Alston & Bird has expertise in advising clients on HIPAA health information privacy, security and breach issues, and in developing HIPAA compliance plans for our clients. We have significant experience under the HIPAA/HITECH Act and state health privacy laws, advising and representing clients in HHS Office for Civil Rights (OCR) investigations, civil and criminal enforcement actions, and private health information litigation. We help clients navigate these difficult issues, including identifying practical strategies to achieve compliance and helping them manage a breach crisis if one occurs.
Breach Response and Notification
Managing and responding to a health information breach incident can be a complicated endeavor, especially when the breach is associated with a crisis for the client. It requires expertise in both federal and state laws—whether general breach notification laws or those specific to the health care industry—as well as in incident management and response. Alston & Bird’s HIPAA/Health Information Privacy and Security Team and its Security Incident Management and Response Team bring a unique combination of expertise—knowledge of the laws governing health information breaches, together with security incident and crisis management and response experience—to assist clients in managing and responding to a health information breach. Our team also includes a former deputy general counsel of HHS, who also served as acting general counsel and advised the Secretary of HHS on privacy and security issues. Her background adds to our team’s ability to analyze privacy and security incidents, especially as to the likely perspective of HHS, the agency that issues and enforces the HIPAA regulations.
Alston & Bird advises clients in the event of an inadvertent or malicious breach of health information, including identifying immediate, proactive steps to mitigate potential harm. We recognize that no two breaches are the same, and we tailor our advice to the size and scope of the incident and its potential impact on our client. From physician group practices and small hospital providers to large for-profit companies, and from covered entities to business associates, we have navigated companies through the various federal and state laws relating to privacy and security breaches of health and financial data. Not all incidents are reportable under federal and state law, and legal expertise is crucial in making that determination. Under the HIPAA Breach Notification Rule, for example, an impermissible use or disclosure of unsecured PHI is presumed to be a reportable breach unless a documented risk assessment demonstrates a low probability that the PHI has been compromised, so the analysis must be performed and recorded even when the conclusion is that no notification is required. If the breach is reportable under federal or state law, Alston & Bird can assist clients with notifying government agencies and individuals as required and with notifying and interacting with the media. And if a breach leads to a government investigation or civil or criminal litigation, Alston & Bird’s government investigations and litigation team has significant experience with health information breaches and can assist clients in resolving such matters as expeditiously and favorably as possible.
Relevant experience includes:
- Advise clients in connection with a hacking/IT incident experienced by a major health insurance company that served as the third-party administrator of their employer-sponsored group health plans.
- Represent an academic medical center in connection with a breach arising from the loss of electronic media.
- Advise clients, including health care providers, health plans and health insurance companies, on breach notification issues and on responding to HHS/OCR investigative inquiries.
- Advised a hospital on breach response issues in connection with a third party’s sophisticated hacking incident that went undetected for a period of time.
- Advised clients, including a hospital, a health care service provider, an employer/group health plan sponsor, and an insurer on incidents and/or breaches arising from lost or stolen laptop computers and other mobile devices.
- Advised a physician group on addressing a potential breach arising from misdirected faxes and several business associate clients on potential breaches arising from packages lost, damaged, or misdirected in the shipment process.
- Advised a hospital, as well as other clients, on incidents involving inappropriate access to the medical records of celebrity patients and the posting of pictures containing PHI to social media outlets.
- Advised a hospital regarding an attempt by a business associate’s employee to sell PHI.
The HIPAA Rules (and their state-level equivalents) are complicated, and the potential penalties for mistakes can be steep. Alston & Bird’s expertise in the area enables clients to successfully navigate these complexities.
Alston & Bird lawyers routinely advise clients on HIPAA privacy, security and breach issues, whether the client is a HIPAA-covered entity, a business associate or a research or other organization that seeks to obtain health information from a covered entity. Our attorneys regularly deal with HHS/OCR.
We are experienced in developing HIPAA privacy and security compliance plans for clients, and we work with client personnel in legal, compliance and IT/technical roles to educate them on HIPAA requirements and to ensure that such compliance plans are consistent with our client’s culture and fully integrated into its existing information security program.
We have expertise in devising comprehensive HIPAA training programs, as well as programs narrowly tailored to meet the training needs of specific employees with limited health care-related functions—and various iterations in between.
Relevant experience includes:
- Counseled a for-profit corporation on compliance with HIPAA and state health and financial data security laws in 48 states after potential theft of 50,000 patient records. Successfully represented the client in the corresponding government investigation.
- Developed a comprehensive HIPAA Privacy and Security Compliance Program for state hospital associations and various health care providers and health plans, including the preparation of compliance manuals containing all required policies and procedures, all form documents, Internet-based training programs and monthly teleconference presentations, as well as staffing a HIPAA compliance hotline. Also developed comprehensive HIPAA Privacy and Security Compliance Programs for other clients, including several financial institutions and a transportation/package shipping company that ships medical products and devices.
- Advise national health care clearinghouses and a physician practice billing and management company on their respective compliance with HIPAA Privacy, Security and Transactions and Code Set Rules. Advise health insurance companies, including a national health insurer and many other health care entities, on compliance with HIPAA Rules, including the Privacy Rule.
- Advised clients, including a medical device manufacturer/distributor, a health plan and a pharmacy benefits manager, on compliance with the HIPAA Privacy Rule requirements on marketing, including the exemptions from the marketing requirements. Also advised a client on the marketing and sale of health information under HIPAA and the laws of several states.
- Advised a client on options for organizational structures for related companies (business associate, organized health care arrangement, affiliated covered entity) to maximize client flexibility with respect to compliance with HIPAA Privacy and Security Rules.
- Advise clients, including a national package carrier, on compliance with privacy requirements through agreements with customers that are subject to the HIPAA Rules.
Transaction Due Diligence
Alston & Bird’s corporate transactions lawyers routinely draw on the expertise of our health information privacy and security lawyers to conduct HIPAA/HITECH Act due diligence and support client transactions involving health care entities or service providers. Working in tandem with our health information privacy and security lawyers, we are able to assess and contain the risk associated with transactions involving HIPAA covered entities, business associates, technology companies and other entities that hold protected health information.
Government Investigations & Litigation
Alston & Bird has decades of experience supporting national and international clients in health information technology and privacy litigation, including significant data breach investigations. Our health information privacy and security lawyers advise and represent clients in responding to OCR investigations and administrative enforcement proceedings involving the Privacy, Security and Breach Notification Rules. Our government investigations lawyers regularly advise health information technology companies, hospitals, physicians, payers and other HIPAA-covered entities in protecting the health information privacy of patients and customers, including in response to subpoenas, requests for production, search warrants and motions to compel. In doing so, we utilize Alston & Bird’s expertise in HIPAA, the federal alcohol and drug abuse confidentiality regulations (42 C.F.R. Part 2) and the various state laws that protect certain diagnoses (e.g., HIV, AIDS, mental health, alcohol/drug treatment, developmental disabilities), as well as state laws that protect certain communications (e.g., privileges for psychiatrists, psychologists, social workers and therapists). Our lawyers also represent clients in criminal investigations conducted by the U.S. Department of Justice (DOJ) concerning alleged HIPAA violations.
Relevant experience includes:
- Represented a large plan sponsor in a review by OCR and DOJ into whether the benefits personnel at the plan sponsor impermissibly listened to calls by health coaches and used that information in employment decisions for the sponsor’s employees. The investigation was formally dropped as a result of Alston & Bird’s efforts.
- Represented a large hospital in Georgia in a voluntary self-disclosure regarding medical records that were inadvertently published to the Internet by the hospital’s medical transcription vendor, mitigating follow-on litigation liability.
- Represented a large pharmacy in a class action complaint alleging the pharmacy’s transfer of its customers’ prescription records to another pharmacy violated their right to privacy.
- Represented a hospital in response to a complaint submitted to HHS alleging noncompliance with the HIPAA Privacy Rule. The HHS investigation successfully resolved without sanctions.
Alston & Bird’s health information privacy and security team is part of its Privacy & Security Group, which has been nationally ranked in Chambers USA: America’s Leading Lawyers for Business for seven straight years and globally ranked by Chambers for four straight years, as well as part of Alston & Bird’s Health Care Group, which is nationally ranked by Chambers. Our attorneys are recognized leaders and bring a unique and practical results-oriented perspective to client issues. These Alston & Bird attorneys include:
- a former deputy general counsel and acting general counsel of HHS;
- a former senior counsel to the assistant attorney general for the Civil Division who, in 2003, served as senior counsel to the associate attorney general;
- an attorney who authored a HIPAA article cited by the Georgia Supreme Court on ex parte interviews and qualified protective orders under the HIPAA Privacy Rule;
- one of “America's Leading Lawyers” for information technology matters; and
- one of the “Best Lawyers in America” regarding group health plans, HIPAA privacy and health benefit issues.
Bringing Value to Our Clients
Alston & Bird communicates with clients on the front end regarding how best to staff a matter, ranging from a single attorney to a multidisciplinary team when necessary and appropriate, depending on the issues involved. Our expertise means we are already familiar with the laws and issues, and that expertise translates into value for clients across the board, whether they are large or small, for-profit or nonprofit.