Brad Lieberman

Practicing PMHNP with a Juris Doctor (retired). The Encrypted Chart is operational privacy guidance for solo and small-group healthcare practice — the shields you'd have if you had a hospital's compliance team.

Jun 13, 2026

•

5 min read

The Email Habits That Just Cost a Mental Health Practice $900,000

A Massachusetts behavioral health center settled a class action this week for $900,000 over a breach that started with one phished email account. A national legal alert published two days ago explains how a routine group email becomes a reportable HIPAA event. Both stories point at the same form most solo therapy practices don't have.

Brad Lieberman

Jun 9, 2026

•

6 min read

Three Breaches Last Month. All Started With One Email

The Acadia Healthcare notice that went out May 22, the Genesis ransomware that hit an independent California cardiology practice, and the 35,000-account phishing campaign Microsoft tracked in April. Same fact pattern, three different scales. The attackers did not break in. They logged in.

Brad Lieberman

Your Vendor's Breach Just Became Your Lawsuit.

Jun 2, 2026

•

4 min read

Your Vendor's Breach Just Became Your Lawsuit.

A federal court in Chicago ruled last week that patients can sue a healthcare provider over a vendor's data breach. The diligence defense — "they were reputable, they had certifications, I trusted them" — just got materially narrower.

Brad Lieberman

May 30, 2026

•

6 min read

$900,000 for the 72 Hours You Didn't Plan For

A Small OB/GYN practice just paid $900,000 to settle a class action over a four-day breach in 2022. The breach itself wasn't extraordinary — what made it expensive was what happened next. Here's the operational document most independent practices don't have, and why it's the difference between $0 and seven figures.

Brad Lieberman

California Just Reached Into Your Out-of-State Practice.

May 26, 2026

•

4 min read

California Just Reached Into Your Out-of-State Practice.

A California Supreme Court ruling last week makes it easier to sue any practice that holds a California resident's medical records — including the records of patients who moved there years ago and you haven't seen since.

Brad Lieberman

Your Forms Predate the 42 CFR Part 2 Update. So Did Mine.

May 23, 2026

•

6 min read

Your Forms Predate the 42 CFR Part 2 Update. So Did Mine.

This weekend I sat down to audit my own NPP and intake consent against the 42 CFR Part 2 Final Rule. I found gaps. Here's what I found, how I'm fixing them by Tuesday morning, and the same audit you can run on yours.

Brad Lieberman

May 19, 2026

•

4 min read

$245,000 for the Form You Don't Have

OCR fined five practices a combined $1.41 million in the past two weeks. The common thread wasn't sophisticated hacking. It was a missing annual document. Here's why solo and small-group practices should be reading their own compliance paperwork this week.

Brad Lieberman

Your Website Is Probably Leaking Patient Data to TikTok and Meta.

May 16, 2026

•

5 min read

Your Website Is Probably Leaking Patient Data to TikTok and Meta.

Bloomberg just confirmed every state-run health insurance exchange in America is doing it. The same tracking pixels sit on most practice websites. Here's the operational audit that closes the gap this week.

Brad Lieberman

May 12, 2026

•

4 min read

Sutter's AI Scribe Just Got Sued. You Use the Same Tool.

Three California health systems just got named in a class action over how they record patient visits with an AI scribe. The lawsuit isn't HIPAA. Your vendor's contract doesn't cover it. Here's the gap and what to check this week.

Brad Lieberman

May 9, 2026

•

7 min read

When Your Billing Service Gets Hacked: A $225K Federal Wake-Up Call

If your billing service got hacked tomorrow, what does the contract you signed with them actually say? Last month the federal government fined a vendor in that exact pattern $225,000. Here's what to read this week — before it's your patients calling.

Brad Lieberman

Five Questions Hospital Compliance Officers Ask About AI Scribes — and Solo Practices Don't

May 6, 2026

•

8 min read

Five Questions Hospital Compliance Officers Ask About AI Scribes — and Solo Practices Don't

The institutional version of this conversation happens before the contract is signed. The independent version happens after the breach. Here's the operational protocol that bridges them.

Brad Lieberman