Health Information—Privacy, Security, and Data Sharing

Our Approach

The exchange of health information is governed by many state and federal laws, including HIPAA, 42 C.F.R. Part 2, and the FTC’s Health Breach Notification Rule. These laws have spurred regulations that impose stringent standards for patient privacy, data security, and breach response.

For healthcare clients, complying with these regulations is a dynamic and sometimes confusing process. New requirements and evolving technology can require overhauling policies and procedures, updating risk management plans, and providing significant new training for employees.

Our health information team has the experience and knowledge necessary to build or strengthen your compliance program—maintaining your standards of integrity and efficiency, protecting your assets, and meeting unexpected challenges along the way.

We draw on the diverse experience of attorneys from across practice groups to give you smart, actionable advice on the full spectrum of health information concerns, including regulatory issues, digital data management, and intellectual property.

What We Do

We handle all aspects of compliance with federal and state laws governing the management, privacy, and security of health information, including:

• Developing HIPAA compliance programs
• Training your workforce
• Assisting with evaluations of and responses to potential security incidents and breaches of protected health information or other regulated health data
• Investigating potential breaches, drafting required notifications, interfacing with law enforcement and forensic teams, and identifying mitigation activities
• Counseling organizations facing an audit or investigation by the Office for Civil Rights (OCR) or a state attorney general
• Creating incident response plans
• Advising on data privacy issues related to clinical trials
• Advising on privacy and security risk management
• Reviewing and negotiating business arrangements involving the use or disclosure of protected health information and other regulated health data, including data sharing agreements, licensing agreements, and application service provider (ASP) hosting agreements
• Guiding organizations on compliant de-identification of health data and the secondary use of regulated data
• Planning litigation avoidance strategies
• Strategizing practical resolutions of privacy- and security-related disputes
• Guiding healthcare providers on information disclosures protected by a patient’s right of access to their health information
• Advising actors on compliance with information blocking requirements
• Assisting organizations joining or creating an organized healthcare arrangement (OHCA) or an affiliated covered entity (ACE)
• Advising healthcare providers entering health information exchanges (HIEs)
• Counseling behavioral health providers on permissible uses and disclosures of patient mental health data and substance use disorder data
• Advising on the flexibilities provided for sharing health data during the COVID-19 pandemic

Who We Work With

• Healthcare providers, pharmacies, laboratories, and others who collect, transmit, store, or access protected health information
• Treatment providers for behavioral health and substance use disorders
• Business associates, including data storage companies, electronic medical records (EMR) providers, software and technology vendors, collection agencies, and billing services providers
• Companies with self-insured health plans
• HIEs, regional health information organizations (RHIOs), e-prescribing gateways, and personal health record (PHR) vendors
• Healthcare providers participating in an HIE or RHIO
• Patient safety organizations
• Law firms, law enforcement agencies, accounting firms, and other professional advisors working with sensitive client information
• Companies responding to privacy complaints or the theft or loss of data

Recent Experience

• Assist a large social services organization operating a mental health clinic to investigate a breach involving its EMR system, including responding to a subsequent OCR investigation triggered by the breach notification
• Counsel to privacy and security officers at multiple hospital systems, Federally Qualified Health Centers (FQHCs), and physician practices to assess privacy and security incidents, develop and update internal policies and procedures, assess business associate risks, and advise on employee disciplinary matters
• Advise healthcare providers with issues relating to a patient’s right to access health information
• Assist hospital clients with OCR and state attorney general investigations, including a probe initiated in response to a patient complaint that the hospital had improperly disclosed patient information to a state agency, and another following employee postings of patient information
• Assist a large psychotherapy provider in responding to a ransomware attack, including coordination with a third-party forensics team
• Advise for-profit and not-for-profit healthcare vendors with data privacy and security compliance, including negotiating agreements involving the disclosure of protected health information and the secondary use of regulated health data and providing privacy and security compliance reviews
• Assist a national laboratory company in federal and state privacy issues related to its venture with a major pharmaceutical manufacturer to purchase and conduct rapid tests for COVID-19 via telehealth platform
• Advise higher education organizations on data privacy compliance related to COVID-19 testing and vaccination programs, disclosures of patient information by the student health service, and the privacy implications of arrangements with athletic trainers and ambulance providers for athletics programs
• Advise FQHCs and other healthcare providers on compliance obligations under the information blocking regulations
• Work with Bloomberg Law to develop its Health Cybersecurity Practical Guidance