25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

Is it a HIPAA Violation to Ask for Proof of Vaccine Status?
Dec25

Is it a HIPAA Violation to Ask for Proof of Vaccine Status?

According to several media sources, there appears to be a degree of confusion about the purpose of HIPAA, who it applies to, and whether asking someone if they have had a COVID-19 vaccine constitutes a HIPAA violation. The confusion was highlighted recently when, on May 18, 2021, Rep. Marjorie Taylor Greene, (R-Ga) was asked whether she had been vaccinated, as she had refused to wear a mask on the House floor in breach of House rules. Greene told reporters that asking her about her vaccine status was a HIPAA violation, but this was not correct as HIPAA does not apply in such situations. It is not only Rep. Greene who is unsure about the purpose of HIPAA and who it applies to. Several organizations have also raised concerns that asking employees to provide proof of being vaccinated against COVID-19 in order to avoid wearing a facemask, maintain social distancing, or self-isolate after exposure to an infected person may also be a violation of HIPAA. HIPAA and Its Purpose The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of...

Read More

Hospital, Pharmacy, and Dental Practice Report Hacking Incidents Impact More Than 355,000 Patients

A hacker gained access to the IT network of Altamonte Springs, FL-based BioPlus Specialty Pharmacy Services and accessed files containing sensitive patient data. The intrusion was detected on November 11, 2021, and steps were immediately taken to remove the hacker from its network. Assisted by a third-party computer forensics firm, BioPlus determined its IT environment was compromised on October 25, 2021, and the hacker was removed from its systems on November 11. The investigation confirmed files containing the protected health information of certain patients had been accessed, but it was not possible to rule out the possibility that the hacker accessed the PHI of all of its patients. The decision was therefore taken to notify all 350,000 current and former patients about the breach. Files that were accessible to the hacker included patient names, dates of birth, addresses, medical record numbers, current/former health plan member ID numbers, claims information, diagnoses, and/or prescription information. Some patients also had their Social Security number exposed. Notification...

Read More

PHI of Almost 400,000 Monongalia Health Patients Potentially Compromised in BEC and Phishing Attack

Morgantown, WV-based Monongalia Health System has started notifying almost 400,000 patients that some of their protected health information (PHI) may have been obtained by unauthorized individuals in a recent cyberattack. The security incident came to light when one of its vendors reported not receiving a July 2021 payment that had left Monongalia Health’s accounts. The investigation into the incident confirmed this was a business email compromise (BEC) attack. The attacker had used a phishing email to obtain the credentials for a Monongalia Health contractor’s email account, which was used to send a request to Monongalia Health to have the bank account details for an upcoming payment changed to an account controlled by the attacker. Monongalia Health said the investigation revealed several Monongalia Health email accounts had been compromised as a result of employees responding to phishing emails, and emails and email attachments in those accounts contained patients’ protected health information. The purpose of the attack appears to have solely been to obtain funds from Monongalia...

Read More

Hacking Incidents Reported by Southern Orthopaedic Associates and Eduro Healthcare

Paducah, KY-based Southern Orthopaedic Associates (SOA), doing business as the Orthopaedic Institute of Western Kentucky, has started notifying 106,910 patients about a breach of some of their protected health information. SOA detected unauthorized activity in an employee email account on or around July 7, 2021. Steps were immediately taken to secure the account and an investigation was launched to determine the nature and scope of the breach. Assisted by a third-party computer forensics company, SOA determined that several employee email accounts had been compromised between June 24, 2021, and July 8, 2021; however, it was not possible to tell which, if any, emails in the account had been accessed. A comprehensive review was conducted of all emails and attachments in the compromised accounts to determine if they contained any protected health information. The review was completed on October 21, 2021, and confirmed the accounts contained patient names and Social Security numbers. Notification letters were sent to affected individuals starting on December 12, 2021. SOA has offered a...

Read More
November 2021 Healthcare Data Breach Report
Dec21

November 2021 Healthcare Data Breach Report

The number of reported healthcare data breaches has increased for the third successive month, with November seeing 68 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – a 15.25% increase from October and well above the 12-month average of 56 data breaches a month. From January 1 to November 30, 614 data breaches were reported to the Office for Civil Rights. It is looking increasingly likely that this year will be the worst ever year for healthcare data breaches. The number of data breaches increased, but there was a sizable reduction in the number of breached records. Across the 68 reported breaches, 2,370,600 healthcare records were exposed, stolen, or impermissibly disclosed – a 33.95% decrease from the previous month and well below the 12-month average of 3,430,822 breached records per month. Largest Healthcare Data Breaches Reported in November 2021 In November, 30 data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights, and 4 of those breaches resulted in the exposure/theft of more than 100,000 records. The...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist