HIPAA Privacy and Security
Health care providers, clearinghouses, health plans and their business associates face stringent requirements under federal and state laws to protect health information. These laws include the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Genetic Information Nondiscrimination Act (GINA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The U.S. Department of Health and Human Services (HHS) has adopted Privacy, Security, Breach Notification and Enforcement Rules, which:
- require protection of the privacy, security, and confidentiality of protected health information (PHI), including electronic PHI;
- limit uses and disclosures of PHI;
- give individuals certain rights with respect to their PHI;
- require notification of individuals, HHS and the media of certain breaches of PHI; and
- permit HHS to conduct audits and impose sanctions.
We are at the forefront of advising clients on health information privacy, security and breach notification issues under federal and state law. We provide clients with practical advice on how to manage the compliance, risk management, and litigation issues involved in the cutting-edge world of PHI.
We have extensive expertise in advising clients on HIPAA health information privacy, as well as security and breach issues, and in developing HIPAA compliance plans for our clients. We have significant experience under the HIPAA/HITECH Act and state health privacy laws, advising and representing clients in HHS Office for Civil Rights (OCR) investigations, civil and criminal enforcement actions, and private health information litigation. We help clients navigate these difficult issues, including identifying real strategies to achieve compliance and helping them manage a breach crisis if one occurs.
The HIPAA Rules (and their state-level equivalents) are complicated, and the potential penalties for mistakes can be steep. Our expertise in the area enables clients to successfully navigate these complexities. Our attorneys routinely advise clients on HIPAA privacy, security and breach issues, whether the client is a HIPAA-covered entity, a business associate or a research or other organization that seeks to obtain health information from a covered entity.
We are experienced in developing HIPAA privacy and security compliance plans for clients and work with client personnel in the legal, compliance and IT/technical capacities to educate on HIPAA requirements and ensure that such compliance plans are consistent with our client’s culture and fully integrated into their existing information security program.
We have expertise in devising comprehensive HIPAA training programs, as well as programs narrowly tailored to meet the training needs of specific employees with limited health care-related functions—and various iterations in between.
We advise clients in the event of an inadvertent or malicious breach of health information, including identifying immediate, proactive steps to mitigate potential harm. From small hospital providers to large for-profit companies, and from covered entities to business associates, we have navigated companies through the various federal and state laws relating to privacy and security breaches of health and financial data. If the breach is reportable under federal or state law, we can assist clients with notifying government agencies and individuals as required.
Transaction Due Diligence
We routinely draw on our experience to conduct HIPAA/HITECH Act due diligence and support client transactions involving health care entities or service providers. With our experience, we are able to assess and contain risks associated with transactions involving HIPAA covered entities, business associates, technology companies and other entities that hold protected health information.