HIPAA/Health Information Privacy, Security & Breach Response

Health care providers, clearinghouses, health plans, and their business associates face rigorous requirements under federal and state laws to protect health information. You need practical advice on how to manage the compliance, risk management, and litigation issues involved in the cutting-edge world of protected health information (PHI).

Alston & Bird sits at the forefront of national law firms advising clients on health information privacy, security, and breach notification issues under federal and state laws. We have advised our clients on Health Insurance Portability and Accountability Act (HIPAA) health information privacy, as well as security and breach issues, and developed HIPAA compliance plans. We have significant experience under HIPAA and Health Information Technology for Economic and Clinical Health Act (HITECH) and state health privacy laws, advising and representing clients in U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigations, civil and criminal enforcement actions, and private health information litigation. We help clients navigate these difficult issues, including identifying real strategies to achieve compliance and helping them manage a breach crisis if one occurs.

You need a firm with a command of the issues and the capability to guide you through a crisis and the labyrinth of laws you’ll face: the federal HIPAA, Genetic Information Nondiscrimination Act (GINA), and HITECH Act—and state laws such as California’s Confidentiality of Medical Information Act (CMIA). HHS has adopted Privacy, Security, Breach Notification, and Enforcement Rules that:

Require protection of the privacy, security, and confidentiality of PHI, including electronic PHI.
Limit uses and disclosures of PHI.
Give individuals certain rights over their PHI.
Require notification of individuals, HHS, and the media of certain breaches of PHI.
Permit HHS to conduct investigations and audits, plus impose sanctions.

Breach Response and Notification

Managing and responding to a health information breach incident can be a complicated endeavor, especially when the breach is associated with a crisis for the client. It requires expertise in both federal and state laws—whether general breach notification laws or those specific to the health care industry—as well as in incident management and response. Alston & Bird’s HIPAA/Health Information Privacy, Security & Breach Response Team and its Cybersecurity Preparedness & Response Team bring a unique combination of skills—knowledge of the laws governing health information breaches and security incident/crisis management and response experience—to assist clients in managing and responding to a health information breach. Our team has a command of analyzing privacy and security incidents, especially the likely perspective of HHS, the agency that issues and enforces HIPAA regulations.

Alston & Bird advises clients when there is an inadvertent or malicious breach of health information, including identifying immediate, proactive steps to mitigate potential harm. We recognize that no breach is the same, and we tailor our advice to the size and scope of the incident and its potential impact on our client. From physician group practices and small hospital providers to large for-profit companies, and from covered entities to business associates, we have navigated companies through the various federal and state laws on privacy and security breaches of health and financial data.

Not all incidents are reportable under federal and state laws, and legal expertise is crucial in making that determination. If the breach is reportable under federal or state law, Alston & Bird can assist clients with notifying government agencies and individuals as required and notifying/interacting with the media. And if a breach leads to a government investigation or civil or criminal litigation, Alston & Bird’s government investigations and litigation team has significant experience with health information breaches and can assist clients in resolving such matters as expeditiously and favorably as possible.

Regulatory Compliance

The HIPAA rules (and their state-level equivalents) are complicated, and the potential penalties for mistakes can be steep. Alston & Bird’s strength in the area enables clients to navigate these complexities.

We have developed HIPAA privacy and security compliance plans for clients and work with client personnel in legal, compliance, and IT/technical capacities to educate on HIPAA requirements and ensure that compliance plans are consistent with our client’s culture and fully integrated into their existing information security program.

We have devised comprehensive HIPAA training programs, as well as programs narrowly tailored to meet the training needs of specific employees with limited health-care-related functions—and various iterations in between.

Transaction Due Diligence

Alston & Bird’s corporate transactions lawyers routinely draw on the knowledge of our health information privacy and security lawyers to conduct HIPAA and HITECH Act due diligence and support client transactions involving health care entities or service providers. Working in tandem with our health information privacy and security lawyers, we are able to assess and contain risk associated with transactions involving HIPAA-covered entities, business associates, technology companies, and other entities that hold private and secure health information.

Government Investigations & Litigation

Alston & Bird has decades of experience supporting national and international clients on health information technology and privacy litigation, including significant data breach investigations. Our health information privacy and security lawyers advise and represent clients responding to OCR investigations and administrative enforcement proceedings involving the Privacy, Security, and Breach Notification Rules. Our government and investigations lawyers regularly advise health information technology companies, hospitals, physicians, payers, and other HIPAA-covered entities protecting the health information privacy of patients and customers, including in response to subpoenas, requests for production, search warrants, and motions to compel. We utilize Alston & Bird’s background in HIPAA, federal alcohol and drug abuse confidentiality regulations, and various state laws that protect certain diagnoses (e.g., HIV, AIDS, mental health, alcohol/drug treatment, genetic testing, developmental disabilities), as well as state laws that protect certain communications (e.g., privileges for psychiatrists, psychologists, social workers, and therapists). Our lawyers also represent clients in criminal investigations conducted by the U.S. Department of Justice (DOJ) concerning alleged HIPAA violations.

Breach Response and Notification

Assisted financial services companies, health care providers, and insurance companies in their incident response efforts and follow-on regulatory inquiries, including three of the largest HIPAA data breaches in 2018.
Advising clients on a hacking/IT incident experienced by a major health insurance company that served as the third-party administrator of their employer-sponsored group health plans.
Representing an academic medical center in connection with a breach arising from the loss of electronic media.
Advised a hospital on breach response issues in connection with a third party’s sophisticated hacking incident that went undetected for a period of time.
Advised clients, including a hospital, health care service provider, employer/group health plan sponsor, and insurer, on incidents and/or breaches arising from lost or stolen laptop computers and other mobile devices.
Advised a physician group on addressing a potential breach arising from misdirected faxes and several business-associate clients on potential breaches arising from packages lost, damaged, or misdirected in the shipment process.
Advised a hospital, as well as other clients, on incidents involving inappropriate accessing of the medical records of celebrity patients and the posting of pictures containing protected health information (PHI) to social media outlets.
Advised a hospital on an attempt by a business associate’s employee to sell PHI.

Regulatory Compliance

Assisted a health care system with conducting a HIPAA and state-law analysis assessing potential reporting obligations following an extensive cyber intrusion involving large amounts of data. When reporting obligations were identified, assisted with wording and transmittal of required notices, plus FAQs to be used by the health care system’s call center.
Counseled a for-profit corporation on compliance with HIPAA and state health and financial data security laws in 48 states after the potential theft of 50,000 patient records. Represented the client in the corresponding government investigation.

Developed comprehensive HIPAA privacy and security compliance programs for state hospital associations and various health care providers and health plans, including the preparation of forms, compliance manuals that contain all required policies and procedures, Internet-based training programs, monthly teleconference presentations, and staffing a HIPAA compliance hotline. Also developed comprehensive HIPAA privacy and security compliance programs for other clients, including several financial institutions and a transportation/package shipping company that ships medical products and devices.
Advising national health care clearinghouses and a physician practice billing and management company on their compliance with HIPAA Privacy, Security, and Transactions and Code Set Rules. Advising health insurance companies, including a national health insurer and many other health care entities, on compliance with HIPAA rules.
Advised clients, including a medical device manufacturer/distributor, a health plan, and a pharmacy benefits manager, on compliance with the HIPAA Privacy Rule requirements and limitations on marketing, including possible solutions and strategies. Also advised a client on the marketing and sale of health information scenarios under HIPAA and the laws of several states.
Advised a client on options for organizational structures for related companies (business associate, organized health care arrangement, and affiliated covered entity) to maximize client flexibility in complying with HIPAA Privacy and Security Rules.
Advised clients, including a national package carrier, on compliance with privacy requirements through agreements with customers that are subject to the HIPAA rules.

Government Investigations & Litigation

Advising a health care system on responding to a grand jury subpoena from the Department of Justice (DOJ) and U.S. Attorney’s Office regarding a data privacy breach and on conducting analysis of potential reporting obligations under state law and HIPAA. Assisted with identification, assessment, and handling of an insider threat in the internal investigation.
Represented a large plan sponsor in a review by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and DOJ into whether the benefits personnel at the plan sponsor impermissibly listened to calls by health coaches and used that information in employment decisions for the sponsor’s employees. The investigation was formally dropped as a result of Alston & Bird’s efforts.
Represented a large hospital in Georgia in a voluntary self-disclosure regarding medical records that were inadvertently published to the Internet by the company’s medical transcription vendor, mitigating follow-on litigation liability.
Represented a large pharmacy in a class action complaint alleging that the pharmacy’s transfer of its customers’ prescription records to another pharmacy violated their right to privacy.
Represented a hospital in response to a complaint submitted to HHS alleging noncompliance with the HIPAA Privacy Rule. The HHS investigation was resolved without sanctions.
Represented a physician group in response to a privacy complaint alleging improper disclosure of sensitive lab test results. As a result of new facts discovered during our investigation, the patient withdrew her complaint.
Represented a large health insurer during an HHS investigation to a stolen laptop that was resolved without any corrective actions or sanctions.

Contacts

David C. Keating

Partner

Atlanta

Phone: 404.881.7355

Other Phone: 202.239.3921

Email: david.keating@alston.com

Dawnmarie R. Matlock

Partner

Atlanta

Phone: 404.881.4253

Email: dawnmarie.matlock@alston.com