Take the Guesswork out of HIPAA Compliance for Small Practices

Removing guesswork from HIPAA compliance means replacing assumptions about what a practice has covered with a documented process that maps directly to the requirements of the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. Small practices frequently operate on inherited assumptions: a predecessor set up a policy years ago, a staff member attended a training session at some point, or a binder was purchased and filled out once. None of those assumptions can be verified on demand, and an inability to verify is treated the same as noncompliance during a regulatory review. A defined process removes that ambiguity by producing evidence rather than relying on memory or informal practice.

The Uncertainty Small Practices Face Under HIPAA

Owners and office managers at small practices commonly cannot answer basic questions about their own compliance status without checking multiple sources or guessing. Common uncertainty includes whether the Security Risk Analysis on file reflects the practice’s current systems, whether every staff member has completed required training within the correct timeframe, and whether the breach notification procedure matches current regulatory timelines. This uncertainty is not a knowledge problem specific to any one practice. It reflects the fact that HIPAA compliance touches administrative operations, physical security, technology, and workforce management simultaneously, and few practices have a single system that tracks all four areas together.

Three Rules, One Standard: What Compliance Actually Covers

The HIPAA Privacy Rule governs how protected health information is used and disclosed, the HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic protected health information, and the HIPAA Breach Notification Rule sets specific timelines and procedures for notifying affected individuals and regulators when a breach occurs. These three rules are evaluated together during an investigation, not separately. A practice with strong technical safeguards but no documented breach notification procedure has not met its obligations any more than a practice with a written privacy policy that staff were never trained on. Meeting the standard requires all three rules to be addressed in a coordinated, documented way.

Where Guesswork Creates Regulatory Exposure

Regulatory exposure tends to concentrate in a small number of predictable gaps. A Security Risk Analysis completed once and never updated no longer reflects the practice’s actual systems or vulnerabilities. Training records that exist but are not tied to specific policy versions cannot demonstrate that staff were trained on current requirements. Breach response procedures written in general terms, without practice-specific roles and timelines, slow down the notification process when an actual incident occurs. Each of these gaps originates from treating a HIPAA requirement as a one-time task rather than a maintained record, and each one is identifiable and correctable before it becomes a finding in an investigation.

Replacing Assumptions With a Documented Process

A documented compliance process converts uncertainty into a verifiable record. This starts with a current Security Risk Analysis specific to the practice’s systems and physical locations, followed by written policies drawn from that analysis rather than a generic template, individual training records tied to those policies, and a breach response procedure with defined roles and notification timelines under the HIPAA Breach Notification Rule. When these elements exist together and are kept current, a practice can respond to a regulator’s request with a specific answer rather than an estimate. The process itself, not the intention behind it, is what a review evaluates.

A Program Built for the Practice, Not a Generic Template

Generic templates require a practice to adapt broad language to its own operations, and that adaptation is frequently where gaps form, since staff without regulatory training are left to interpret which parts of a template apply to them. Software built specifically for HIPAA compliance management removes that interpretation step by generating a program directly from information about the practice’s own operations, locations, and systems. Abyde produces this kind of program, building the Security Risk Analysis, policies, and training requirements around a specific practice rather than handing over a document to be customized manually. Setup for a complete program of this kind typically takes a matter of hours, with maintenance running to a few minutes a month once the initial analysis and documentation are in place.

Support for Situations a Checklist Cannot Resolve

Not every compliance question has a fixed answer available in a checklist or a template. Determining whether a specific incident meets the threshold for breach notification, or how to handle an unusual request for records, requires judgment applied to the facts of that particular situation. Abyde includes direct access to compliance experts by phone or message as part of its subscription, giving practices a specific answer to a specific situation rather than a general reference document to interpret on their own. This kind of support matters most to the staff member responsible for day-to-day compliance, who needs a reliable answer at the point a question arises rather than a research process that delays a required response.

The post Take the Guesswork out of HIPAA Compliance for Small Practices appeared first on The HIPAA Journal.

Security Researcher Identifies Quintet of Bugs in Toolkit Used in DICOM Medical Imaging Software

A quintet of vulnerabilities has been identified in a DICOM toolkit – OFFIS DCMTK – that is extensively used in medical imaging software. DICOM (Digital Imaging and Communications in Medicine) is the universal technical standard used to store, transmit, print, and display medical imaging data and is used by virtually all medical imaging devices. Since the toolkit is used in many medical imaging software solutions, the vulnerabilities are significant.

Successful exploitation of the vulnerabilities could expose patient information, disrupt DICOM storage or worklist services, exhaust service memory, crash imaging services, or cause DCMTK-based clients to write files outside the intended output directory. The vulnerabilities were identified by independent security researcher Abhinav Agarwal, who reported them to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the vendor in May 2026. Agarwal identified the vulnerabilities using standard subscriptions to Claude and ChatGPT, then manually reviewed and confirmed the findings.
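The article does not say which DCMTK code path lets a received object's metadata steer the output filename, so the following is a general illustration rather than DCMTK's own code: an added Python example (not from the article, the researcher or the DCMTK project) of a store receiver that names saved files after the SOP Instance UID, shown in the careless form that splices the attribute straight into a path and in a hardened form that validates the UID syntax and then confirms the resolved path still lies under the output directory. The output directory, the naming scheme and the UIDs are assumptions made for the example.

```python
"""Output-path handling for a DICOM store receiver that names files after the
SOP Instance UID of the received object.

Added example, not DCMTK code. Assumptions: files are written as
<out_dir>/<SOP Instance UID>.dcm, and the UID comes straight from the
received dataset, i.e. from the remote peer."""
from pathlib import Path
import re

# DICOM PS3.5 "UI" value representation: dotted decimal components, max 64 chars.
# (The standard also forbids leading zeros in a component; a permissive receiver
# may still see them, so they are tolerated here.)
_UID_RE = re.compile(r"[0-9]+(?:\.[0-9]+)*")


class UnsafeOutputPath(ValueError):
    """Raised when a derived path would land outside the output directory."""


def naive_output_path(out_dir: "str | Path", sop_instance_uid: str) -> Path:
    """The careless form: the attribute is spliced into the path unchecked.
    A UID of '../../evil' yields out_dir/../../evil.dcm."""
    return Path(out_dir) / f"{sop_instance_uid}.dcm"


def escapes(out_dir: "str | Path", candidate: Path) -> bool:
    """True if candidate, once '..' and symlinks are resolved, is not under out_dir."""
    base = Path(out_dir).resolve()
    try:
        candidate.resolve().relative_to(base)
    except ValueError:  # not relative to base, or unrepresentable path
        return True
    return False


def safe_output_path(out_dir: "str | Path", sop_instance_uid: str) -> Path:
    """The hardened form: validate the UID syntax first, then confirm the
    resolved path still lies under out_dir before anything is opened."""
    if len(sop_instance_uid) > 64 or not _UID_RE.fullmatch(sop_instance_uid):
        raise UnsafeOutputPath(f"not a well-formed UID: {sop_instance_uid!r}")
    candidate = Path(out_dir).resolve() / f"{sop_instance_uid}.dcm"
    # Cannot trigger once the UID passed validation; kept as an independent guard
    # so a future relaxation of the regex does not silently reopen the hole.
    if escapes(out_dir, candidate):
        raise UnsafeOutputPath(f"{candidate} is outside {out_dir}")
    return candidate


def accepts(out_dir: "str | Path", sop_instance_uid: str) -> bool:
    """Predicate form of safe_output_path: does the hardened check accept this UID?"""
    try:
        safe_output_path(out_dir, sop_instance_uid)
    except UnsafeOutputPath:
        return False
    return True


if __name__ == "__main__":
    out = "/tmp/dicom_out"  # assumed output directory for the demonstration
    for uid in ("1.2.3.4.5", "../../evil", "1.2.3/../../evil"):
        print(f"{uid!r}: naive path escapes out_dir = "
              f"{escapes(out, naive_output_path(out, uid))}, hardened accepts = {accepts(out, uid)}")
```

Note that the hardened form rejects on syntax before touching the filesystem: a value that is not a well-formed UID has no business becoming a filename, whatever the path library would later make of it, and the post-resolution containment check is there only as a second, independent guard.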

One of the vulnerabilities is rated critical, with a CVSS v3.1 base score of 9.8, and the other four are rated high severity, with CVSS v3.1 base scores ranging from 7.5 to 8.2 (CVSS v4.0: 8.7 to 8.8). CISA published a security advisory about the vulnerabilities on June 30, 2026.

The vulnerabilities affect OFFIS DCMTK versions prior to v3.7.0 and are tracked under the following CVEs:

CVE             Severity  CVSS v3.1  CVSS v4.0  Vulnerability
CVE-2026-50003  Critical  9.8        9.3        Improper limitation of a pathname to a restricted directory (path traversal)
CVE-2026-52868  High      8.2        8.8        Improper limitation of a pathname to a restricted directory (path traversal)
CVE-2026-50254  High      7.5        8.7        Missing release of memory after effective lifetime
CVE-2026-35505  High      7.5        8.7        Missing release of memory after effective lifetime
CVE-2026-44628  High      7.5        8.7        Access of resource using incompatible type (type confusion)

According to CISA, the maintainer of the toolkit was informed about the vulnerabilities and has issued a fix; however, Agarwal contacted The HIPAA Journal to warn that the fix has been applied upstream in the master branch rather than in a tagged release, so downstream libraries and operators that build from released versions cannot simply upgrade to pick it up. Users will need a fixed release or a vendor-provided update path.

One of the problems with vulnerabilities in DICOM toolkits is that many end users may be running DICOM software that embeds a component with known, disclosed vulnerabilities and be unaware of it, unless they are provided with a Software Bill of Materials (SBOM) and routinely check every listed component against published advisories. Agarwal suggested that healthcare entities should ask their imaging vendors whether DCMTK is present, what versions are used, whether the CISA advisories apply, and when patched builds will ship.
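The vendor questions above become mechanical once an SBOM is in hand. The following added Python example (not from the article or the DCMTK project) walks a CycloneDX JSON SBOM, including components nested inside an application entry, and reports every DCMTK component that is below the fixed release, at or above it, or of unknown version. The SBOM content is constructed for the example; the fixed version, 3.7.0, is the one the article reports; and component names are matched on the substring "dcmtk" because distribution packages (such as libdcmtk*) and vendored copies rarely use the bare project name.

```python
"""Check a CycloneDX JSON SBOM for DCMTK components below the fixed release.

Added example, not from the article or the DCMTK project. SAMPLE_SBOM is
constructed; FIXED_VERSION is the release the article reports as fixed."""
import json
import re

FIXED_VERSION = "3.7.0"

SAMPLE_SBOM = json.dumps({  # constructed sample, not a real vendor SBOM
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "application", "name": "imaging-viewer", "version": "4.2.1",
         # a vendored dependency recorded as a nested component of the application
         "components": [{"type": "library", "name": "dcmtk", "version": "3.6.8"}]},
        {"type": "library", "name": "libdcmtk17", "version": "3.6.7-9"},   # distro package
        {"type": "library", "name": "dcmtk", "version": "3.7.0"},
        {"type": "library", "name": "dcmtk-plugin", "version": ""},        # version missing
        {"type": "library", "name": "openjpeg", "version": "2.5.0"},
    ],
})


def version_key(version):
    """Leading dotted-numeric part of a version string as an int tuple,
    so '3.6.7-9' -> (3, 6, 7). None if there is no numeric prefix."""
    m = re.match(r"(\d+(?:\.\d+)*)", version or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def _padded(key, width):
    """Right-pad with zeros so '3.7' compares equal to '3.7.0', not below it."""
    return key + (0,) * (width - len(key))


def walk(components):
    """Yield every component, descending into nested 'components' lists."""
    for c in components or []:
        yield c
        yield from walk(c.get("components"))


def dcmtk_findings(sbom_json, fixed=FIXED_VERSION):
    """Return [{name, version, status}] for each DCMTK-like component;
    status is 'affected', 'fixed' or 'unknown' (no parseable version)."""
    fixed_key = version_key(fixed)
    width = len(fixed_key)
    findings = []
    for c in walk(json.loads(sbom_json).get("components")):
        if "dcmtk" not in c.get("name", "").lower():
            continue
        key = version_key(c.get("version"))
        if key is None:
            status = "unknown"
        elif _padded(key, max(width, len(key))) < _padded(fixed_key, max(width, len(key))):
            status = "affected"
        else:
            status = "fixed"
        findings.append({"name": c["name"], "version": c.get("version") or None, "status": status})
    return findings


def needs_follow_up(findings):
    """Names to raise with the vendor: anything not confirmed fixed."""
    return [f["name"] for f in findings if f["status"] != "fixed"]


if __name__ == "__main__":
    for f in dcmtk_findings(SAMPLE_SBOM):
        print(f"{f['name']:<14} {str(f['version']):<10} {f['status']}")
    print("follow up with vendor:", needs_follow_up(dcmtk_findings(SAMPLE_SBOM)))
```

Treating a missing or unparseable version as "unknown" rather than silently skipping it matters: an SBOM entry with no version is exactly the case where the vendor conversation the article recommends has to happen, and a script that only reports confirmed-affected entries hides it.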

The post Security Researcher Identifies Quintet of Bugs in Toolkit Used in DICOM Medical Imaging Software appeared first on The HIPAA Journal.

HIPAA Compliance Made Easy for Small Practices

HIPAA compliance for a small practice means meeting the requirements of the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule through a documented, current program rather than a single training session or a policy binder assembled once and left unchanged. Small practices are held to the same regulatory standard as hospitals and health systems, and the Department of Health and Human Services Office for Civil Rights does not scale its expectations down based on staff count or patient volume. A practice that has never been investigated is not necessarily compliant; it has simply not yet been tested. The path to a program that holds up under scrutiny is more structured than most owners and office managers assume, and it does not require becoming a regulatory expert to get there.

What HIPAA Compliance Requires From a Small Practice

A covered entity under HIPAA must maintain administrative, physical, and technical safeguards for protected health information under the Security Rule, apply use and disclosure standards for that information under the Privacy Rule, and follow defined notification timelines when a breach occurs under the Breach Notification Rule. These three rules work together rather than separately. A practice needs a documented Security Risk Analysis that identifies where electronic protected health information lives and what threatens it, written policies and procedures that reflect how the practice actually operates, workforce training tied to those policies, and a record-keeping system that can produce evidence of all of it on request. Missing any one piece leaves a gap that surfaces during an investigation, a breach response, or a patient complaint.

The Documentation Gap Most Small Practices Overlook

Many practices believe they are compliant because staff completed an annual training or because a policy binder sits in a filing cabinet. Those actions satisfy part of the requirement, not the whole of it. Regulators evaluating a complaint or a breach do not see the daily operation of a practice; they see whatever documentation the practice can produce, and a gap in that documentation is treated as a gap in compliance regardless of what actually happened in the office. Practices that can show a completed Security Risk Analysis, dated policy updates, individual training records, and a log of remediation steps are positioned to demonstrate that an incident was human error rather than neglect. Practices without that paper trail have no way to make that distinction to an investigator.

Why Partial Steps Do Not Satisfy HIPAA Rules

HIPAA does not grant partial credit for partial effort. A risk analysis completed for one year and never revisited does not meet the requirement in the following year, since regulations, technology, and practice operations change and the analysis has to reflect current conditions to remain valid. Training delivered once at hire, without refresher sessions when policies change, leaves staff operating on outdated information. A good-faith compliance program has to be complete across all three rules and kept current, not assembled from whichever pieces were easiest to finish. This standard applies equally to a solo practitioner and a multi-location group practice, and the absence of any single required element can be the finding that drives a penalty.

Building a Program That Stays Current With Changing Regulations

HIPAA compliance is not a project with a completion date; it is a program that has to be maintained as long as the practice operates. Federal rules are updated periodically, state privacy laws layer additional obligations on top of HIPAA in many jurisdictions, and a practice’s own risk profile changes as it adds staff, technology, or locations. Software built specifically to manage HIPAA compliance can generate the required policies, Security Risk Analysis, and training content directly from information about a specific practice, then flag when an update is due as regulations or the practice itself changes. Abyde is one example of software designed this way, producing a program tailored to the practice rather than a generic template the practice has to interpret and apply on its own. A program built this way can typically be assembled in a matter of hours rather than weeks, with ongoing maintenance requiring only a few minutes a month once the initial setup is complete.

Expert Support for Judgment Calls Software Cannot Make

Software can generate documentation and flag deadlines, but some compliance questions require a judgment call that depends on the specific facts of a situation, such as whether an incident meets the threshold for breach notification or how to respond to an unusual patient request. Direct access to compliance experts closes that gap. Abyde includes compliance experts as part of its subscription, reachable by phone or message, so a practice facing a real situation is not left interpreting regulatory language alone. This kind of support matters most to the office manager or compliance officer who runs the program day to day and needs a reliable answer quickly, rather than a research project every time a question comes up.

Bringing a Complete Program Together

A small practice does not need to become fluent in HIPAA regulatory text to meet its obligations under the Privacy Rule, the Security Rule, and the Breach Notification Rule. What it needs is a documented, complete program covering all three rules, kept current as regulations and the practice change, with expert support available for the judgment calls that documentation alone cannot resolve. Abyde has supported customers through more than 200 Office for Civil Rights investigations without a resulting fine, an outcome tied directly to the completeness and currency of the documentation those practices had in place. Practices evaluating their own compliance posture should start by identifying which of the three required pieces, a current risk analysis, complete policies, or documented training, are missing or out of date, since that gap is typically the first thing an investigation uncovers.

The post HIPAA Compliance Made Easy for Small Practices appeared first on The HIPAA Journal.

DOJ’s Using Advanced Data Analytics and AI Tools to Combat Healthcare Fraud Before Payment

The U.S. government has announced record-breaking Medicaid fraud charges as part of its 2026 National Health Care Fraud Takedown, with the enforcement action resulting in charges for 455 defendants, including more than 90 doctors and other licensed medical professionals, in connection with more than $6.5 billion in healthcare fraud and opioid abuse claims.

The enforcement action involved a whole-of-government approach, including the U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG), the HHS Centers for Medicare and Medicaid Services (CMS), and the Drug Enforcement Administration (DEA), with cases in 56 federal districts and 45 U.S. states and territories, and participation from 50 state Medicaid Fraud Control Units, more than ever before. There was also unprecedented international cooperation over the two-week takedown. The DOJ seized more than $182 million in cash, luxury vehicles, jewelry, and other assets.

“We are aggressively scaling our offensive against anyone using health care as a front to steal from the American people,” said Assistant Attorney General Colin M. McDonald of the Justice Department’s National Fraud Enforcement Division. “As today’s cases and arrests show, there is no case too big, no scheme too complex, and no hiding place too remote for our relentless fraud-fighting team. Our message is simple: if you put profit over patients, you should expect to be put in prison.”

Advanced Algorithms and AI Tools Used to Shift from Pay-and-Chase to Pre-Payment Detection

The takedown involved the use of cutting-edge data analytics algorithms and artificial intelligence tools to identify potential fraud before criminals cash out, rather than the reactive pay-and-chase approach of previous years. The use of AI tools for fraud prevention is set to expand significantly moving forward. AI tools were used to identify suspicious activity in many of the fraud schemes, including the first-ever criminal prosecution arising from the Data Fusion Center, which was formed last year.

The Data Fusion Center was established to track, identify, and prevent fraudulent billing and medical scams and combines traditional data analytics with financial analysis and comprises experts from the Health Care Fraud Unit’s Data Analytics Team, HHS-OIG, FBI, and other agencies, supported by data sharing agreements between a wide range of government agencies. “Prosecuting criminals who steal from American patients is necessary—but stopping them before a single dollar leaves the building is smarter,” said CMS Administrator Dr. Mehmet Oz.

The Data Fusion Center helped identify a $67 million fraud scheme involving the billing of Illinois Medicaid for behavioral health services that were never provided. The defendant allegedly billed more than 500 hours a day for counselling and therapy services, which could not have been provided even if all providers on staff had been working 24 hours per day. The data analysis showed that patients were hospitalized at other institutions on days when the defendant billed for behavioral health services. Prosecutors opened the case within 5 days of the completion of the data analysis, and the defendant was arrested within 7 months while attempting to flee the country.
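The two signals the paragraph describes, more hours billed in a day than the staff could physically deliver, and services billed for patients who were inpatients elsewhere on the same date, are simple to express over a claims extract. The following is an added Python example, not the Data Fusion Center's, CMS's or DOJ's code: the claims, admissions and staffing figures are constructed, service dates are ISO strings so that plain string comparison orders them correctly, and the capacity ceiling of 24 hours per staff member per day is the yardstick the article itself uses.

```python
"""Two claims-level anomaly checks over a constructed billing extract.
Added example; not DOJ, CMS or Data Fusion Center code. All data is constructed."""
from collections import defaultdict

# Constructed claims: (provider_id, service_date, patient_id, billed_hours)
CLAIMS = [
    ("P-100", "2026-03-02", "M-1", 40.0),
    ("P-100", "2026-03-02", "M-2", 40.0),
    ("P-100", "2026-03-02", "M-3", 30.0),
    ("P-100", "2026-03-03", "M-1", 8.0),
    ("P-200", "2026-03-02", "M-4", 20.0),
    ("P-200", "2026-03-03", "M-5", 10.0),
]

# Constructed inpatient stays at other facilities: (patient_id, facility, admit, discharge)
ADMISSIONS = [
    ("M-2", "General Hospital", "2026-03-01", "2026-03-05"),
    ("M-4", "County Medical", "2026-03-04", "2026-03-06"),
]

# Constructed head count of clinicians who can bill under each provider
STAFF_COUNT = {"P-100": 4, "P-200": 10}


def impossible_volume(claims, staff_count, hours_per_day=24.0):
    """Provider-days whose total billed hours exceed staff * hours_per_day, the
    physical ceiling even if every clinician worked round the clock.
    A provider with no staffing record gets a ceiling of 0 so it is surfaced."""
    totals = defaultdict(float)
    for provider, day, _patient, hours in claims:
        totals[(provider, day)] += hours
    flagged = []
    for (provider, day), billed in totals.items():
        ceiling = staff_count.get(provider, 0) * hours_per_day
        if billed > ceiling:
            flagged.append((provider, day, billed, ceiling))
    return sorted(flagged)


def billed_while_hospitalized(claims, admissions):
    """Claims whose patient was an inpatient at another facility on the
    service date (admit <= service_date <= discharge, inclusive)."""
    stays = defaultdict(list)
    for patient, facility, admit, discharge in admissions:
        stays[patient].append((facility, admit, discharge))
    hits = []
    for provider, day, patient, _hours in claims:
        for facility, admit, discharge in stays.get(patient, ()):
            if admit <= day <= discharge:
                hits.append((provider, day, patient, facility))
    return hits


if __name__ == "__main__":
    for provider, day, billed, ceiling in impossible_volume(CLAIMS, STAFF_COUNT):
        print(f"{provider} billed {billed:.0f} h on {day}; ceiling {ceiling:.0f} h")
    for provider, day, patient, facility in billed_while_hospitalized(CLAIMS, ADMISSIONS):
        print(f"{provider} billed {patient} on {day} while inpatient at {facility}")
```

Both checks are deliberately conservative: a provider-day only trips the first check when it is physically impossible, and the second requires an overlapping inpatient stay recorded by a different facility, so a hit is a lead for an investigator rather than a conclusion on its own.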

Actions by CMS resulted in the suspension of 1,079 providers and the revocation of billing privileges for 1,403 providers. More than $73 million was obtained in 48 Civil Monetary Penalty settlements, accompanied by more than 1,400 exclusions, while 25 actions by HHS-OIG seek more than $10 billion in recoveries for the Medicare Trust Fund, including fraudulent claims identified by CMS and blocked before the funds were paid out. CMS has announced that under a new arrangement, it will provide cloud computing space within its integrated data repository to support the DOJ fraud division’s data analysis algorithms and AI tools to combat health care fraud. Civil charges have been filed against 13 defendants for $14.8 million in health care fraud schemes, along with $23 million in civil settlements with 31 defendants. There have also been 928 administrative cases by the DEA seeking the revocation of authority to handle and prescribe controlled substances since October 1, 2025.

Fraud Costs Taxpayers and Causes Significant Patient Harm

Healthcare fraud costs U.S. taxpayers, exploits vulnerable patients and puts lives at risk, causing considerable patient harm, including death. In one case, the medical director of a cardiovascular testing and treatment practice in Florida was charged in connection with an $89 million fraud scheme to bill for medically unnecessary cardiovascular tests on student athletes. The director falsified diagnoses to defraud health care benefit programs for the testing and is alleged to have rubber-stamped test results as normal without checking them, in some cases stamping test results as normal within seconds.

Student athletes with cardiac abnormalities were not made aware that they were at high risk of sudden cardiac arrest. In one case, a patient’s test results showed an enlarged heart, but the results were signed off as normal. The patient died from complications from his enlarged heart within 24 hours of the test results being signed off as normal.

The DOJ highlighted fraud cases involving wound care, especially allografts, and hospice providers in its announcement, where fraud cases have increased significantly, and these are likely to remain key enforcement areas moving forward. Medicare billing for wound care more than doubled from $3.4 billion in 2023 to $7.5 billion in 2024 and almost doubled again in 2025 to $14.4 billion. The increase in payments was not due to medical necessity; rather, it was driven by illegal kickback and healthcare fraud schemes. Charges were filed in 6 districts for fraudulent claims for amniotic wound allografts against 11 defendants, including a company executive and 8 medical professionals.

In one scheme, a company that did not manufacture allografts obtained them from another firm, added a 2,000% mark-up, paid 40% of that in illegal kickbacks to marketers, and targeted hospice patients, providing medically unnecessary allografts far exceeding the size of the wound. The grafts were often provided without coordinating with the individual’s treating physician, without proper treatment for infection, and for superficial wounds that did not require the treatment. The defendant was paid more than $24 million by the company, with the marketers and medical professionals involved often paid between $500 and $600 per square centimeter of graft.

“Today’s historic enforcement action sends a clear message: if you use our health care system to enrich yourself at the expense of patients or the American people, we will find you, we will prosecute you, and we will hold you accountable,” said HHS Secretary Robert F. Kennedy, Jr. “HHS will continue working with our law enforcement partners to protect patients, safeguard taxpayer dollars, and restore integrity to our health care system.”

The post DOJ’s Using Advanced Data Analytics and AI Tools to Combat Healthcare Fraud Before Payment appeared first on The HIPAA Journal.

Allina Health System to Pay $12.5 Million to Settle Pixel Litigation

Allina Health System, a nonprofit health system based in Minneapolis, Minnesota, that serves patients in Minnesota and Western Wisconsin, has agreed to pay $12,500,000 to resolve litigation over its use of website tracking technologies such as pixels. Those tools were alleged to have resulted in the disclosure of personally identifiable information (PII) and protected health information (PHI) to third parties such as Facebook (Meta) and Google, in violation of federal and state laws.

Those tools are extensively used on websites for marketing and advertising purposes. The tools collect information about website usage, and that information can be used to improve web services. It can also be used to serve targeted advertisements to individuals, based on their interactions on a website. Depending on how they are configured, these tools can collect individually identifiable health information when installed on healthcare providers’ websites, and if they are used on authenticated pages such as a patient portal, that information may include HIPAA-protected data.

The first lawsuit over the use of these tracking tools was filed by Plaintiff Jacqueline Ahlers on September 16, 2024, in the U.S. District Court for the District of Minnesota. An amended complaint was filed on February 12, 2025, adding a further two plaintiffs who had filed similar complaints. The consolidated lawsuit – Ahlers, et al. v. Allina Health System – asserted claims for invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of confidence, negligence, and violations of the Electronic Communication Privacy Act, Minnesota Health Records Act, and Minnesota Unfair and Deceptive Trade Practices Act.

Allina Health System denies wrongdoing and liability; however, after considering the cost, distraction, burden, and risks associated with continuing with the litigation, Allina Health System agreed to a settlement.  Under the terms of the settlement, Allina Health System has agreed to pay $12,500,000 to resolve the complaint. From that amount, attorneys’ fees and expenses will be deducted, along with settlement administration and notification costs, and service awards for the class representatives.

The $12,500,000 will be split into two settlement funds: A Group 1 settlement fund of $10,303,098 and a Group 2 settlement fund of $2,196,902. The attorneys’ fees/expenses, settlement administration/notification costs, and service awards will be deducted from those settlement funds with an 82.42% (Group 1) and 17.58% (Group 2) split. The remaining funds will be paid pro rata to individuals submitting a claim.

The Group 1 settlement class consists of individuals who were patient portal users, non-portal bill pay users, and non-portal scheduling users between September 16, 2018, and May 11, 2026. The Group 2 settlement class consists of individuals who were non-portal, non-bill pay, and non-scheduling patients between September 16, 2018, and May 11, 2026.

The deadline for opting out of the settlement and objection to the settlement is August 10, 2026. Claims must be submitted by September 8, 2026, and the final approval hearing has been scheduled for September 24, 2026.

The post Allina Health System to Pay $12.5 Million to Settle Pixel Litigation appeared first on The HIPAA Journal.

Data Breaches Reported by Amicus Solutions: Huntsville Hospital Health System

Amicus Solutions (Fedora Solutions) has been affected by a cybersecurity incident, and Huntsville Hospital has confirmed it was affected by a January 2025 breach at Cerner (Oracle Health).

Amicus Solutions

Amicus Solutions, Inc., doing business as Fedora Solutions, a provider of managed IT and revenue cycle management services, has experienced a cybersecurity incident involving the protected health information of 1,137 individuals. According to the breach notification to the Massachusetts Office of Consumer Affairs and Business Regulation, the breach affected patients of medical practices managed by OneOncology, LLC, including New York Cancer and Blood Specialists.

Suspicious activity was identified within the Amicus Solutions network on April 2, 2026, with the unauthorized access believed to have occurred between February 2, 2026, and February 18, 2026. During that time, a threat actor exfiltrated data from its systems, and some of that data was posted to the threat actor’s website, including personally identifiable information and protected health information.

The data review confirmed that the threat actor obtained patient data such as first and last names, phone numbers, email addresses, birth dates, gender information, Social Security numbers, medical information, and health insurance information. Amicus Solutions confirmed that there was no unauthorized access to its clients’ networks. No misuse of that data had been identified at the time of issuing notifications. Amicus Solutions said additional safeguards have been implemented to harden security, and 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

Huntsville Hospital

Huntsville Hospital Health System in Alabama has recently announced that it has been affected by the January 2025 data breach at electronic health record vendor Cerner, now Oracle Health. The data breach affected approximately 90 healthcare providers, and many of those providers announced the data breach last year. Hackers gained access to two legacy Cerner servers as early as January 22, 2025, and Huntsville Hospital was informed that it was affected on August 12, 2025. The hospital said law enforcement requested delaying notifying the affected individuals and additional providers so as not to impede the investigation.

According to the hospital, the breach was confined to Cerner systems, which contained names, Social Security numbers, and details from medical records, including medical record numbers, doctors’ names, diagnoses, medications, test results, images, and treatment information. The affected individuals have been offered complimentary credit monitoring services for 24 months. It is currently unclear how many Huntsville Hospital patients have been affected.

The post Data Breaches Reported by Amicus Solutions: Huntsville Hospital Health System appeared first on The HIPAA Journal.