Health Law

Privacy & Security – HIPAA Compliance

Health care privacy and security issues arise every day in connection with normal business operations, simple contracting issues, corporate transactions, and domestic and international business operations. They can present significant risk management issues and, in the worst case, state and federal breach notification obligations. Running afoul of federal and state privacy and security laws, can lead to your company being subject to government investigation, criminal and civil liability, seven-figure fines, and incalculable reputation damage.

Our Health Law attorneys are deeply involved in this ever-changing area of law. We have extensive, cross-disciplinary experience in the growing range of health care privacy and security laws, including the HIPAA Privacy and Security Rules, the HITECH provisions of the American Recovery and Reinvestment Act of 2009 (ARRA), the privacy provisions of the Communications Act, the Gramm-Leach-Bliley Act, the European Union Data Directive, state privacy and state data breach laws, and the evolving body of privacy-related common law.

We counsel our clients on strategic and tactical responses to federal and state legislative and regulatory developments in health care privacy and security. Our clients include health care providers and suppliers, pharmaceutical and medical device manufacturers, investors, IT vendors and health IT companies, web hosting companies, Health Information Exchanges (HIEs), and a wide variety of companies that incur regulatory and compliance obligations by providing services to the health care industry. We defend our clients in civil and criminal HIPAA enforcement actions. We also regularly handle state and federal litigation involving the privacy and security of health information data, including class action lawsuits prompted by data breaches.

To ensure our clients receive up-to-the-minute privacy and security news and analysis, we maintain a blog known as Privacy & Security Matters. In addition, our Health Law & Policy Matters blog also regularly reports on privacy and security developments specific to the health care industry.

Representative Experience

  • Advised multiple health information technology service providers on compliance with new regulatory obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
  • Designed, implemented, and delivered an employee privacy and security training program for a specialty physician practice under investigation by the Department of Justice.
  • Counseled a hospital following the loss of paper-based mental health records on mitigation of harm, reporting to patients and regulatory authorities, and negotiation with state authorities following disclosure of the incident.
  • Served as counsel to a health care provider on the investigation and mitigation of a data breach involving more than 20,000 patients of a large hospital.
  • Assisted a biotech company on the acquisition and use of national and international clinical data to build a data repository to support research and development activities.
  • Represented a US-based pharmaceutical company with the establishment of an international data registry to support clinical research
  • Part B News Tell Gun-Toting Patients That New HIPAA Gun Rule Isn’t about Them Dianne J. Bourque is quoted in this article.
  • Medical Practice Insider Dangers Lurking in the EHR Cloud Dianne J. Bourque
  • Health IT Security Preparing HIPAA BAs, Subcontractors for 2014 OCR Audits Dianne J. Bourque quoted discussing what covered entities and  business associates should expect if they are audited by the Office for Civil Rights.
  • Healthcare Risk Management OMG! How Many of Our Hard Drives Are Out There? Dianne J. Bourque is quoted discussing the potential HIPAA violations associated with photocopier hard drives.
  • Healthcare Risk Management Photocopiers Seen as HIPAA Risk After $1.2 Million Payout Dianne J. Bourque discusses Affinity Health Plans settlement for breaching HIPAAA regulations.
  • Health IT Security One Month Until HIPAA Omnibus Compliance: Current Trends Dianne J. Bourque is quoted discussing the upcoming deadline which requires all healthcare organizations to be compliant with the HIPAA omnibus rule.
  • Reuters Lawyers Debate Impact of Obama HIPAA Initiative on Gun Control Dianne J. Bourque discussing whether the Health Insurance Portability and Accountability Act (HIPAA) is inhibiting states from reporting the mentally ill to a gun control database.
  • HealthITSecurity HIPAA Omnibus Rules Already Influencing Covered Entities Dianne J. Bourque discusses how the new rules have already begun impacting covered entities and BAs alike since they took effect in January.
  • Health IT Security Will HIPAA Omnibus Subcontractor Rules Reduce Data Breaches? Dianne J. Bourque is quoted discussing the implications of the new HIPAA Omnibus rule.
  • InsideHealthPolicy.com Final HIPAA Final Rule Stricter than Interim Regulation on Data Protection Dianne J. Bourque is quoted discussing the recently released  final HIPAA Omnibus rule.
  • Associated Press Medical Privacy Rules Get an Update Dianne J. Bourque discusses the increased privacy protections under the new HIPAA Omnibus rule.
  • AMN Healthcare What 2013 Holds for the Healthcare Workforce Dianne J. Bourque is quoted discussing the impact that the new HITECH provisions will have on the health care industry.
  • PhysBizTech Concerns Raised about Stage 2 Measures beyond Physicians’ Control Dianne J. Bourque is quoted discussing the Stage 2 meaningful use final rule.
  • Search HealthIT Impact of Stage 2 Meaningful Use Rules to be Big, But Surprises are Few Dianne J. Bourque is quoted discussing the finalized Stage 2 meaningful use rules. Ms. Bourque explains that the rule that extends the deadline for meeting the requirements of Stage 2 will be beneficial to the health care industry.
  • Computerworld Feds Give Break in Electronic Health Records Dianne J. Bourque is quoted discussing the final electronic health records (EHR) certification criteria for Stage 2 of Meaningful Use.

Past