CORRECTING and REPLACING PCI Pal Raises the Bar for Payment Security With SOC2 Type II with HIPAA/HITECH Attestation – Enidnews.com
HIPAA Certification for Business Associates
HIPAA certification for Business Associates is documented evidence that employees have completed training on HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, Business Associate Agreement restrictions, permitted uses and disclosures of protected health information, incident reporting, and practical safeguards that apply when a vendor, contractor, consultant, or service provider handles protected health information for a covered entity.
Meaning of HIPAA Certification for Business Associates
HIPAA certification for HIPAA Business Associates usually refers to a certificate of completion issued after workforce members complete HIPAA training and pass the required course assessments. For HIPAA Business Associates, certification has a narrower compliance function. It shows that employees received training on HIPAA obligations relevant to their work. It also creates documentation that can be retained with training records, workforce onboarding files, compliance reports, and audit materials.
HIPAA Business Associates should treat certification as evidence of workforce training, not as proof that every HIPAA compliance requirement has been satisfied. A certificate does not replace written policies, risk analysis, risk management, access controls, Business Associate Agreements, breach response procedures, sanctions policies, or ongoing security management.
HIPAA Business Associate Training Obligations
Business Associates are directly regulated under HIPAA when they create, receive, maintain, or transmit protected health information for a covered entity or another Business Associate. Their employees need training because day-to-day workforce decisions affect whether protected health information is handled in compliance with HIPAA and the applicable Business Associate Agreement.
Training should explain how HIPAA applies to the employee’s assigned role. A billing employee, software support analyst, courier, IT technician, claims processor, data analyst, transcription worker, and customer support representative do not all face the same operational risks. The training standard is not satisfied by generic privacy awareness if employees still do not understand what they are allowed to do with protected health information in their actual work.
HIPAA Business Associate employees need to understand when protected health information can be used, when it can be disclosed, who can receive it, how much information is allowed under the HIPAA Minimum Necessary Rule, and what to do when an error or suspected breach occurs.
HIPAA Business Associate Agreements and Workforce Training
A HIPAA Business Associate Agreement controls how a HIPAA Business Associate is permitted to use and disclose protected health information. Employees need to understand that the agreement is not only a contract handled by management or legal staff. Its restrictions affect routine work.
If a HIPAA Business Associate Agreement limits protected health information use to billing support, claims administration, software maintenance, storage, consulting, analytics, or another defined service, employees must stay within that permitted scope. Accessing protected health information for curiosity, convenience, training examples, product development, or unrelated internal purposes can create a HIPAA violation.
Training should also address downstream relationships. When a subcontractor creates, receives, maintains, or transmits protected health information for a Business Associate, the subcontractor relationship must be managed under HIPAA. Employees involved in vendor onboarding, data transfer, platform access, or service delivery need to understand when subcontractor controls and written agreements are required.
HIPAA Privacy Rule Training for Business Associate Employees
HIPAA Privacy Rule training for Business Associate employees should explain the limits on uses and disclosures of protected health information. Employees need to understand that protected health information includes more than clinical records. It can include billing data, appointment data, insurance information, claim details, patient identifiers, demographic data, call recordings, images, emails, files, logs, and information stored in business systems.
Training should explain the difference between permitted use and unrestricted use. A Business Associate employee can handle protected health information only for purposes allowed by HIPAA, the Business Associate Agreement, and the organization’s policies. The presence of system access does not mean the employee has permission to view, copy, disclose, export, or reuse the information.
HIPAA Privacy Rule training should also explain patient rights. Business Associate employees do not always respond directly to patient requests, but they can affect whether covered entities meet access, amendment, accounting, authorization, and disclosure obligations. Employees who support records systems, patient portals, release of information workflows, or customer service functions need to understand when a request should be routed to a privacy officer or designated client contact.
HIPAA Security Rule Training for Business Associate Employees
HIPAA Security Rule training for Business Associate employees should address the safeguards used to protect electronic protected health information. Employees need practical instruction on access credentials, device use, email security, file transfers, remote work, phishing, social engineering, malware, unauthorized downloads, system permissions, and security incident reporting.
A Business Associate can have strong technical controls and still experience a HIPAA incident because an employee clicked a malicious link, sent protected health information to the wrong recipient, stored files in an unapproved location, reused a password, ignored a security alert, or delayed reporting an error. Training should connect security requirements to the conduct employees control during routine work.
Training should also explain that workforce members share responsibility for protecting electronic protected health information. They do not need to become security specialists, but they do need to recognize unsafe practices and report issues before they expand into larger incidents.
HIPAA Breach Notification Rule Training for Business Associate Employees
HIPAA Breach Notification Rule training should explain how employees identify and report potential breaches. Business Associate employees should know that a breach can involve misdirected emails, lost devices, unauthorized account access, improper downloads, ransomware, improper disposal, system misconfigurations, or disclosure to an unauthorized person.
Employees should not decide alone that an incident is harmless. The organization needs enough information to assess the event, notify the covered entity when required, preserve evidence, contain exposure, and meet contractual and regulatory deadlines. Training should tell employees where to report suspected incidents, what details to include, and why prompt reporting matters.
Practical incident reporting content is a necessary part of Business Associate training because delay can affect breach analysis, client notification, investigation quality, and remediation.
Contents of a HIPAA Certification Course
A suitable HIPAA certification course for Business Associate employees should cover the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, Business Associate Agreement obligations, uses and disclosures of protected health information, the HIPAA Minimum Necessary Rule, patient rights, incident reporting, workforce responsibilities, and consequences of non-compliance.
The course should include Business Associate-specific modules rather than only general healthcare employee content. Business Associate employees need training on chain of custody for protected health information, client restrictions, subcontractor issues, permitted service functions, security incident reporting, and the limits placed on staff by Business Associate Agreements.
Course content should use practical workplace examples. Employees need to understand how the rules apply when sending files, supporting a healthcare client, viewing a record, responding to a service ticket, using messaging tools, working remotely, escalating an incident, or deciding whether information can be disclosed.
State Privacy Modules and Specialized Content
Business Associates that support clients in Texas, California, or other states with medical privacy requirements need to account for state law overlays where relevant. State medical privacy training can address requirements that sit alongside HIPAA and affect workforce handling of health information.
California medical privacy training can cover laws such as the Confidentiality of Medical Information Act, patient access requirements, consumer privacy obligations affecting health-related data, and newer patient access protections. Texas medical privacy training can cover state medical records privacy requirements, identity theft protections, data privacy obligations, and state requirements addressing artificial intelligence and electronic health records.
Specialized modules can also address generative AI, social media, emergency situations, and terminology. These subjects create operational risk because employees encounter tools and communication channels that were not always addressed in older HIPAA training materials.
AI training should explain why employees must not place protected health information into unapproved tools. Social media training should explain why patient information, images, workplace incidents, and indirect identifiers can create HIPAA exposure even when names are omitted.
Choosing HIPAA Certification for Business Associates
Business Associates should choose HIPAA certification training that addresses workforce responsibilities under HIPAA and under Business Associate Agreements. The course should cover the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, HIPAA Minimum Necessary Rule, incident reporting, patient rights, permitted uses and disclosures, Business Associate-specific obligations, and practical safeguards for electronic protected health information.
The training should produce verifiable completion records and certificates. It should allow managers to assign training, monitor completion, review progress, and document compliance. It should also support new hire onboarding and periodic refresher training.
For Business Associates, the strongest training record is not just a certificate. It is a documented link between the employee’s role, the protected health information the employee handles, the policies the employee must follow, and the organization’s ability to prove that training occurred.
| Feature | The HIPAA Journal Training | Typical Competitor Courses |
|---|---|---|
| Purpose-built for Business Associates | Designed specifically for employees of Business Associates who handle PHI for healthcare clients. | Often adapted from general HIPAA courses rather than built around Business Associate responsibilities. |
| Business Associate-specific modules | Includes dedicated lessons on Business Associate obligations, BAAs, PHI chain of custody, permitted uses and disclosures, and staff responsibilities. | May only briefly mention Business Associates without covering day-to-day employee obligations in detail. |
| Accredited certificate course | Provides an accredited certificate course with 5.0 CEUs. | Some providers offer only a basic completion certificate with no CEUs. |
| New hire and refresher training | Suitable for HIPAA-mandated new hire onboarding and annual refresher training for Business Associate employees. | May not clearly support both onboarding and ongoing workforce training needs. |
| Real-world training approach | Uses relatable workplace examples to help employees understand what to do when HIPAA rules apply in real situations. | Some courses focus heavily on regulatory definitions without practical application. |
| Root-cause risk reduction | Focuses on the staff mistakes and decision points that commonly lead to HIPAA violations and breaches. | May focus on rule awareness rather than helping employees reduce everyday compliance risk. |
| Current and maintained content | Maintained to reflect HIPAA guidance, enforcement trends, proposed updates, and evolving healthcare risks. | Update schedules may be unclear or not guaranteed. |
| Generative AI coverage | Includes modules explaining HIPAA risks associated with AI tools and best practices for compliant use. | Many courses do not address how AI tools can create HIPAA compliance risks. |
| Social media and messaging risks | Explains HIPAA risks involving social media, online sharing, messaging platforms, and workplace communications. | Coverage of social media and communication risks may be limited or absent. |
| Incident reporting guidance | Gives practical advice on reporting HIPAA incidents, mistakes, security concerns, and suspected breaches. | May not clearly explain what employees should do after an error or suspected incident. |
| Business Associate Agreement awareness | Explains how Business Associate Agreements limit how staff may use and disclose PHI. | May not connect BAAs to everyday employee behavior and decision-making. |
| Security Rule safeguards | Covers practical safeguards for protecting ePHI, including device, credential, email, and security incident awareness. | May provide only high-level security awareness without HIPAA-specific context. |
| Patient rights coverage | Includes patient rights and HIPAA authorization guidance so employees understand the broader privacy framework. | Some courses focus only on employee obligations and give limited attention to patient rights. |
| Emergency situations | Includes optional guidance on how HIPAA applies during emergencies and when information may be shared. | Emergency-specific HIPAA guidance is often not included. |
| State medical privacy modules | Optional Texas and California medical privacy modules can be added at no extra charge when relevant. | State-specific medical privacy coverage may be unavailable or sold separately. |
| Lesson-by-lesson testing | Short randomized tests after lessons help confirm understanding and reduce the chance of passing by guesswork. | Some courses rely on predictable or basic end-of-course quizzes. |
| Learner mastery | Learners can review and retake tests until they understand the material. | Some courses provide limited reinforcement after incorrect answers. |
| Self-paced access | Self-paced lessons allow employees to pause, resume, and complete training around work schedules. | Training flexibility may vary by provider. |
| Admin dashboard | Admin dashboards show learner progress, assigned modules, completion status, and training activity. | Dashboards may be limited, unavailable, or restricted to higher-priced plans. |
| Audit-ready reporting | Certificates, completion records, reports, exportable data, and scheduled reporting help support audit readiness. | Some providers offer only basic certificates with limited reporting support. |
| Scalable workforce training | Supports single learners, small teams, and larger Business Associate workforces with group training and seat management. | Some courses are better suited to individual learners than organization-wide training. |
| Enterprise options | Enterprise customers can customize lessons, content, delivery options, and host SCORM files on their own LMS. | Customization and LMS hosting options may be limited or unavailable. |
| Transparent pricing | Uses clear per-seat pricing with no automatic subscription and no separate certificate fee. | Some providers charge extra for certificates, add-ons, or recurring subscriptions. |
The post HIPAA Certification for Business Associates appeared first on The HIPAA Journal.
Home Healthcare Agency Owner Facing Decades in Jail for $1.6M Medicare Fraud Scheme
The owner and operator of a Michigan home health care company has been convicted of five counts of healthcare fraud and four counts of paying illegal healthcare kickbacks and now faces decades in jail. Ruby Scott, 55, of Farmington Hills, Michigan, the owner and operator of Delta Home Health Care LLC, was alleged to have operated a fraud scheme that caused more than $1.6 million in losses to the Medicare program. From 2018 to 2021, Scott was alleged to have fraudulently billed Medicare for home health services using stolen patient records.
Scott bribed a discharge nurse at a Detroit hospital to identify Medicare patients and fax their medical records to Delta Home Health Care. Scott developed a kickback relationship with the nurse, paying approximately $300 for each set of patient records that were successfully used to bill Medicare. The discharge nurse was paid more than $130,000 via PayPal, CashApp, cash, and check for providing the records.
Scott used confidential diagnostic and personal information to bill Medicare for home healthcare services for the patients, falsely representing that a doctor had certified that the patients satisfied the Medicare requirements for home health care services. The patients were unaware that their personal and health information was being used to submit false claims, and the doctors had never met any of the patients and did not know that their information was being used on the fraudulent claims. Medicare paid approximately $1.2 million to Delta, causing approximately $1.6 million in losses to the Medicare program.
Scott was charged with multiple counts of fraud and operating an illegal kickback scheme and was recently convicted by a federal jury in the Eastern District of Michigan. The jury found Scott guilty of five counts of health care fraud, conspiracy to defraud the United States and to pay illegal health care kickbacks, and four counts of paying illegal health care kickbacks. The healthcare fraud and kickback counts each carry a maximum sentence of 10 years in prison, and Scott faces a maximum of 5 years in jail for the conspiracy count. Scott is due to be sentenced on September 24, 2026.
“The [Department of Justice] Fraud Division is laser-focused on investigating and prosecuting those who commit fraud against the American people,” explained the Department of Justice in a press release announcing the guilty verdict. “The Department’s work to combat fraud supports President Trump’s Task Force to Eliminate Fraud, a whole-of-government effort chaired by Vice President J.D. Vance to eliminate fraud, waste, and abuse within Federal benefit programs.”
Datavant Group to Pay $900,000 to Settle Class Action Data Breach Lawsuit – The HIPAA Journal
A settlement has been agreed to resolve a class action lawsuit against Ciox Health, which does business as Datavant Group, an Arizona-based health IT company, over a May 2024 email-related data breach.
Suspicious activity was identified within an employee’s email account on May 9, 2024. The forensic investigation confirmed that an unauthorized individual had access to the account between May 8 and May 9, 2024. Access to the account was gained after an employee responded to a phishing email. The breach was reported to the HHS’ Office for Civil Rights as affecting 320,702 individuals. Data potentially compromised in the incident included names, dates of birth, addresses, contact information, Social Security numbers, financial account information, driver’s license numbers, passport numbers, and health information.
A lawsuit was filed in response to the data breach – Jackson v. Ciox Health, LLC d/b/a Datavant Group – in the United States District Court for the District of Arizona. The lawsuit alleged that the defendant failed to implement sufficient security measures to protect patients’ sensitive information. The lawsuit alleged that the failure amounted to negligence and that the defendant had violated the Illinois Consumer Fraud and Deceptive Business Practices Act.
As is common in class action data breach lawsuits, the parties explored the possibility of an early resolution to the lawsuit to avoid the costs and risks associated with continuing with the litigation. An appropriate settlement was agreed upon by all parties, and the settlement has received preliminary approval from the court. Datavant Group has agreed to pay $900,000 to resolve the lawsuit. The settlement fund will be used to pay attorneys’ fees and expenses, service awards for the class representatives, settlement administration and notification costs, and benefits for the class members. While the OCR breach portal states that more than 320,000 individuals were affected, the class consists of 58,309 individuals.
Class members may submit a claim for up to $5,000 as reimbursement for documented, unreimbursed losses incurred as a result of the data breach. Alternatively, a claim may be submitted for a one-time pro rata cash payment. The amount of each cash payment will depend on the number of valid claims received. In addition to one of those benefits, class members may also enroll in one year of expanded identity theft protection and fraud monitoring services. The deadline for objection and exclusion is July 20, 2026. Claims must be submitted by August 18, 2026, and the final fairness hearing has been scheduled for September 4, 2026.
May 2026 Data Breach Round Up: Data Breaches Affect 9 HIPAA-regulated Entities – The HIPAA Journal
A round-up of data breaches recently announced by 9 HIPAA-regulated entities: University of Nebraska Medical Center, Singing River Health System, Tampa Bay Dental Implants & Prosthetics, Aligned Orthopedic Partners, South Alabama Regional Planning Commission, Pivot Health, LHC Group, Mays Housecall Home Health, and the World Trade Center Health Program.
University of Nebraska Medical Center
University of Nebraska Medical Center (UNMC) has discovered that a vulnerability in a third-party software application has been exploited by a threat actor, exposing patient information. UNMC learned about the vulnerability in the REDCap software application in February 2026. REDCap software is used by UNMC to support its research studies and public health activities. When UNMC learned about the vulnerability, the software was taken offline, and an investigation was launched to determine if the vulnerability had already been exploited. Assisted by third-party cybersecurity experts, UNMC determined that the vulnerability had been exploited on September 20, 2023, and access remained possible until February 3, 2026.
The data review confirmed that the system contained a range of sensitive data, which varied from individual to individual depending on the nature of the research study/public health activities. That information may have included names, dates of birth, addresses, phone numbers, email addresses, medical record numbers, and information created or collected in connection with a research study. Such information may have included visit dates, diagnoses, medications, laboratory results, imaging or procedure information, questionnaire responses, or other health-related information. A subset of individuals also had their Social Security numbers exposed. In total, 26,937 individuals had data exposed. Individuals whose Social Security numbers were impacted have been offered complimentary credit monitoring services.
Singing River Health System
Singing River Health System, a non-profit health system with three hospitals and more than 50 clinics serving the Mississippi Gulf Coast, has started notifying patients about a hacking incident identified on or around December 21, 2025. The forensic investigation confirmed unauthorized access to its computer network between December 19, 2025, and December 21, 2025, and on February 10, 2026, it was confirmed that files containing patient information were viewed and potentially copied.
Data exposed varied from individual to individual and may have included names in combination with one or more of the following: contact information, Social Security numbers, driver’s license numbers, dates of birth, bank account information, health insurance information, provider names, internal patient identification numbers, dates of service, medication information, and treatment and/or diagnostic information.
Singing River Health System said, “We will continue to implement and evaluate enhanced safeguards and security measures to further protect our systems and continue to provide security training to our employees.” The affected individuals have been advised to monitor their accounts and explanation of benefits statements for data misuse. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.
Tampa Bay Dental Implants & Prosthetics
Tampa Bay Dental Implants & Prosthetics, which also does business as Tampa Bay Dental Implants, Periodontics & Oral Surgery, a dental care provider serving the St. Petersburg and Tampa Bay area in Florida, has recently disclosed a data breach affecting 6,400 individuals. Tampa Bay Dental discovered unauthorized access to its network on January 19, 2026, when ransomware was used to encrypt files. The attack affected a legacy server that contained a backup of electronic medical records.
The file review confirmed that patient data was exposed, including names, contact information, birth dates, treatment notes, and clinical histories, and for a limited number of individuals, Social Security numbers. Tampa Bay Dental has implemented additional security measures to prevent similar incidents in the future, including enhancing its security logging, strengthening server encryption, and updating access controls. Credit monitoring and identity theft protection services do not appear to have been offered to the affected individuals.
World Trade Center Health Program
The World Trade Center (WTC) Health Program, which provides no-cost healthcare services to individuals harmed by the 9/11 attack on the World Trade Center, has reported a data security incident to the HHS’ Office for Civil Rights affecting 1,071 individuals. Highly sensitive data was compromised in the incident, which occurred at a vendor, Managed Care Advisors/Sedgwick Government Solutions.
Hackers accessed a server containing files associated with the WTC Health Program and exfiltrated sensitive data before encrypting files. The TridentLocker ransomware group claimed responsibility for the attack. The attack was detected by Managed Care Advisors/Sedgwick Government Solutions on December 4, 2025, and the forensic investigation confirmed that the server was first breached on November 16, 2025. Data compromised in the incident includes names, addresses, Social Security numbers, dates of birth, and protected health information. TridentLocker proceeded to leak the stolen data on its dark web data site when the ransom was not paid. The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.
Aligned Orthopedic Partners
Bethesda, Maryland-based ASC Ortho Management Company, LLC, doing business as Aligned Orthopedic Partners, has discovered unauthorized access to its email environment and the exposure of the protected health information of 7,213 individuals. The forensic investigation determined that unauthorized access occurred between November 16, 2025, and December 16, 2025, during which time emails and files may have been accessed or acquired.
The file review determined on February 17, 2026, that the exposed data included names in combination with one or more of the following: date of birth, Social Security number, driver’s license or state identification number, Medicaid or Medicare number, financial account number, date(s) of service, medical provider name, mental or physical condition, medical treatment information, diagnosis or clinical information, prescription information, health insurance information, patient account number, and/or medical record number. The affected individuals were notified on April 17, 2026, and complimentary identity protection services have been made available. Aligned Orthopedic Partners said steps have been taken to augment security to prevent similar incidents in the future.
Pivot Health
Pivot Health, a health insurance company specializing in short-term and supplemental health insurance products, has identified unauthorized access to its Amazon Web Services cloud environment. The unauthorized access was detected and blocked on March 13, 2026. The investigation confirmed that its AWS environment was accessed by an unauthorized third party at various points over a two-week period between February 26, 2026, and March 13, 2026. During that time, files containing member data were viewed or copied.
The digital forensic investigation confirmed that the exposed data included names, birth dates, member identification numbers, person identification, certificate identification, coverage identification, insurance billing and payment information, and, for certain individuals, financial account information. Data security policies and procedures are being reviewed, and additional cybersecurity protections have been implemented. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected, although the Texas Attorney General was informed that 1,172 Texas residents had their data exposed in the incident.
LHC Group / Mays Housecall Home Health
Two more healthcare providers have notified patients that some of their protected health information was compromised in a security incident at the vendor Doctor Alliance: the home healthcare provider LHC Group in Louisiana, and Mays Housecall Home Health, an Oklahoma-based provider of community and home health care services throughout Oklahoma, Kansas, and Texas.
The data breach did not involve unauthorized access to the home healthcare providers’ systems, as the incident was confined to the web-based portal used in connection with the services provided by their technology vendor. Doctor Alliance provides a platform that physicians and healthcare providers use to exchange and sign documentation related to patient care. The Doctor Alliance web portal was accessed by an unauthorized third party between October 31, 2026, and November 17, 2026. Doctor Alliance discovered the unauthorized access on November 12, 2025.
LHC Group said 8,644 individuals were affected and had the following types of information exposed: names, dates of birth, demographic information, health information, including clinical summaries and diagnosis codes, provider information, and health insurance information. Mays Housecall Home Health said 5,208 individuals were affected. Data compromised in the incident included names, demographic information, dates of birth, clinical information, diagnosis information, physician information, insurance-related information, and other information related to patient care documentation.
No data misuse has been detected. Both home healthcare providers are conducting additional oversight and review procedures related to third-party providers, and Doctor Alliance has implemented additional security safeguards and monitoring capabilities.
The South Alabama Regional Planning Commission
The South Alabama Regional Planning Commission has reported a data breach to the HHS’ Office for Civil Rights involving unauthorized access to the protected health information of 3,043 individuals. The substitute data breach notice does not state when the unauthorized access was detected, nor when its systems were accessed by unauthorized individuals, only that the investigation determined on August 6, 2025, that certain files were copied from its systems.
The files were reviewed and found to contain client names, Medicaid numbers, Social Security numbers, and medical information related to eligible services. The Alabama Department of Senior Services was notified about the breach on January 28, 2026, and the HHS’ Office for Civil Rights was notified on March 18, 2026. Notification letters have now been mailed to the affected individuals, and complimentary credit monitoring services have been offered.