Health Information—Privacy, Security, and Data Sharing

Increased regulation of personally identifiable health information and data security have created new demands for hospitals and healthcare industry clients. Our team handles your compliance needs so you can focus on providing care.

Stay connected to legal developments in a broad array of health care law topics and events by signing up for our Health Law Alert.


Our Approach

The exchange of health information is governed by many state and federal laws, including HIPAA, 42 C.F.R. Part 2, and the FTC’s Health Breach Notification Rule. These laws have spurred regulations that impose stringent standards for patient privacy, data security, and breach response.

For healthcare clients, complying with these regulations is a dynamic and sometimes confusing process. New requirements and evolving technology can require overhauling policies and procedures, updating risk management plans, and providing significant new training for employees.

Our health information team has the experience and knowledge necessary to build or strengthen your compliance program—maintaining your standards of integrity and efficiency, protecting your assets, and meeting unexpected challenges along the way.

We draw on the diverse experience of attorneys from across practice groups to give you smart, actionable advice on the full spectrum of health information concerns, including regulatory issues, digital data management, and intellectual property.

What We Do

We handle all aspects of compliance with federal and state laws governing the management, privacy, and security of health information, including:

  • Developing HIPAA compliance programs
  • Training your workforce
  • Assisting with evaluations of and responses to potential security incidents and breaches of protected health information or other regulated health data
  • Investigating potential breaches, drafting required notifications, interfacing with law enforcement and forensic teams, and identifying mitigation activities
  • Counseling organizations facing an audit or investigation by the Office for Civil Rights (OCR) or a state attorney general
  • Creating incident response plans
  • Advising on data privacy issues related to clinical trials
  • Advising on privacy and security risk management
  • Reviewing and negotiating business arrangements involving the use or disclosure of protected health information and other regulated health data, including data sharing agreements, licensing agreements, and application service provider (ASP) hosting agreements
  • Guiding organizations on compliant de-identification of health data and the secondary use of regulated data
  • Planning litigation avoidance strategies
  • Strategizing practical resolutions of privacy- and security-related disputes
  • Guiding healthcare providers on information disclosures protected by a patient’s right of access to their health information
  • Advising actors on compliance with information blocking requirements
  • Assisting organizations joining or creating an organized healthcare arrangement (OHCA) or an affiliated covered entity (ACE)
  • Advising healthcare providers entering health information exchanges (HIEs)
  • Counseling behavioral health providers on permissible uses and disclosures of patient mental health data and substance use disorder data
  • Advising on the flexibilities provided for sharing health data during the COVID-19 pandemic

Who We Work With

  • Healthcare providers, pharmacies, laboratories, and others who collect, transmit, store, or access protected health information
  • Treatment providers for behavioral health and substance use disorders
  • Business associates, including data storage companies, electronic medical records (EMR) providers, software and technology vendors, collection agencies, and billing services providers
  • Companies with self-insured health plans
  • HIEs, regional health information organizations (RHIOs), e-prescribing gateways, and personal health record (PHR) vendors
  • Healthcare providers participating in an HIE or RHIO
  • Patient safety organizations
  • Law firms, law enforcement agencies, accounting firms, and other professional advisors working with sensitive client information
  • Companies responding to privacy complaints or the theft or loss of data

Recent Experience

  • Assist a large social services organization operating a mental health clinic in investigating a breach involving its EMR system, including responding to a subsequent OCR investigation triggered by the breach notification
  • Counsel to privacy and security officers at multiple hospital systems, Federally Qualified Health Centers (FQHCs), and physician practices to assess privacy and security incidents, develop and update internal policies and procedures, assess business associate risks, and advise on employee disciplinary matters
  • Advise healthcare providers on issues relating to a patient’s right to access health information
  • Assist hospital clients with OCR and state attorney general investigations, including a probe initiated in response to a patient complaint that the hospital had improperly disclosed patient information to a state agency, and another following employee postings of patient information
  • Assist a large psychotherapy provider in responding to a ransomware attack, including coordination with a third-party forensics team
  • Advise for-profit and not-for-profit healthcare vendors on data privacy and security compliance, including negotiating agreements involving the disclosure of protected health information and the secondary use of regulated health data, and providing privacy and security compliance reviews
  • Assist a national laboratory company on federal and state privacy issues related to its venture with a major pharmaceutical manufacturer to purchase and conduct rapid tests for COVID-19 via a telehealth platform
  • Advise higher education organizations on data privacy compliance related to COVID-19 testing and vaccination programs, disclosures of patient information by the student health service, and the privacy implications of arrangements with athletic trainers and ambulance providers for athletics programs
  • Advise FQHCs and other healthcare providers on compliance obligations under the information blocking regulations
  • Work with Bloomberg Law to develop its Health Cybersecurity Practical Guidance

5 ERISA Cases To Watch In The 2nd Half Of 2020

Law360 | July 29, 2020

San Francisco office managing partner and Corporate partner Karen Ng was quoted in this article for her outlook on the federal government’s interest in Howard Jarvis Taxpayers Association v. California Secure Choice Retirement Savings Program, and the rise in ERISA privacy and cybersecurity lawsuits in Harmon et al. v. Shell Oil Co. et al.

ANALYSIS | 42 CFR Part 2 Rules Changes a Welcome Sign for Many Providers

Behavioral Healthcare Executive | July 22, 2020

This story features New York City Health Care associate Jena Grady for her outlook on the Department of Health & Human Services’ Substance Abuse and Mental Health Services Administration’s final rule to 42 CFR Part 2 relating to substance use disorders.

More Changes Ahead for Substance Use Record Sharing Law

Bloomberg Law | July 22, 2020

This story features New York City Health Care associate Jena Grady for her outlook on the Department of Health & Human Services’ Substance Abuse and Mental Health Services Administration’s final rule to 42 CFR Part 2 relating to substance use disorders.

Coronavirus sparks demand for local telemedicine, marks turning point for the industry

Washington Business Journal | March 20, 2020

Washington, DC, Health Care counsel Sarah Swank talks about how a new waiver that expanded the list of video conference apps and platforms permitted under HIPAA for telemedicine could be a game-changer for the industry.

Hospitals balance disclosure and privacy as COVID-19 spreads

Modern Healthcare | March 12, 2020

Chicago Health Care partner Valerie Breslin Montague talks about how hospitals can remain in compliance with HIPAA while executing an effective crisis communications plan related to the coronavirus outbreak.

  • U.S. News/Best Lawyers has named Nixon Peabody “Law Firm of the Year” in Health Care Law in 2016
  • Ranked nationally in U.S. News/Best Lawyers 2019 “Best Law Firms” in Health Care Law, and received metropolitan rankings in Health Care Law in Albany, Chicago, Long Island, Los Angeles, New York City and Rhode Island
  • Ranked in Illinois, Massachusetts and New York for Health Care in Chambers USA: America’s Leading Lawyers for Business
  • Lawyers recognized by Best Lawyers in America in the field of Health Care law

NP Cybersecurity Blog
Staying ahead in a data-driven world: insights from our Cybersecurity & Privacy team