25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

Take the Guesswork out of HIPAA Compliance for Small Practices
Jul01

Take the Guesswork out of HIPAA Compliance for Small Practices

Removing guesswork from HIPAA compliance means replacing assumptions about what a practice has covered with a documented process that maps directly to the requirements of the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. Small practices frequently operate on inherited assumptions: a predecessor set up a policy years ago, a staff member attended a training session at some point, or a binder was purchased and filled out once. None of those assumptions can be verified on demand, and an inability to verify is treated the same as noncompliance during a regulatory review. A defined process removes that ambiguity by producing evidence rather than relying on memory or informal practice. The Uncertainty Small Practices Face Under HIPAA Owners and office managers at small practices commonly cannot answer basic questions about their own compliance status without checking multiple sources or guessing. Common uncertainty includes whether the Security Risk Analysis on file reflects the practice’s current systems, whether every staff member has...

Read More
Security Researcher Identifies Quintet of Bugs in Toolkit Used in DICOM Medical Imaging Software
Jul01

Security Researcher Identifies Quintet of Bugs in Toolkit Used in DICOM Medical Imaging Software

A quintet of vulnerabilities has been identified in a DICOM toolkit – OFFIS DCMTK – that is extensively used in medical imaging software. DICOM (Digital Imaging and Communications in Medicine) is the universal technical standard used to store, transmit, print, and display medical imaging data and is used by virtually all medical imaging devices. Since the toolkit is used in many medical imaging software solutions, the vulnerabilities are significant. Successful exploitation of the vulnerabilities could expose patient information, disrupt DICOM storage or worklist services, exhaust service memory, crash imaging services, or cause DCMTK-based clients to write files outside the intended output directory. The vulnerabilities were identified by independent security researcher Abhinav Agarwal, who reported them to the U.S. Cybersecurity and Infrastructure Agency (CISA) and the vendor in May 2026. Agarwal identified the vulnerabilities using standard subscriptions to Claude and ChatGPT, then manually reviewed and confirmed the findings. One of the vulnerabilities is rated critical with a...

Read More
HIPAA Compliance Made Easy for Small Practices
Jul01

HIPAA Compliance Made Easy for Small Practices

HIPAA compliance for a small practice means meeting the requirements of the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule through a documented, current program rather than a single training session or a policy binder assembled once and left unchanged. Small practices are held to the same regulatory standard as hospitals and health systems, and the Department of Health and Human Services Office for Civil Rights does not scale its expectations down based on staff count or patient volume. A practice that has never been investigated is not necessarily compliant, it has simply not yet been tested. The path to a program that holds up under scrutiny is more structured than most owners and office managers assume, and it does not require becoming a regulatory expert to get there. What HIPAA Compliance Requires From a Small Practice A covered entity under HIPAA must maintain administrative, physical, and technical safeguards for protected health information under the Security Rule, apply use and disclosure standards for that information under the Privacy...

Read More
Medtronic Notifies 3.8M Individuals About April 2026 Cyberattack
Jul01

Medtronic Notifies 3.8M Individuals About April 2026 Cyberattack

Medtronic has started issuing notifications to individuals affected by an April 2026 cyberattack. The ShinyHunters threat group claimed responsibility for the cyberattack and alleges that more than 9 million records containing personally identifiable information (PII) were stolen. Medtronic explained in the notification letters that it learned about the intrusion on April 15, 2026, when suspicious activity was identified within certain corporate IT systems. Assisted by leading third-party cybersecurity experts, Medtronic confirmed unauthorized access to certain IT systems from April 13 to April 19, 2026. The medical devices manufactured by Medtronic collect patient data. The review of that data confirmed that names, contact information, dates of birth, Social Security numbers, and health-related information may have been impacted. At the time of issuing the notification letters, Medtronic said it was unaware of any release of the stolen data on the public Internet. Medtronic confirmed that it takes privacy and security seriously and had implemented many safeguards to protect its...

Read More
DOJ’s Using Advanced Data Analytics and AI Tools to Combat Healthcare Fraud Before Payment
Jun30

DOJ’s Using Advanced Data Analytics and AI Tools to Combat Healthcare Fraud Before Payment

The U.S. government has announced record-breaking Medicaid fraud charges as part of its 2026 National Health Care Fraud Takedown, with the enforcement action resulting in charges for 455 defendants, including more than 90 doctors and other licensed medical professionals, in connection with more than $6.5 billion in healthcare fraud and opioid abuse claims. The enforcement action involved a whole-government approach, including U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG), HHS Centers for Medicare and Medicaid Services (CMS), and Drug Enforcement Administration (DEA), with cases in 56 federal districts, 45 U.S. states and territories, and 50 state Medicaid Fraud Control Units participated, more than ever before. There was also unprecedented international cooperation over the two-week takedown. The DOJ seized more than $182 million in cash, luxury vehicles, jewelry, and other assets. “We are aggressively scaling our offensive against anyone using health care as a front to steal from the American people,” said Assistant Attorney General Colin M....

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist