25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

HIPAA Compliance Software

The purpose of HIPAA compliance software is to provide a framework to guide a HIPAA-covered entity or business associate through the process of becoming HIPAA-compliant and support continued compliance with HIPAA. HIPAA compliance software helps administrators, business owners, practice managers, and compliance officers, many of whom manage compliance alongside other responsibilities and without a formal background in healthcare regulation, navigate the nuances of HIPAA and ensure all applicable provisions of the HIPAA Privacy, Security, and Breach Notification Rules are satisfied. The software also proves a company has made a good faith effort to comply with HIPAA by maintaining full documentation of compliance activities. This ensures that if a company is audited by the HHS’ Office for Civil Rights (OCR) or is investigated by OCR or state attorneys general over a data breach, the organization can demonstrate no aspect of HIPAA has been missed, all policies and procedures are in order, members of the workforce have received HIPAA training, and appropriate technical, physical, and...

Read More
Okanogan Behavioral Healthcare Settles Class Action Data Breach Lawsuit
Jun26

Okanogan Behavioral Healthcare Settles Class Action Data Breach Lawsuit

Okanogan Behavioral Healthcare, a provider of holistic behavioral health services in Okanogan County, Washington, has agreed to settle a class action lawsuit stemming from a May 2024 data breach that affected 26,429 individuals. A network intrusion was identified on May 15, 2024, and the forensic investigation determined that an unauthorized third party had access to its network from May 13, 2024, to May 15, 2024. Data exposed in the incident included client names, contact information, dates of birth, Social Security numbers, driver’s license numbers, other identification numbers, and medical information, including diagnosis and treatment information, and health insurance information. The affected individuals started to be notified on August 23, 2024. A lawsuit was filed – Doe v. Okanogan Behavioral Healthcare – in the Superior Court of the State of Washington for the County of Okanogan in response to the data breach, alleging that the data breach was due to the failure of the defendant to implement reasonable and appropriate cybersecurity measures, and had they been...

Read More
High-Severity Vulnerability Identified in OHIF Viewers DICOM
Jun26

High-Severity Vulnerability Identified in OHIF Viewers DICOM

A high-severity vulnerability has been identified in OHIF (Open Health Imaging Foundation) Viewers DICOM, which could be exploited to steal an authenticated clinician’s token via a crafted link. The Server-Side Request Forgery (SSRF) vulnerability is tracked as CVE-2026-12473 and has a CVSS base score of 8.2 (v3.1) and 8.3 (v4.0). The vulnerability is due to two data sources – DICOMWebProxy and DICOMJSON –  shipped in the default configuration fetching an arbitrary URL parameter without validation. A global authentication service in OHIF injects the authenticated user’s OIDC Bearer token into the resulting requests, which could be sent to an attacker-controlled server, allowing the OIDC Bearer token to be obtained. The vulnerability does not impact DICOMweb data sources. The vulnerability affects OHIF DICOM Web Viewer Framework prior to v3.12.0. The vulnerability has been fixed by the maintainer in version 3.12.2, which was released on May 18, 2026. The fix is located at OHIF/Viewers#5985 (master), OHIF/Viewers#5978 (release/3.12). Users are advised to update to the fixed...

Read More
Why You Don’t Need to Understand HIPAA to Make Your Small Practice HIPAA Compliant
Jun26

Why You Don’t Need to Understand HIPAA to Make Your Small Practice HIPAA Compliant

A small practice owner who cannot define a Security Risk Analysis, has never read the HIPAA Security Rule, and does not know what a Business Associate Agreement must contain can still operate a practice with a complete, documented, provable HIPAA compliance program. The expertise does not have to live in the practitioner’s head. It has to live in the program. A purpose-built compliance program encodes what HIPAA requires and translates a practice owner’s knowledge of their own practice into a complete compliance record. The practitioner does not need to become a compliance expert. They need a structured program built specifically for them. What HIPAA Actually Requires a Small Practice to Have HIPAA’s requirements for a small independent practice are extensive, but they are not open-ended. The HIPAA compliance obligations for a covered entity resolve into four documented outputs that the HHS Office for Civil Rights will look for in any investigation or audit. The first is a current Security Risk Analysis. The Security Rule requires covered entities to conduct an...

Read More
Colorado Health Network; Kentucky Mountain Health Alliance Announce Data Breaches
Jun26

Colorado Health Network; Kentucky Mountain Health Alliance Announce Data Breaches

Data security incidents have been announced by the Colorado Health Network and Kentucky Mountain Health Alliance. In both cases, only limited information has been released about the nature of the incidents. Colorado Health Network Colorado Health Network Inc., a nonprofit organization that provides health and support services to individuals with HIV/AIDS across Colorado, has recently disclosed a data security incident. The breach notification does not state when the breach was detected or for how long the threat actors had access to its network, only that an unauthorized third-party accessed and removed files from its systems. The files have been reviewed and found to contain patient names in combination with one or more of the following: Social Security number, driver’s license/state identification card number, passport number, financial account information, debit/credit card information, health insurance information (which may include Medicaid/Medicare information), and medical information. The medical information may include, but is not limited to, diagnosis, diagnosis code,...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist