Health Care and Life Sciences > Health Information Privacy and Security

The firm’s health industry practice has maintained a robust privacy practice since the passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Health information is protected by a complex patchwork of state and federal laws and regulations that is continually evolving. Most notably, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act as part of the American Recovery and Reinvestment Act of 2009 (ARRA), dramatically impacting data privacy and security obligations and risks. Our lawyers have the depth of experience needed to handle health information privacy and security issues in these dynamic times. We assist hospitals, pharmacies, pharmaceutical companies, health clinics, health plans, third-party administrators, research entities, software vendors, service providers, trade associations and even a professional sports league, among others, in addressing concerns relating to data privacy and security. Representative engagements include:

  • developing HIPAA and HITECH compliance and training programs for clients ranging from a health provider trade association to a health software vendor to a health plan
  • drafting data breach remediation and response policies and procedures for clients ranging from a health information exchange to employer-sponsored group health plans to a health provider trade association
  • assisting health care providers that have experienced a data breach in complying with state and federal breach notification requirements and in addressing related concerns
  • counseling providers in connection with HHS Office for Civil Rights (OCR) investigations of alleged HIPAA violations
  • preparing comments for submission to HHS on the proposed (1999) and interim final (2000) privacy rules on behalf of clients, including a major retail pharmacy chain and a group of cancer hospitals developing HIPAA-compliant forms, including authorization forms, notices of privacy practices and complex business associate agreements
  • drafting, tailoring and negotiating contracts to address health information privacy and security concerns on behalf of clients ranging from health plans to pharmacy chains to hospitals to vendors
  • advising a major hospital and health system, as well as a retail pharmacy chain, on issues arising under the HIPAA regulations governing transaction standards
  • reviewing existing and proposed state health information privacy laws in varying contexts, including analyzing their potential impact on a medical products manufacturer’s clinical research and promotional activities
  • providing a range of clients with advice relating to the HIPAA and HITECH marketing provisions
  • developing and implementing a HIPAA compliance strategy and business plan for a clinical research company gathering data from patients and their physicians to build a database to be used for research purposes
  • assisting a physician practice management company acquiring physician practices in obtaining access to medical records in compliance with state and federal laws governing the release of medical records, including sensitive records containing information regarding substance abuse, psychiatric conditions and/or the treatment of AIDS or related conditions
  • addressing health information privacy concerns arising in the course of litigation and in bankruptcy proceedings.