HIPAA and Privacy Act Training
When a federal agency provides healthcare services, there may be circumstances in which members of the federal agency’s workforce and onsite contractors are required to be provided with both HIPAA and Privacy Act training. In addition, as an increasing number of states enact their own privacy laws, there may also be occasions when employees of state agencies require HIPAA and Privacy Act training, and state law training. The Privacy Act of 1974 governs the collection, use, storage, and sharing of personally identifiable information maintained by federal agencies. Under the Act, U.S. citizens have the right to request a copy any data held about them and request that any errors are corrected, federal agencies must only collect data “relevant and necessary” to accomplish the purpose for which it is being collected, and sharing data between agencies is restricted and allowed only under certain conditions. People acquainted with the Health Insurance Portability and Accountability Act will find these privacy provisions familiar as they closely resemble Patients’ Rights under...
Denton County MHMR Center Data Breach Affects 109,000 Patients
Denton County MHMR Center, a community behavioral health clinic in Denton, Texas, recently reported a major data breach to the Department of Health and Human Services’ Office for Civil Rights (OCR) that involved unauthorized access to the protected health information of 108,967 current and former patients. Unusual activity was identified within its computer network on or around December 24, 2024, with the investigation confirming that an unauthorized third party had access to its network from December 24 to December 25, 2024. Denton County MHMR Center uploaded a substitute breach notice to its website on February 21, 2025, alerting patients about the incident, although at the time, the investigation and data review were ongoing, and it had yet to be determined how many individuals had been affected and the exact data types involved. On October 10, 2025, Denton County MHMR Center confirmed that the information potentially compromised in the incident included patient names, addresses, patients’ identification numbers, dates of birth, diagnosis, medical history information, medical...
Continuum Health Alliance Settles Class Action Data Breach Lawsuit
Marlton, NJ-based Continuum Health Alliance, a provider of health management and patient services, has agreed to a settlement to resolve a consolidated class action lawsuit stemming from an October 2023 data breach that affected more than 377,000 patients of its client, Evesham, NJ-based Consensus Medical Group. Unusual activity was identified within Continuum’s computer network on October 19, 2023. The investigation confirmed unauthorized access between October 18 and October 19, 2023, and the acquisition of files containing patient information, including names and Social Security numbers. The affected individuals were notified about the data breach in April 2024. The first class action lawsuit was filed on May 3, 2024, by plaintiff Jason Corner, followed by several other complaints. The lawsuits had overlapping claims and were consolidated in a single complaint – In re Continuum Health Data Security Incident Litigation – which was filed on March 14, 2025, in the Superior Court of New Jersey Law Division, Burlington County. The consolidated class action lawsuit asserted...
HIPAA Security Officer
All covered entities and business associates are required by 45 CFR 164.308 – the Administrative Safeguards of the HIPAA Security Rule – to identify a HIPAA Security Officer who is responsible for the development and implementation of policies and procedures to ensure the integrity of electronic Protected Health Information (ePHI). The role of HIPAA Security Officer is often designated to an IT Manager due to the perception that the integrity of ePHI is an IT issue. However, this is not necessarily the case. Although the Technical Safeguards of the HIPAA Security Rule relate to restricting access to systems on which ePHI is maintained and transmission security, only about 30% of a HIPAA Security Officer’s responsibilities are IT-related. The remainder of his or her responsibilities relate to training, auditing, incident management, and overseeing business associate compliance. A HIPAA Security Officer is also responsible for facility security and the preparation of a Disaster Recovery Plan. The Responsibilities of a HIPAA Security Officer The HIPAA Security Rule...
How Should You Respond To An Accidental HIPAA Violation?
How you should respond to an accidental HIPAA violation depends on the nature of the accidental violation and the potential consequences. Examples of accidental HIPAA violations that would require different responses because of their nature and/or potential consequences include: Sending a single email containing PHI to the wrong recipient. Sending 1,000 emails containing PHI to the wrong recipients. Unknowing use of shadow IT for storing PHI without a BAA. Unknowing use of shadow IT for storing PHI insecurely. Failing to obtain an authorization before disclosing SUD records. Disclosing more than the minimum necessary PHI for a permitted use. Allowing a colleague to use login credentials under supervision. Sharing login credentials with multiple colleagues with no supervision. In this article, we outline what exactly to do when there is an accidental HIPAA violation. You can also use the article in conjunction with our free HIPAA Violations Checklist to understand what is required to ensure full HIPAA compliance. Use any form on this page to arrange for your copy of the checklist....



