25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

Is ChatGPT for Healthcare HIPAA Compliant?
Jan12

Is ChatGPT for Healthcare HIPAA Compliant?

ChatGPT for Healthcare is an enterprise version of ChatGPT built for regulated healthcare environments. Launched in January 2026, the product is designed to help clinicians, administrators, and researchers apply AI safely and effectively while supporting compliance with HIPAA. However, ChatGPT for Healthcare is not HIPAA compliant “out of the box”. ChatGPT for Healthcare is an AI tool created by OpenAI optimized for healthcare workflows that involve uses and disclosures of Protected Health Information. Unlike consumer and business-facing ChatGPT-based services, ChatGPT for Healthcare has been designed with enterprise-grade security, administrative, and governance features that support HIPAA compliant use of the product. However, no technology is HIPAA compliant by itself. HIPAA compliance depends on how technology is deployed, configured, and used. It is also a requirement of HIPAA that organizations enter into a Business Associate Agreement with OpenAI and train workforce members on the compliant use of the product. In some states, it may also be necessary to have procedures in...

Read More
The Top HIPAA Threats May Not Be What You Think
Jan12

The Top HIPAA Threats May Not Be What You Think

The top HIPAA threats facing healthcare organizations today often originate inside the organization rather than from external attackers. In many organizations, the most common issues involve workforce behaviors, inappropriate access, mishandled credentials, and avoidable mistakes that expose systems to threat actors. Technical safeguards matter, but insider activity remains one of the top HIPAA threats that compliance teams must manage proactively. Many articles describing the top HIPAA threats focus on credential theft, ransomware, and the theft of unencrypted devices. These risks are real, but industry analyses consistently show that a substantial share of healthcare breaches involve insiders, whether through intentional misuse or preventable errors. The exact percentages vary by year, but the trend is stable enough to influence HIPAA compliance planning. Understanding Insider‑Driven HIPAA Risks Insider activity generally falls into two categories that appear repeatedly in discussions of the top HIPAA threats: Malicious insiders These individuals intentionally access or misuse...

Read More

HIPAA Compliance for Medical Centers

HIPAA compliance for medical centers consists of complying with the Administrative Simplification standards of the Health Insurance Portability and Accountability Act (HIPAA). For some medical offices, this can prove more challenging than for others. Some medical centers are well-equipped environments with highly motivated management teams, while others struggle with limited resources to provide the care their communities need. Unfortunately, HIPAA doesn’t distinguish between those who are resource-rich and those who are resource-poor and requires equal HIPAA compliance for medical centers of all shapes and sizes. While this may seem unfair, it is understandable. Individually identifiable health information has to be protected from impermissible uses and disclosures to reduce the likelihood of Protected Health Information being acquired by third parties and used to commit identity theft and insurance fraud. While these events can impact both resource-rich and resource-poor medical centers, resource-poor medical centers will likely feel each impact more if it affects payment...

Read More

What is the Civil Penalty for Knowingly Violating HIPAA?

The civil penalty for knowingly violating HIPAA falls within the range of $14,602 and $2,190,294 per violation, depending on whether or not the reason for the violation is corrected within 30 days (i.e., Tier 3 violation or Tier 4 violation). The civil penalty for knowingly violating HIPAA can also be influenced by an organization’s prior compliance history and its cooperation during a HIPAA compliance investigation.   If you search for the term “knowingly” in the text of HIPAA, you will find multiple references relating to defrauding health plans and embezzling money from healthcare benefit programs (i.e. Medicare), but only one relating to the wrongful disclosure of individually identifiable health information – and this section relates to criminal penalties for knowingly violating HIPAA rather than civil penalties. However, just before this section, the Act gives the Secretary of Health & Human Services (HHS) the authority to impose financial penalties for the failure to comply with the requirements and standards of the Administrative Simplification provisions unless the...

Read More
CareOregon and Health Share of Oregon Warn of Potential Insurance Fraud After Data Breach
Jan12

CareOregon and Health Share of Oregon Warn of Potential Insurance Fraud After Data Breach

CareOregon and Health Share of Oregon have notified certain patients about a data breach and potential insurance fraud. Andover Eye Associates has identified a breach of its email environment. CareOregon and Health Share of Oregon CareOregon and Health Share of Oregon have notified certain patients about unauthorized access to some of their protected health information. It is unclear from the phrasing of the notice whether this was an insider breach or if data was accessed by an external actor. The data breach notice states that, “On October 27, 2025, we learned that one or more people looked at your information without permission.” Social Security numbers and financial information were not accessed. The data viewed and potentially obtained was limited to first and last names, dates of birth, health plan information, Medicaid/Medicare numbers, and primary care provider office. The notice states that there may have been data misuse, warning that the information may have been used to create fake insurance claims. CareOregon and Health Share of Oregon said they were unable to...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist