Breach Response and Notification
Managing and responding to a health information breach incident can be a complicated endeavor, especially when the breach is associated with a crisis for the client. It requires expertise in both federal and state laws—whether general breach notification laws or those specific to the health care industry—as well as in incident management and response. Alston & Bird’s HIPAA/Health Information Privacy, Security & Breach Response Team and its Cybersecurity Preparedness & Response Team bring a unique combination of skills—knowledge of the laws governing health information breaches and security incident/crisis management and response experience—to assist clients in managing and responding to a health information breach. Our team has a command of analyzing privacy and security incidents, including anticipating the likely perspective of HHS, the agency that issues and enforces HIPAA regulations.
Alston & Bird advises clients when there is an inadvertent or malicious breach of health information, including identifying immediate, proactive steps to mitigate potential harm. We recognize that no breach is the same, and we tailor our advice to the size and scope of the incident and its potential impact on our client. From physician group practices and small hospital providers to large for-profit companies, and from covered entities to business associates, we have navigated companies through the various federal and state laws on privacy and security breaches of health and financial data.
Not all incidents are reportable under federal and state laws, and legal expertise is crucial in making that determination. If the breach is reportable under federal or state law, Alston & Bird can assist clients with notifying government agencies and individuals as required and notifying/interacting with the media. And if a breach leads to a government investigation or civil or criminal litigation, Alston & Bird’s government investigations and litigation team has significant experience with health information breaches and can assist clients in resolving such matters as expeditiously and favorably as possible.
Regulatory Compliance
The HIPAA rules (and their state-level equivalents) are complicated, and the potential penalties for mistakes can be steep. Alston & Bird’s strength in the area enables clients to navigate these complexities.
We have developed HIPAA privacy and security compliance plans for clients and work with client personnel in legal, compliance, and IT/technical capacities to educate them on HIPAA requirements and ensure that compliance plans are consistent with our client’s culture and fully integrated into their existing information security program.
We have devised comprehensive HIPAA training programs, as well as programs narrowly tailored to meet the training needs of specific employees with limited health-care-related functions—and various iterations in between.
Transaction Due Diligence
Alston & Bird’s corporate transactions lawyers routinely draw on the knowledge of our health information privacy and security lawyers to conduct HIPAA and HITECH Act due diligence and support client transactions involving health care entities or service providers. Working in tandem with our health information privacy and security lawyers, we are able to assess and contain risk associated with transactions involving HIPAA-covered entities, business associates, technology companies, and other entities that hold private and secure health information.
Government Investigations & Litigation
Alston & Bird has decades of experience supporting national and international clients on health information technology and privacy litigation, including significant data breach investigations. Our health information privacy and security lawyers advise and represent clients responding to OCR investigations and administrative enforcement proceedings involving the Privacy, Security, and Breach Notification Rules. Our government and investigations lawyers regularly advise health information technology companies, hospitals, physicians, payers, and other HIPAA-covered entities protecting the health information privacy of patients and customers, including in response to subpoenas, requests for production, search warrants, and motions to compel. We utilize Alston & Bird’s background in HIPAA, federal alcohol and drug abuse confidentiality regulations, and various state laws that protect certain diagnoses (e.g., HIV, AIDS, mental health, alcohol/drug treatment, genetic testing, developmental disabilities), as well as state laws that protect certain communications (e.g., privileges for psychiatrists, psychologists, social workers, and therapists). Our lawyers also represent clients in criminal investigations conducted by the U.S. Department of Justice (DOJ) concerning alleged HIPAA violations.