How Often is HIPAA Training Required? Updated for 2026 – The HIPAA Journal
How Often is HIPAA Training Required? Updated for 2026 The HIPAA Journal
How Often is HIPAA Training Required? Updated for 2026 – The HIPAA Journal
How Often is HIPAA Training Required? Updated for 2026 The HIPAA Journal
New Cybersecurity Rules for Healthcare? Understanding HHS’s HIPPA Proposal – The Fulcrum
Top 10 HIPAA Compliance Software Solutions – Security Boulevard
Top 10 HIPAA Compliance Software Solutions Security Boulevard
OpenAI Enters the Exam Room: Launch of HIPAA-Compliant GPT-5.2 Set to Transform Clinical Decision Support – FinancialContent
Is Saying Someone Died a HIPAA Violation?
In answer to the question is saying someone died a HIPAA violation, it depends on who is making the statement, who the statement is made to, and what other information is disclosed with the statement. Saying someone died can be a HIPAA violation, but – as this blog discusses – in most cases it is not.
Among other purposes, the HIPAA Privacy Rule protects the privacy of individually identifiable health information relating to the past, present, or future health condition of an individual. Organizations subject to the HIPAA Privacy Rule – and their workforces – must comply with this requirement with respect to a deceased individual “for a period of 50 years following the death of the individual”.
However, not all organizations are subject to the HIPAA Privacy Rule. If, for example, an employee of a private nursing home which does not qualify as a HIPAA “covered entity” revealed somebody had died, it is not a HIPAA violation because the nursing home is not required to protect the privacy of individually identifiable health information (Note: although this might not be a violation of HIPAA, disclosing private information of this nature may violate state privacy laws in some circumstances).
Even when an organization is subject to the HIPAA Privacy Rule, it is not automatically the case that saying someone died is a HIPAA violation. “Covered entities” are permitted to disclose individually identifiable health information to specific people, subject to the disclosure being limited to the minimum necessary to achieve the purpose of the disclosure, and subject to any prior expressed wish of the deceased relating to what information can be disclosed. Healthcare providers should receive HIPAA training on permitted disclosures of this nature.
Who Can Be Told Someone Has Died Under HIPAA?
The HIPAA Privacy Rule stipulates who can be told when someone has died in sections §164.510(b) and §164.512(g). The first section allows covered entities to disclose information about deceased individuals to family members, other relatives, close personal friends, or any other individual identified by the deceased individual while they were alive. All disclosures to people in this group are subject to the verification requirements of §164.514(h).
Persons or entities that were involved in the deceased person´s care or payment for health care can also be told the patient has died under §164.510(b), while §164.512(g) permits covered entities to disclose individually identifiable health information to a coroner or medical examiner to identify the deceased person, determine the cause of death, or other duty as authorized by law. Under this section, covered entities can also tell funeral directors somebody has died.
In all permitted circumstances, the information disclosed must be the minimum necessary to achieve the purpose of the disclosure, and must respect any wishes known by the covered entity prior to the patient’s death. If a patient died (say) due to injuries sustained in a road accident, but also suffered from a lung condition, covered entities are not permitted to disclose the lung condition or any other related treatment or payment for the treatment.
When is Saying Someone Died a HIPAA Violation?
There are not many circumstances when saying someone died is a HIPAA violation and usually violations of this nature only occur when a member of a covered entity’s workforce:
- Discloses information to somebody not permitted by the HIPAA Privacy Rule,
- Discloses more than the minimum necessary information about the deceased, or
- Discloses information it is known the deceased did not want disclosed.
However, it is important to note the HIPAA Privacy Rule generally applies to a deceased person’s health information in the same way as a living person’s health information. In the same way as an individual’s “personal representative” can authorize disclosures of health information not permitted by the HIPAA Privacy Rule on the individual’s behalf when they are alive, a personal representative can do the same when the individual is deceased.
In most states, a deceased individual’s “personal representative” is the next of kin. If the next of kin authorizes a disclosure to somebody not permitted by the HIPAA Privacy Rule, a disclosure of more than the minimum necessary information, or a disclosure of information the deceased did not want disclosed, these events are no longer HIPAA compliance violations. If you are still uncertain about when is saying someone died a HIPAA violation, you should seek professional compliance advice.
The post Is Saying Someone Died a HIPAA Violation? appeared first on The HIPAA Journal.
Monroe University: 320,000 Individuals Affected by December 2024 Cyberattack – The HIPAA Journal
Monroe University: 320,000 Individuals Affected by December 2024 Cyberattack
Monroe University, a for-profit university with campuses in the Bronx and La Rochelle in New York, and Saint Lucia in the Caribbean, has recently confirmed that a cyberattack has resulted in unauthorized access to the personal and health information of approximately 320,973 individuals.
The cyberattack was detected more than a year ago on December 23, 2024. When the intrusion was detected, immediate action was taken to secure its systems to prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the unauthorized activity. The investigation confirmed that an unauthorized third party had access to its network from December 9, 2024, to December 23, 2024, and exfiltrated files containing sensitive data.
It has taken nine months to review the affected files to determine the individuals affected and the types of data involved. On September 30, 2025, Monroe University confirmed that the data compromised in the incident included names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, government identification numbers, medical information, health insurance information, electronic account or email usernames and passwords, financial account information, and/or student data.
The university started issuing notification letters to the affected individuals on January 2, 2026, and had advised all individuals to remain vigilant against potential fraud and identity theft by monitoring their credit reports, accounts, and explanation of benefits statements for suspicious activity. At the time of issuing notification letters, the university had not identified any misuse of the stolen data. Based on the notification letter seen by The HIPAA Journal, credit monitoring services do not appear to have been offered.
Universities, like healthcare organizations, are an attractive target for hackers, who can gain access to vast amounts of sensitive data, which in this case included student data and health information. Other universities that have recently experienced cyberattacks include Harvard and Columbia.
The post Monroe University: 320,000 Individuals Affected by December 2024 Cyberattack appeared first on The HIPAA Journal.