
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or by email at stevealder(at)hipaajournal.com

Can A Patient Sue for A HIPAA Violation?
Jan 02

A patient can sue for a HIPAA violation – and there are an increasing number of class action suits for protected health information data breaches – although not under the provisions of HIPAA laws. There is no private cause of action in HIPAA, so it is not possible for a patient to directly sue for a HIPAA violation under HIPAA. Even if HIPAA Rules have clearly been violated by a healthcare provider, and harm has been suffered as a direct result, it is not possible for patients to seek damages, at least not for the violation of HIPAA laws. So, if it is not possible for a patient to directly sue for a HIPAA violation, does that mean legal action cannot be taken against a covered entity when HIPAA has clearly been violated? While HIPAA does not have a private cause of action, it is possible for patients to take legal action against healthcare providers and obtain damages for violations of state laws. In some states, it is possible to file a lawsuit against a HIPAA covered entity on the grounds of negligence or for a breach of an implied contract, such as if a covered...

What are the Penalties for HIPAA Violations?
Jan 02

The penalties for HIPAA violations include civil monetary penalties ranging from $145 to $2,190,294 per violation, depending on the level of culpability. Criminal penalties can also be imposed for intentional HIPAA violations, leading to fines and potential imprisonment. In addition to financial penalties, corrective action plans may be required to address compliance deficiencies. The Department of Health and Human Services (HHS) Office for Civil Rights cannot compel a HIPAA-regulated entity to adopt a corrective action plan when a civil monetary penalty is imposed, but settlements almost always include one. State attorneys general can also bring civil actions, resulting in civil monetary penalties. Settlements are usually the preferred choice, and in such cases, there may be a requirement to pay a financial penalty and invest in cybersecurity. In this article, we provide a detailed explanation of penalties for HIPAA violations. You can also use the article in conjunction with our free HIPAA Violations Checklist to understand what is required to ensure full compliance. Please use...

BA Exemption: The HIPAA Conduit Exception Rule and Transmission of PHI
Jan 02

The HIPAA Conduit Exception Rule applies to organizations that would normally be considered business associates, but who are exempted from complying with HIPAA because they only have transient access to PHI. For the benefit of HIPAA compliance, it is important to understand the difference between transient access, persistent access, and no view access.

The HIPAA Omnibus Final Rule and Business Associates

On January 25, 2013, the HIPAA Omnibus Final Rule was published in the Federal Register. The HIPAA Omnibus Final Rule introduced a swathe of updates to HIPAA Rules, including updates attributable to the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HIPAA Omnibus Final Rule included an update to the definition of a business associate. Prior to January 25, 2013, a business associate was a person or entity that creates, receives, or transmits protected health information (PHI) on behalf of a covered entity. The Omnibus rule added ‘maintains’ to that definition. That meant companies that store electronic information – or physical records – are...

How to Report a HIPAA Violation
Jan 02

How you report a HIPAA violation varies depending on the nature of the violation and whether you are a member of the public, a member of a covered entity’s workforce, or a covered entity. There are also various channels for reporting a HIPAA violation. These channels include the Privacy Officer at the organization where the violation occurred, your State Attorney General, and HHS’ Office for Civil Rights. It is important for all employees in the healthcare and health insurance industries to understand what constitutes a HIPAA violation and how to report a HIPAA violation. Understanding what constitutes a HIPAA violation should be included in HIPAA training, as should the correct person to direct a report to. This person then has the responsibility to determine whether or not the HIPAA violation should be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Potential HIPAA violations must be investigated internally by HIPAA covered entities and – where applicable – by business associates to determine the severity of the violation and...

How to Make Your Email HIPAA Compliant
Jan 02

Making your email HIPAA compliant has the advantage of enabling you to communicate PHI in emails with patients, colleagues, and authorized third parties without risking a violation of HIPAA for impermissibly disclosing unsecured PHI. You can make your email HIPAA compliant by following three easy steps. First, if you are communicating ePHI to a patient or plan member, warn the recipient of the risks of communicating ePHI by email, obtain their consent to receive communications by email, and document both the warning and the consent. Secondly, use a HIPAA compliant email service that encrypts emails in transit and at rest. These are discussed in greater detail below. Thirdly, implement a secure email retention system to ensure the availability of immutable ePHI when copies are requested by an individual exercising their HIPAA Rights.

How to Make Your Email HIPAA Compliant

Whether you need to make your email HIPAA compliant will depend on how you plan to use email with ePHI. If you will only ever send emails internally, it may not be necessary to make your email HIPAA compliant. If...
