25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

Office for Civil Rights Releases HIPAA Audit Results

The introduction of the Security Rule has warranted a round of compliance audits by the Office for Civil Rights of the Department of Health and Human Services. The results of its first round of preliminary HIPAA compliance audits – conducted in March this year – have now been announced. The OCR conducted 20 audits to assess organizations for compliance with new HIPAA regulations, in particular those relating to the Privacy and Security Rules. Only a small number of audits were conducted but the results have given the OCR important insights into the general state of compliance in the healthcare industry. Some of the key findings were announced at the recent OCR and National Institute of Standards and Technology conference. OCR Compliance Audit Findings (March 2012) The results of the audits indicate that while large organizations have by and large made the appropriate updates to their data privacy and security policies, there is a discrepancy between the government’s high expectations of data privacy and security compliance and what the OCR has observed in practice. Healthcare...

Read More
Attorney General’s Office Confirms HIPAA Settlement Reached with South Shore Hospital
May27

Attorney General’s Office Confirms HIPAA Settlement Reached with South Shore Hospital

An announcement has been made by the Office of the Massachusetts Attorney General that a settlement has now been reached with South Shore Hospital. The healthcare provider will be required to pay a fine of $750,000 for violations of the state Consumer Protection Act (Massachusetts General Law Chapter 93A) and also violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement was reached for the accidental exposure of Protected Health Information and for failing to securely erase ePHI. The violation occurring when three backup tapes containing unencrypted ePHI were accidentally sent to a data archiving company to be erased and resold; however that company was not informed of the contents of the tapes. Two of those tapes were subsequently lost and have not been recovered. The Attorney General’s investigation revealed that a number of errors had been made by the hospital. The hospital had failed to obtain a signed business agreement and did not determine whether its choice of data company complied with HIPAA regulations. The passing of the Health...

Read More
Boston Children’s Hospital Announces Unencrypted Laptop HIPAA Breach
May23

Boston Children’s Hospital Announces Unencrypted Laptop HIPAA Breach

Boston Children’s Hospital has issued a press release announcing a laptop issued to one of its employees has been lost at a conference in Buenos Aires; potentially exposing the protected health records of 2,159 of its patients. The laptop had basic security protection and access was secured with a password; however the data contained on the laptop was not encrypted. In accordance with federal law, all patients concerned have been issued with a breach notification by mail advising them of the security breach and detailing the data that could possibly have fallen into the hands of others. They have also been given advice on how they can protect their identities and mitigate any damage caused. The breach notification letters were sent out on May 22, 2012. In the letter patients were informed that their data was stored in a spreadsheet attached to an email and that the account was password protected. The information contained in the file included names, medical record numbers, diagnosis codes, procedures performed and dates of past surgery. Dates of birth were included, although no...

Read More
Online Patient Calendars Cause $100K HIPAA Breach
Apr16

Online Patient Calendars Cause $100K HIPAA Breach

Before posting Protected Health Information on any website it is essential that the medium is assessed for security risks. If a website is owned or maintained by a third party or a cloud service is provided, a signed business associate agreement must also be obtained before any information is posted. It may seem obvious that ePHI cannot be posted on publically accessible websites; however it is a mistake that can easily be made if the staff has not been trained on the requirements of the Privacy Rule. Since online calendars and appointment systems also include PHI, these too must be assessed to ensure they are HIPAA-compliant. Using online services can improve efficiency but it cannot be at the expense of data security, as Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, AZ recently discovered. Some members of staff at the clinic were posting clinical and surgical appointments in the online calendar; however the server on which the calendar was hosted was open to the public and did not have the necessary security systems installed to protect the information entered. The...

Read More
Santa Rosa Memorial Hospital Sued Over HIPAA Breach
Apr09

Santa Rosa Memorial Hospital Sued Over HIPAA Breach

A class-action lawsuit has been filed in the Sonoma County Superior Court on behalf of two California residents affected by a data breach suffered by 6 hospitals in the St. Joseph Health System in California. The data breach exposed the records of 31,800 patients throughout the state of California The lawsuit has been filed naming two patients of the Santa Rosa Memorial Hospital, where 6,235 individuals were affected. The breach also exposed the records of 4,263 patients of Queen of the Valley Hospital in Napa and patients from four other hospitals. The suit is being filed on behalf of all 31,800 patients affected by the breach and seeks damages of $1,000 per patient. The HIPAA breach was discovered when a patient, Deanna DeBaek, ran a search in Google and discovered her healthcare information had been listed in the search engines. That was on January 24, with the records she found relating to treatment she had through the St. Joseph hospital system in 2011. The lawsuit alleges that the St. Joseph Health System acted with negligence and unlawfully released medical information...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist