a ransomware attack, and the HIPAA Journal has not identified any posts by ransomware groups claiming responsibility for the attack. Doctors Imaging Group conducted a file review to identify the types of information exposed in the incident, which was completed on August 29, 2025. Data...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist