McDermott is the premier firm for the health care sector and the only health law practice to receive top-tier ratings from The Legal 500 USA, U.S. News-Best Lawyers and Chambers USA. We provide sophisticated counsel to clients on the gamut of health care data privacy and security issues and regularly develop comprehensive health information privacy and security compliance programs for entities regulated by the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH Act) and related state laws.
We routinely conduct, develop or provide health-related:
Customized privacy, security and incident-response policies
Day-to-day compliance counseling
Privacy compliance audits and security risk assessments
Privacy and security incident response guidance
Data and health information technology license agreements
A cornerstone of our health information privacy and security compliance practice is our suite of template HIPAA Materials.
Our lawyers have helped companies successfully resolve all aspects of countless security breaches and other privacy incidents, including hundreds of matters involving protected health information (PHI) under HIPAA. From cyberattacks and malicious insiders to lost laptops, unsecured data and mailing mishaps, we have handled the full spectrum of PHI incidents. We also regularly negotiate settlements and resolution agreements with the HHS Office for Civil Rights (OCR) arising out of complaint investigations and security breach reports, including serving as lead counsel in connection with multiple OCR investigations of breach matters affecting 500 or more individuals.
We are at the forefront of the design, negotiation and implementation of license agreements and other collaborations among health industry stakeholders for the development and deployment of big-data strategies and cutting-edge health IT. Our team provides seamless advice to clients’ privacy and IT professionals by combining our deep understanding of privacy and security laws and our practical experience in the acquisition and implementation of electronic health record (EHR) systems, enterprise-resource planning systems, data-warehouse technology and other IT systems.
Helped a Fortune 100 pharmaceutical and medical technology company identify corporate divisions subject to HIPAA, assessed the divisions’ compliance with HIPAA privacy and security requirements, prepared a health information privacy and security compliance program for the divisions, and assisted the divisions to implement the program and train affected personnel
Developed and assisted with implementation of information-asset-and-practice inventories and a corresponding comprehensive data privacy and security compliance program for not-for-profit and for-profit covered entities and business associates, including the integration of HIPAA compliance requirements and business objectives
Advised a client comprising a health care delivery system and payer on the structuring of its operations to maximize the permissible use of patient information under HIPAA and other applicable laws
Assisted a large emergency medical physician practice with all aspects of its response to a theft from the client’s medical billing agency of a portable hard drive containing medical billing information for more than 175,000 patients from over 50 jurisdictions; our counsel included drafting a template breach notification letter, providing breach reports to OCR and state regulators, developing talking points for call-center operators responding to affected patients, drafting press releases and media notices, pursuing an indemnification claim to the medical billing agency, and responding to OCR’s investigative data requests in a manner that resulted in successful closure of the matter with without penalty from OCR
Represented a regional health services management company in settlement negotiations with OCR with respect to allegations of HIPAA violations
Advised an EHR vendor with the creation and deployment of de-identified health data sets from patient information, including drafting HIPAA de-identification opinions, developing data de-identification policies and procedures, and negotiating agreements with pharmaceutical and biotech companies seeking access to de-identified data sets
Advise a large informatics company on the development of a research data acquisition and analysis platform, including federally and privately sourced data
Represented a health industry consortium of academic medical centers on the formation of a strategic partnership with another leading health industry consortium to provide enhanced data warehouse and data analytical capabilities to health providers across the country