HIPAA, HITECH & Omnibus Rule

Our unique combination of health industry smarts and deep regulatory understanding allows us to build and implement compliance solutions that are both realistic and resource-sensitive.


Our approach

HIPAA and state laws present the health care industry with stringent standards for patient privacy, data security, transactions and code sets. Compliance can require rethinking old procedures and systems and training employees to work and think differently. We help our clients rise to the challenge efficiently and affordably—whether they’re health care providers or entities that come into contact with protected health information.

We draw on extensive industry and regulatory know-how to evaluate your current risk and find resource-sensitive compliance solutions. We also work with our clients to structure their transactions strategically, build compliant business associate programs that protect their interests and manage their litigation risk. And in the event of theft or loss of sensitive information, we’ll help you respond quickly and efficiently, take needed steps to avoid future incidents and guide you through any ensuing litigation or government investigation.

Who we work with

  • Health care providers, pharmacies, laboratories and others who collect, transmit, store or have access to protected health information
  • Business associates, including data storage companies, cloud vendors, EMR providers, software vendors, collection agencies and billing services (and their subcontractors)
  • Companies with self-insured health plans
  • Health information exchange organizations (HIEs), regional health information organizations (RHIOs), e-prescribing gateways and personal health record (PHR) vendors
  • Patient safety organizations
  • Law firms, law enforcement agencies, accounting firms and other professional advisors working with sensitive client information
  • Companies at any stage of responding to privacy complaints or the theft or loss of data, whether intentional or accidental, including victims of hacking, disgruntled or negligent employees and natural disasters


  • Recognized by Chambers USA as a nationwide leader in the field of privacy law
  • The Rhode Island Department of Health Founder’s Award, the Rhode Island Attorney General Justice Award and the Rhode Island Department of Health Award for Excellence in Public Health Promotion

Recent experience

  • Serving as general counsel to the Rhode Island Quality Institute (RIQI), the first RHIO to implement a stringent privacy and security legal framework for its HIE and implement an opt-in consent for HIE participation. RIQI is the only entity in the country that received all three federal grants from the Office of the National Coordinator related to the implementation of health information technology, including the Regional Extension Center grant, the Health Information Exchange grant and the Beacon Communities grant.
  • Developed and implemented HIPAA compliance programs for:
    • Large hybrid entities
    • Multiple physician groups and hospital systems
    • Several RHIOs and HIEs
    • Cloud vendors
    • Software and EMR providers
    • Patient portal products
  • Worked with the Massachusetts Center for Health Information and Analysis to develop privacy and security policies related to the statewide All-Payer Claims Database and to provide it with ongoing privacy and data security counsel
  • Assisted multiple clients in developing patient portals, including practices and procedures, website policies, terms and conditions of use and patient participant agreements
  • Participated in the Health Information Security and Privacy Collaboration (HISPC), a project funded by the National Governor's Association to develop best practices for the implementation of statewide health information exchanges
  • Helped multiple health care entities navigate investigations conducted by the HHS Office for Civil Rights and state attorneys general
  • Revised the policies, procedures and business associate agreements of several national health care providers and other large companies
  • Built corporate privacy and security framework for several startup companies in the health care industry
  • Counseled a pharmaceuticals company in corporate privacy and security issues and HIPAA compliance needs and provided worldwide employee privacy training
  • Represented an electronic health records provider with software license issues and support agreements
  • Provided emergency response and strategy for clients following the theft or loss of large amounts of sensitive information. Recent examples include:
    • A lost laptop containing the protected health information of over 11,000 individuals from 31 different states
    • Stolen paper medical records of 500 individuals
    • Theft of 1.7 million patient records
    • Misdirected e-mails containing personally identifiable and insurance information of over 3,000 employees
  • Conducting extensive employee training initiatives in identifying and protecting high-risk data

Health records law moves slowly

Buffalo Law Journal | July 09, 2018

Albany Health Care partner Laurie Cohen is quoted in this article discussing how state and federal guidance are encouraging patients to be more engaged with their health records, and outlining instances in which minors can withhold health information from their parents.

Aetna's HIV lapse shows snail mail's privacy pitfalls

Law360 | August 24, 2017

Chicago health care partner Valerie Montague is quoted in this article about how Aetna Inc.’s mailed letters to policy holders regarding prescriptions for HIV drugs violated the Health Insurance Portability and Accountability Act.

HIPAA spotlight: key stats from a banner year

Law360 | January 16, 2017

This article recaps HIPAA stats and highlights from the past year. Chicago health care partner Valerie Montague is quoted throughout discussing privacy breaches and how health care organizations react.

  • Ranked nationally for Health Care in Chambers USA: America’s Leading Lawyers for Business 2018, as well as in Illinois, Massachusetts and New York
  • U.S. News/Best Lawyers named Nixon Peabody “Law Firm of the Year” in Health Care Law in 2016
  • Ranked nationally in U.S. News/Best Lawyers 2019 “Best Law Firms” in Health Care Law, and received metropolitan rankings in Health Care Law in Albany, Chicago, Long Island, Los Angeles, New York City and Rhode Island
  • Ranked in Illinois, Massachusetts and New York for Health Care in Chambers USA: America’s Leading Lawyers for Business
  • Ranked nationally by Modern Healthcare—Largest Healthcare Law Firm
  • Recognized lawyers by Best Lawyers in America in the field of Health Care law
  • Recognized lawyers by Super Lawyers in the area of Health Care law
  • Recognized by the American Bar Association’s Health Law Section in its Annual Regional Law Firm Recognition Program
