HIPAA Compliance Officer Training for Newly Appointed Officers
HIPAA Compliance Officer training prepares a designated individual to oversee how a HIPAA Covered Entity meets its HIPAA Privacy, HIPAA Security, and HIPAA Breach Notification obligations, often in smaller practices while still functioning as a member of the workforce. Training for HIPAA Compliance Officers has two layers. First, HIPAA Compliance Officers need the same high quality HIPAA training that every employee receives so they understand HIPAA compliance from an employee perspective. Second, they need additional training that focuses on the overall compliance program for the HIPAA Covered Entity, including policies, documentation, risk management, and oversight. The most effective programs build this in sequence, starting with employee level training and then adding the advanced compliance content on top. The more advanced content is typically custom training that is specific to the HIPAA-Covered Entity's own policies and procedures.
The Foundation is HIPAA Training For Employees
The foundation for any HIPAA Compliance Officer is strong employee training that covers what staff actually do with Protected Health Information in real life. A good employee course introduces core HIPAA concepts, explaining what PHI and ePHI are, how the Minimum Necessary Standard works, why authorizations matter, and how HIPAA supports patient trust and better care. It then walks through the main HIPAA rules, including the Privacy Rule, Security Rule, and Breach Notification Rule, so employees see the whole picture rather than isolated fragments.
High quality employee training also explains the role of Compliance Officers themselves, framing them as partners who help staff follow ethical and legal standards. It goes on to show how HIPAA violations really occur and how to prevent them, with practical examples about oversharing information, mishandling records, ignoring access controls, or skipping procedures. Staff learn about patient rights under HIPAA, such as access, amendments, and confidential communications, and they see how their actions support those rights in day to day work.
Healthcare employee training must include HIPAA security awareness and cybersecurity training, teaching staff how to recognize threats to medical records and how administrative, physical, and technical safeguards protect data. It should cover how HIPAA applies in emergencies, how recent HIPAA updates affect work, and how to use artificial intelligence tools in a HIPAA compliant way. Lessons on social media and messaging clarify why casual or anonymous posts can still violate HIPAA and why organizational policies must be followed. Optional modules on state privacy laws and small medical practice challenges are also valuable when they apply. This type of comprehensive, scenario based employee training is the baseline that every Compliance Officer should complete and understand thoroughly.
Building On The Foundation with HIPAA Covered Entity Level Compliance Training
Once the employee layer is in place, a HIPAA Compliance Officer needs training that teaches them how to manage compliance for the entire HIPAA-Covered Entity. This includes learning how to design and maintain policies and procedures that reflect the specific organization’s size, structure, and risk profile. It also requires a deeper understanding of risk analysis and risk management planning, so the officer can identify where PHI is stored and transmitted, where vulnerabilities exist, and how to prioritize mitigation.
HIPAA Compliance Officer training at the HIPAA-Covered Entity level should address how to plan, deliver, and document workforce training, how to manage HIPAA Business Associates and their agreements, and how to monitor compliance through internal reviews or audits. It should explain how to coordinate incident response and breach notification, how to work with leadership on corrective action, and how to communicate with regulators or clients when questions arise. The HIPAA Business Associate Agreement should also contain a provision requiring that the business associate's staff in turn receive HIPAA training. This part of the training for the HIPAA Compliance Officer is less about individual tasks and more about building and sustaining a complete HIPAA compliance program.
Training Pathway For HIPAA Compliance Officers
The most practical training pathway for a HIPAA Compliance Officer starts with completing a full workforce HIPAA training course, just like other employees. That ensures they see the same content staff receive and understand how it feels from the employee perspective. Once that foundation is in place, the Compliance Officer should add role specific modules that focus on risk assessments, policy development, documentation standards, training governance, and vendor oversight. Additional learning in incident handling, root cause analysis, and corrective action planning is also important.
Over time, both layers need to be refreshed. The HIPAA Compliance Officer should repeat employee level training on a regular schedule, so they stay aligned with staff content, and also keep their advanced compliance training up to date as regulations, technology, and enforcement priorities evolve. Skipping the employee layer or relying only on policy documents can leave significant blind spots in how policies are experienced on the ground.
HIPAA Compliance Officer Training For Newly Appointed Officers
Newly appointed HIPAA Compliance Officers face a steep learning curve. They may inherit an existing compliance program with gaps, or they may be asked to build one from scratch. The smartest first step for a new officer is to complete the same HIPAA Training for Employees that everyone else takes. This quickly aligns them with the organization’s baseline expectations, shows them what staff are being told, and highlights any disconnect between training messages and real practice.
After that initial employee training, new HIPAA Compliance Officers should move straight into structured officer level training that explains how to evaluate the current state of compliance, review existing policies and risk assessments, and identify urgent priorities. They need guidance on how to talk to leadership about risk, how to gain cooperation from busy departments, and how to shape a realistic 90 day plan that includes quick wins and longer term projects. Starting with employee training and then layering on specialized officer training helps new Compliance Officers build credibility with staff and leadership while avoiding dangerous assumptions about what people already know or do.
Conclusion: Ongoing Education And Professional Development
HIPAA Compliance Officer training is not a one time course but a layered and ongoing process. Effective officers build their knowledge from the ground up, starting with robust employee training that reflects real world risks, then adding advanced training in policies, risk management, documentation, and oversight for the HIPAA Covered Entity. They refresh both layers regularly and stay informed about new threats, regulatory updates, and enforcement trends. To support that ongoing learning, it is wise for Compliance Officers to follow trusted educational resources and keep a steady flow of practical insight. Subscribing to the free weekly newsletter from The HIPAA Journal is a simple way to stay current on HIPAA news, breach patterns, and guidance that can strengthen both employee training and the overall compliance program.
The post HIPAA Compliance Officer Training for Newly Appointed Officers appeared first on The HIPAA Journal.
12,000-Record Data Breach Announced by New York Plastic Surgery Practice
Data breaches have recently been reported by Pearlman Aesthetic Surgery and Associated Radiologists of the Finger Lakes in New York and Fast Pace Urgent Care in Tennessee.
Pearlman Aesthetic Surgery
Steven J. Pearlman, MD, PC, a well-known plastic surgeon and the owner of Pearlman Aesthetic Surgery, a popular plastic surgery practice in Manhattan, New York, has recently reported a breach of the protected health information of 11,764 individuals to the HHS’ Office for Civil Rights (OCR).
The specifics of the data breach have yet to be publicly disclosed, other than it being a hacking/IT incident. The incident was reported to OCR on November 9, 2025, and there is currently no substitute data breach notice on the Pearlman Aesthetic Surgery website.
This post will be updated when further information becomes available.
Associated Radiologists of the Finger Lakes
Associated Radiologists of the Finger Lakes, a network of interventional and diagnostic radiology centers in Elmira, NY, and the surrounding areas, has identified unauthorized access to its computer network. Anomalous activity was identified on October 30, 2025, and the investigation confirmed unauthorized access to a subset of its network, starting on October 28, 2025. Over two days, patient data may have been viewed or copied.
The file review is currently ongoing, and notification letters will be sent to the affected individuals when the review is completed. While the specific types of data involved have yet to be confirmed, based on the information collected to date, the types of data involved include names, addresses, medical record numbers, Social Security numbers, dates of birth, clinical/treatment information, medical procedure information, medical provider names, prescription information, and health insurance information. Associated Radiologists of the Finger Lakes has reviewed and enhanced its technical, administrative, and physical safeguards, policies, and procedures to reduce the risk of similar incidents in the future.
The incident has been reported to the HHS’ Office for Civil Rights with a placeholder figure of at least 501 individuals.
Fast Pace Urgent Care (FPMCM)
Fast Pace Urgent Care in Tennessee has announced a HIPAA breach at its business associate, FPMCM, LLC. On August 12, 2025, an FPMCM employee received a legitimate request for the protected health information of a single patient. When responding to that request, the employee inadvertently sent a document containing the protected health information of 2,072 patients.
The privacy violation was identified the following day, and an investigation was launched. The investigation has recently concluded and confirmed that the information impermissibly disclosed included names, dates of service, internal account numbers, billing codes, insurance information, and potentially health insurance claim numbers.
The recipient of the email confirmed that the email and the attached document have been deleted, no copies have been retained, and the information was not further disclosed. Additional safeguards have been implemented to prevent similar incidents in the future. While the affected individuals are not believed to be at risk, they have been advised to review their Explanation of Benefits statements as a best practice.
The post 12,000-Record Data Breach Announced by New York Plastic Surgery Practice appeared first on The HIPAA Journal.
October 2025 Healthcare Data Breach Report
This October 2025 healthcare data breach report was delayed because the government shutdown lasted for the whole of the month, which caused a significant delay at the HHS’ Office for Civil Rights, which did not upload any data breach reports in October. The shutdown ended on November 12, 2025, and the HHS had a considerable backlog of data breaches to add to the data breach portal. When a data breach report is received, OCR verifies the data, a process that may take around two weeks, before it is added to the OCR breach portal. Data breaches continued to be added for October well into December.

Based on data obtained from OCR on December 31, 2025, OCR received 28 reports of data breaches affecting 500 or more individuals in October – the lowest monthly total of the year, the lowest total since the 28 reported data breaches in May 2020, and a 31.7% month-over-month reduction in large healthcare data breaches.

While there has been a downward trend in data breaches, the October total is suspiciously low, which could indicate the backlog of data breach reports has yet to be cleared. The totals will be better reflected in our 2025 healthcare data breach report, due for publication in late January, and our healthcare data breach statistics page.

While breach numbers are down, the number of affected individuals increased by 540% month-over-month to 11,062,868 individuals – the second-highest monthly total of the year. That total is certain to increase well past April’s total, as the largest data breach of the month is still under investigation and the number of affected individuals has yet to be confirmed.

The Largest Healthcare Data Breaches Reported in October 2025
In October, 7 healthcare data breaches were reported that affected more than 10,000 individuals, all of which were network server hacking incidents. The largest data breach of the month occurred at the business associate Conduent Business Services, a provider of back-office services to healthcare providers, health plans, and government agencies. Conduent’s client list includes major U.S. health insurers such as Humana and Premera Blue Cross.
Conduent experienced a hacking incident in May 2025, and while not stated as a ransomware attack, the SafePay ransomware group claimed responsibility. On its data leak site, SafePay claimed to have stolen 8.5 terabytes of data. Conduent notified the HHS’ Office for Civil Rights that 42,616 individuals had been affected; however, a few months later, the Oregon Attorney General was informed that more than 10.5 million individuals were affected nationwide.
Since the data for this report were compiled, there has been a further breach report from Conduent. The Texas Attorney General has been informed that the Conduent data breach affected almost 14.8 million individuals in Texas alone.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Conduent Business Services LLC | NJ | Business Associate | 10,515,849* | Ransomware attack (Safepay) |
| Tri Century Eye Care PC | PA | Healthcare Provider | 200,000 | Hacking incident – Data theft confirmed |
| Central Jersey Medical Center | NJ | Healthcare Provider | 88,000 | Ransomware attack (Sinobi ransomware group) |
| Sierra Vista Hospital & Clinics | NM | Healthcare Provider | 75,054 | Hacking incident |
| Bosch Choice Welfare Benefit Plan | MI | Health Plan | 55,000 | Hacking incident |
| Heartland Health Center | NE | Healthcare Provider | 43,728 | Hacking incident |
| Revere Health, PC | UT | Healthcare Provider | 10,800 | Hacking incident of a third-party payment system |
The HIPAA Breach Notification Rule requires data breaches to be reported to OCR within 60 days of the discovery of a data breach. If the total number of affected individuals is not known, an estimate should be provided. HIPAA-regulated entities often submit a breach report using a placeholder figure of 500 or 501 affected individuals when the data review is ongoing. In October, two data breaches were reported with suspected 501 placeholder totals.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Saint Mary’s Home of Erie | PA | Healthcare Provider | 501 | Hacking incident |
| North Atlantic States Carpenters Health Benefits Fund | MA | Health Plan | 501 | Hacking incident |
Causes of December 2024 Healthcare Data Breaches
As is usually the case, hacking and other IT incidents dominated the breach reports in October, accounting for 21 (75%) of the month’s data breaches and 99.8% of the affected individuals. Across the 21 data breaches, 11,037,882 individuals had their protected health information exposed or stolen. The average breach size was 525,613 individuals, and the median breach size was 6,633 individuals.

The next most common category of data breaches was unauthorized access/disclosure incidents. There were 7 of these incidents in October, affecting 24,986 individuals. The average breach size was 3,569 individuals, and the median breach size was 3,177 individuals.
While loss and theft incidents, along with improper disposal incidents, were among the most common types of data breaches when OCR first started publishing healthcare data breach data in 2009, they are now relatively rare. No loss, theft, or improper disposal incidents were reported in October. The most common location of breached protected health information in October was network servers, with email the second most common location of breached PHI.

Where did the Data Breaches Occur?
Healthcare providers reported 20 data breaches in October (472,481 affected individuals), 4 data breaches were reported by health plans (60,358 affected individuals), and 4 data breaches were reported by business associates of HIPAA-covered entities (10,530,029 affected individuals).
When a data breach occurs at a HIPAA business associate, the business associate must report the data breach to each affected covered entity, and the covered entity must decide who should send out individual notifications and notify OCR and the media. Some covered entities choose to report business associate breaches to OCR and issue their own notifications, while others delegate that responsibility to the business associate. If a business associate works with multiple covered entities, some of their covered entity clients may report the breach, while others delegate the responsibility to the business associate.
The consequence of that is that business associate data breaches are often underrepresented in many healthcare data breach reports. The HIPAA Journal calculates where the breach occurred rather than the entity that reported the breach to ensure business associate data breaches are reported accurately. As you can see from the pie chart below, while 4 data breaches were reported by business associates, 9 of the month’s data breaches occurred at business associates.
Geographic Distribution of Healthcare Data Breaches
HIPAA-regulated entities in 18 U.S. states reported data breaches in October. Florida and Texas were the worst-affected states in October, with three large healthcare data breaches reported by entities headquartered in each of those states.
| States | Breaches |
|---|---|
| Florida & Texas | 3 |
| Alaska, Arizona, California, Illinois, New Jersey & Pennsylvania | 2 |
| Kentucky, Massachusetts, Michigan, Missouri, Montana, Nebraska, New Mexico, Ohio, Oklahoma & Utah | 1 |
While Florida and Texas had the highest number of data breaches, each affected a relatively low number of individuals. Unsurprisingly, given the scale of the data breach at Conduent Business Services, New Jersey was the worst-affected state, although that total includes individuals across the United States.
| State | Individuals Affected |
|---|---|
| New Jersey | 10,603,849 |
| Pennsylvania | 200,501 |
| New Mexico | 75,054 |
| Michigan | 55,000 |
| Nebraska | 43,728 |
| Texas | 14,233 |
| Utah | 10,800 |
| California | 9,700 |
| Kentucky | 9,536 |
| Illinois | 9,405 |
| Florida | 8,503 |
| Oklahoma | 6,633 |
| Montana | 5,617 |
| Arizona | 4,177 |
| Alaska | 2,641 |
| Missouri | 1,680 |
| Ohio | 1,310 |
| Massachusetts | 501 |
HIPAA Enforcement Activity in October 2025
The government shutdown for the entire month of October meant all but the most critical workflows ground to a halt at the Department of Health and Human Services. As such, there were no announcements about HIPAA settlements and civil monetary penalties, and no penalties were announced by state attorneys general in October.
The post October 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.