Health Law

Privacy & Security – HIPAA Compliance

Health care privacy and security issues arise every day in connection with normal business operations, simple contracting issues, corporate transactions, and domestic and international business operations. They can present significant risk management issues and, in the worst case, trigger state and federal breach notification obligations. Running afoul of federal and state privacy and security laws can lead to your company being subject to government investigation, criminal and civil liability, seven-figure fines, and incalculable reputational damage.

Our Health Law attorneys are deeply involved in this ever-changing area of law. We have extensive, cross-disciplinary experience in the growing range of health care privacy and security laws, including the HIPAA Privacy and Security Rules, the HITECH provisions of the American Recovery and Reinvestment Act of 2009 (ARRA), the privacy provisions of the Communications Act, the Gramm-Leach-Bliley Act, the European Union Data Directive, state privacy and state data breach laws, and the evolving body of privacy-related common law.

We counsel our clients on strategic and tactical responses to federal and state legislative and regulatory developments in health care privacy and security. Our clients include health care providers and suppliers, pharmaceutical and medical device manufacturers, investors, IT vendors and health IT companies, web hosting companies, Health Information Exchanges (HIEs), and a wide variety of companies that incur regulatory and compliance obligations by providing services to the health care industry. We defend our clients in civil and criminal HIPAA enforcement actions. We also regularly handle state and federal litigation involving the privacy and security of health information data, including class action lawsuits prompted by data breaches.

To ensure our clients receive up-to-the-minute privacy and security news and analysis, we maintain a blog known as Privacy & Security Matters. In addition, our Health Law & Policy Matters blog regularly reports on privacy and security developments specific to the health care industry.

Representative Experience

  • Advised multiple health information technology service providers on compliance with new regulatory obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
  • Designed, implemented, and delivered an employee privacy and security training program for a specialty physician practice under investigation by the Department of Justice.
  • Counseled a hospital following the loss of paper-based mental health records on mitigation of harm, reporting to patients and regulatory authorities, and negotiation with state authorities following disclosure of the incident.
  • Served as counsel to a health care provider on the investigation and mitigation of a data breach involving more than 20,000 patients of a large hospital.
  • Assisted a biotech company on the acquisition and use of national and international clinical data to build a data repository to support research and development activities.
  • Represented a US-based pharmaceutical company with the establishment of an international data registry to support clinical research.

  • CISO Executive Network Security Innovation Meeting Boston, MA