Health Care and Life Sciences > Health Information Privacy and Security

The firm’s health industry practice has maintained a robust privacy practice since the passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Health information is protected by a complex patchwork of state and federal laws and regulations that is continually evolving. Our team offers a complete range of regulatory transactional, and strategic services related to compliance with privacy, cybersecurity and other data protection laws, including HIPAA; the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009; Section 5 of the Federal Trade Commission Act; and state laws relevant to health information privacy, breach notification and cybersecurity.

Our lawyers have the depth of experience needed to handle health information privacy and security issues in these dynamic times. We assist hospitals, pharmacies, pharmaceutical companies, health clinics, health plans, third-party administrators, research entities, software vendors, service providers, trade associations and even a professional sports league, among others, in addressing concerns relating to data privacy and security. We counsel clients with breach preparedness and response efforts. We have experience developing and implementing strategies for addressing privacy compliance risks associated with the often complex data flows involved in developing and deploying new health care innovations. We have assisted clients in addressing privacy and data security challenges presented by digital health solutions, including advising on data collection and use strategies, crafting privacy policies and consent forms, assisting with complex contracting issues, and tailoring data breach response plans to accommodate new products and data streams.

In analyzing risk and developing client-oriented strategies, we consider not just the letter of the law, but current government enforcement priorities, compliance trends, and the broader policy and economic environment. 

Representative engagements include:

  • counseling a cancer center on data breach response issues
  • providing privacy and cybersecurity advice to a cancer center entering into a venture to develop decision support tools utilizing cutting-edge technology
  • providing data breach response services to hospital systems
  • drafting comprehensive privacy and data protection policies and procedures for a range of HIPAA covered entities and business associates
  • providing a full range of transactional services for hospital systems, nursing home and other health industry participants engaging in mergers and acquisitions activities
  • advising a national sports league on privacy issues, primarily focusing on state and federal laws, including HIPAA, HITECH and the American with Disabilities Act confidentiality requirements;
  • assisting a medical device company in developing a HIPAA compliance program
  • developing HIPAA and HITECH compliance and training programs for clients ranging from a health provider trade association to a health software vendor to a health plan
  • drafting data breach remediation and response policies and procedures for clients ranging from a health information exchange to employer-sponsored group health plans to a health provider trade association
  • counseling providers in connection with the Department of Health and Human Services Office for Civil Rights investigations of alleged HIPAA violations
  • drafting, tailoring and negotiating contracts (including business associate agreements and data use agreements) to address health information privacy and security concerns on behalf of clients ranging from health plans to pharmacy chains to hospitals to vendors
  • providing a range of clients with advice relating to the HIPAA and HITECH marketing provisions
  • developing and implementing a HIPAA compliance strategy and business plan for a clinical research company gathering data from patients and their physicians to build a database to be used for research purposes.