HIPAA, HITECH & Omnibus Rule

Our unique combination of health industry smarts and deep regulatory understanding allows us to build and implement compliance solutions that are both realistic and resource-sensitive.



Our approach

HIPAA and state laws present the health care industry with stringent standards for patient privacy, data security, transactions and code sets. Compliance can require rethinking old procedures and systems and training employees to work and think differently. We help our clients rise to the challenge efficiently and affordably—whether they’re health care providers or entities that come into contact with protected health information.

We draw on extensive industry and regulatory know-how to evaluate your current risk and find resource-sensitive compliance solutions. We also work with our clients to structure their transactions strategically, build compliant business associate programs that protect their interests and manage their litigation risk. And in the event of theft or loss of sensitive information, we’ll help you respond quickly and efficiently, take needed steps to avoid future incidents and guide you through any ensuing litigation or government investigation.

Who we work with

  • Health care providers, pharmacies, laboratories and others who collect, transmit, store or have access to protected health information
  • Business associates, including data storage companies, cloud vendors, EMR providers, software vendors, collection agencies and billing services (and their subcontractors)
  • Companies with self-insured health plans
  • Health information exchange organizations (HIEs), regional health information organizations (RHIOs), e-prescribing gateways and personal health record (PHR) vendors
  • Patient safety organizations
  • Law firms, law enforcement agencies, accounting firms and other professional advisors working with sensitive client information
  • Companies at any stage of responding to privacy complaints or the theft or loss of data, whether intentional or accidental, including victims of hacking, disgruntled or negligent employees and natural disasters


  • Recognized by Chambers USA as a nationwide leader in the field of Privacy Law
  • The Rhode Island Department of Health Founder’s Award, the Rhode Island Attorney General Justice Award and the Rhode Island Department of Health Award for Excellence in Public Health Promotion

Recent experience

  • Serving as general counsel to the Rhode Island Quality Institute (RIQI), the first RHIO to implement a stringent privacy and security legal framework for its HIE and implement an opt-in consent for HIE participation. RIQI is the only entity in the country that received all three federal grants from the Office of the National Coordinator related to the implementation of health information technology, including the Regional Extension Center grant, the Health Information Exchange grant and the Beacon Communities grant.
  • Developed and implemented HIPAA compliance programs for:
    • Large hybrid entities
    • Multiple physician groups and hospital systems
    • Several RHIOs and HIEs
    • Cloud vendors
    • Software and EMR providers
    • Patient portal products
  • Worked with the Massachusetts Center for Health Information and Analysis to develop privacy and security policies related to the statewide All-Payer Claims Database and provided it with ongoing privacy and data security counsel
  • Assisted multiple clients in developing patient portals, including practices and procedures, website policies, terms and conditions of use and patient participant agreements
  • Participated in the Health Information Security and Privacy Collaboration (HISPC), a project funded by the National Governors Association to develop best practices for the implementation of statewide health information exchanges
  • Helped multiple health care entities navigate investigations conducted by the HHS Office for Civil Rights and state attorneys general
  • Revised the policies, procedures and business associate agreements of several national health care providers and other large companies
  • Built a corporate privacy and security framework for several startup companies in the health care industry
  • Counseled a pharmaceuticals company on corporate privacy and security issues and HIPAA compliance needs and provided worldwide employee privacy training
  • Represented an electronic health records provider with software license issues and support agreements
  • Provided emergency response and strategy for clients following the theft or loss of large amounts of sensitive information. Recent examples include:
    • A lost laptop containing the protected health information of over 11,000 individuals from 31 different states
    • Stolen paper medical records of 500 individuals
    • Theft of 1.7 million patient records
    • Misdirected e-mails containing personally identifiable and insurance information of over 3,000 employees
  • Conducting extensive employee training initiatives in identifying and protecting high-risk data

5 ERISA Cases To Watch In The 2nd Half Of 2020

Law360 | July 29, 2020

San Francisco office managing partner and Corporate partner Karen Ng was quoted in this article for her outlook on the federal government’s interest in Howard Jarvis Taxpayers Association v. California Secure Choice Retirement Savings Program, and the rise in ERISA privacy and cybersecurity lawsuits in Harmon et al. v. Shell Oil Co. et al.

ANALYSIS | 42 CFR Part 2 Rules Changes a Welcome Sign for Many Providers

Behavioral Healthcare Executive | July 22, 2020

This story features New York City Health Care associate Jena Grady for her outlook on the Department of Health & Human Services’ Substance Abuse and Mental Health Services Administration’s final rule to 42 CFR Part 2 relating to substance use disorders.

More Changes Ahead for Substance Use Record Sharing Law

Bloomberg Law | July 22, 2020

This story features New York City Health Care associate Jena Grady for her outlook on the Department of Health & Human Services’ Substance Abuse and Mental Health Services Administration’s final rule to 42 CFR Part 2 relating to substance use disorders.

Coronavirus sparks demand for local telemedicine, marks turning point for the industry

Washington Business Journal | March 20, 2020

Washington, DC, Health Care counsel Sarah Swank talks about how a new waiver that expanded the list of video conference apps and platforms permitted under HIPAA for telemedicine could be a game-changer for the industry.

Hospitals balance disclosure and privacy as COVID-19 spreads

Modern Healthcare | March 12, 2020

Chicago Health Care partner Valerie Breslin Montague talks about how hospitals can remain in compliance with HIPAA while executing an effective crisis communications plan related to the coronavirus outbreak.

Facebook lawsuit underscores importance of transparent collection and use of data

Rochester Business Journal | January 25, 2019

Rochester Corporate partner Jeremy Wolk wrote this contributed column analyzing a lawsuit filed against Facebook in Washington, DC, alleging violations of state-level consumer protection laws by the social media company. This article incorporates perspective from an alert written by Washington Complex Commercial Disputes associate Brian Donnelly, Rochester Corporate associate Jenny Holmes, and Los Angeles Government Investigations & White Collar Defense associate Karina Puttieva.

  • Ranked nationally for Health Care in Chambers USA: America’s Leading Lawyers for Business 2018, as well as in Illinois, Massachusetts and New York
  • U.S. News/Best Lawyers “Best Law Firms” 2020 ranked as National Tier One in: Appellate Practice, Commercial Litigation, Corporate Law, Employment Law—Management, Energy Law, Franchise Law, Health Care Law, Labor Law—Management, Litigation—Construction, Litigation—Labor & Employment, Litigation—Real Estate, Mass Tort Litigation/Class Actions—Defendants, Patent Law, Public Finance Law, Real Estate Law, Securities Regulation, Tax Law
  • In addition, many Nixon Peabody practices received U.S. News/Best Lawyers Tier 1 rankings at the regional level in the following geographies: Albany, NY; Boston; Buffalo; Chicago; Long Island; Los Angeles; Manchester, NH; New York City; Providence, RI; Rochester, NY; San Francisco; and Washington, DC.
  • U.S. News/Best Lawyers has named Nixon Peabody “Law Firm of the Year” in Health Care Law in 2016
  • Ranked nationally in U.S. News/Best Lawyers 2019 “Best Law Firms” in Health Care Law, and received metropolitan rankings in Health Care Law in Albany, Chicago, Long Island, Los Angeles, New York City and Rhode Island
  • Ranked in Illinois, Massachusetts and New York for Health Care in Chambers USA: America’s Leading Lawyers for Business
  • Ranked nationally by Modern Healthcare—Largest Healthcare Law Firm
  • Lawyers recognized by Best Lawyers in America in the field of Health Care law
  • Lawyers recognized by Super Lawyers in the area of Health Care law
  • Recognized by the American Bar Association’s Health Law Section in its Annual Regional Law Firm Recognition Program
