25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

HHS Announces Limited HIPAA Privacy Rule Waivers Due to Hurricane Laura and the Californian Wildfires
Aug28

HHS Announces Limited HIPAA Privacy Rule Waivers Due to Hurricane Laura and the Californian Wildfires

The Secretary of the HHS, Alex Azar, has declared a public health emergency exists in the states of Louisiana and Texas as a result of the consequences of Hurricane Laura, and in California due to ongoing wildfires. During public health emergencies the HIPAA Rules are not suspended; however, the HHS Secretary may choose to waive certain provisions of the HIPAA Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act. In addition to the declaration of public health emergencies, the HHS Secretary has declared that sanctions and penalties against hospitals will be waived for the following provisions of the HIPAA Privacy Rule. The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b). The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a). The requirement to distribute a notice of privacy practices. See 45 CFR 164.520. The patient’s right to request privacy restrictions. See 45 CFR 164.522(a)....

Read More
OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory
Aug27

OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory

The risk analysis is one of the most important requirements of the HIPAA Security Rule, yet it is one of the most common areas of noncompliance discovered during Office for Civil Rights data breach investigations, compliance reviews, and audits. While there have been examples of HIPAA-covered entities ignoring this requirement entirely, in many cases, noncompliance is due to the failure to perform a comprehensive risk analysis across the entire organization. In order to perform a comprehensive risk analysis to identify all threats to the confidentiality, integrity, and availability of electronic protected health information (ePHI), you must first know how ePHI arrives in your organization, where it flows, where all ePHI is stored, and the systems that can be used to access that information. One of the common reasons for a risk analysis compliance failure, is not knowing where all ePHI is located in the organization. In its Summer 2020 Cybersecurity Newsletter, OCR highlighted the importance of maintaining a comprehensive IT asset inventory and explained how it can assist with the...

Read More

Dynasplint Systems Data Breach Impacts Almost 103,000 Individuals

Severna Park, MD-based Dynasplint Systems, a manufacturer of proprietary stretching devices to improve joint motion, has experienced a cyberattack in which personal and protected health information may have been accessed or stolen. The security breach occurred on May 16, 2020 and prevented employees from accessing computer systems. In a letter to the Iowa Attorney General, a lawyer representing Dynasplint explained that the company had suffered “an encryption attack” which prevented employees from accessing computer systems. Assisted by a digital forensics firm, Dynasplint Systems determined on June 4, 2020 that information such as names, addresses, dates of birth, Social Security numbers, and medical information may have been accessed and acquired by the attackers. The cyberattack was reported to the FBI and Dynasplint Systems is cooperating with the investigation to hold the individuals responsible accountable. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 102,800 individuals were potentially affected by...

Read More

Study Reveals Increase in Credential Theft via Spoofed Login Pages

A new study conducted by IRONSCALES shows there has been a major increase in credential theft via spoofed websites. This is particularly important for healthcare records that are subject to HIPAA compliance rules. IRONSCALES researchers spent the first half of 2020 identifying and analyzing fake login pages that imitated major brands. More than 50,000 fake login pages were identified with over 200 brands spoofed. The login pages are added to compromised websites and other attacker-controlled domains and closely resemble the genuine login pages used by those brands. In some cases, the fake login is embedded within the body of the email. The emails used to direct unsuspecting recipients to the fake login pages use social engineering techniques to convince recipients to disclose their usernames and passwords, which are captured and used to login to the real accounts for a range of nefarious purposes such as fraudulent wire transfers, credit card fraud, identity theft, data extraction, and more. IRONSCALES researchers found the brands with the most fake login pages closely mirrored the...

Read More

Personal and COVID-19 Status Data Stolen from South Dakota Fusion Center in “BlueLeaks” Hacking Incident

The Houston, TX-based web developer Netsential had its web servers hacked and almost 270 gigabytes of data were stolen and was published online on June 19, 2020 by hacktivists and the data stolen was published by Distributed Denial of Secrets (DDoSecrets).  The hack and data leak incident was termed “BlueLeaks” and included 10 years of law enforcement data from around 200 police departments and fusion centers. Fusion centers gather and analyze threat information and share the data with states, government organizations, and private sector firms. The leaked data contained more than 1 million lines and included scanned documents, video and audio files, and emails. The South Dakota Department of Public Safety’s State Fusion Center has recently announced that it has also been impacted by the data breach. The South Dakota Fusion Center developed a secure online portal in the spring of 2020 using Netsential’s services. The portal was developed to allow first responders to identify COVID-19 positive individuals so they would be able to take extra precautions to avoid being infected...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist