Our team is one of the nation's leaders in the area of information privacy and security issues for the health care industry. We serve as privacy and information security counsel to hospitals, health systems, clinics, pharmacies and ancillary service providers. We also represent vendors, including electronic and personal health record vendors and health care clearinghouses, on HIPAA, privacy and information security matters.

We work closely with clients to minimize exposure and reduce risks through compliance counseling and policy development. Our lawyers have experience untangling the web of federal, state and international data security regulations and handle complex litigation in jurisdictions throughout the United States. Should a data breach occur, we assist clients with investigations that identify the cause of the breach and a coordinated response, including remediation plans to prevent similar incidents in the future.

We counsel clients on compliance issues raised by the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), Children’s Online Privacy Protection Act (COPPA), Telephone Consumer Protection Act (TCPA), CAN-SPAM Act and Junk Fax Prevention Act, as well as other federal, state and international privacy laws impacting health industry participant operations.

HIPAA, Privacy and Information Security

Our HIPAA, Privacy and Information Security team assists clients with their information privacy and security needs, including counseling, breach readiness and response, and privacy and data security litigation.


We help clients craft effective data security policies and procedures, provide training for client personnel and help implement data retention and privacy programs that fit their operational structure. We also draft and negotiate contracts to ensure compliance with applicable laws and regulations, including those related to cross-border data transfers.

Representative engagements include:

  • Perform gap analyses with respect to HIPAA/HITECH compliance and work with our clients to create policies and procedures and training programs that assure implementation of best practices.
  • Provide on-going compliance advice to several academic medical centers and clinical research organizations under federal and state privacy laws pertaining to clinical research, HR and marketing activities. We also develop privacy policies and standard operating procedures in specific functional areas and prepare training materials for company personnel.
  • Assisted several health systems with their roll-out of electronic medical record systems, both within their systems and with third parties, as they grow into the role of EMR vendor, as well as with their creation of and affiliation with health information exchanges. We provide ongoing advice on technical and operational matters to health care providers and health information organizations, including licensing, contracting, training and development and refinement of policies and procedures.
  • Advised telehealth providers on the website and HIPAA privacy requirements with respect to personal health information transmitted to and through the sites.
  • Helped to form and served as general counsel to a software developer of a leading personal health record. We assisted the company in developing and implementing its privacy and security strategy and with contracting, policies, procedures and on-going operations as well as the expansion of its business model. We later sold the company to a publicly traded technology vendor.

Breach Readiness and Response

When potential data security breaches arise, we work with health care clients from the outset to develop a successful strategy that will reduce risks and exposure. From malware attacks to lost laptops, we assist clients in conducting a thorough investigation to identify the cause of the breach. We also develop and implement remediation plans to prevent similar incidents from occurring in the future. Our team has a network of relationships with forensic experts and cyber-liability insurers, and we advise clients on appropriate notifications to patients and regulatory agencies and steps to mitigate the short-term and long-term impact of the breach. We also represent clients in any civil or criminal proceedings that may arise.

Representative engagements include:

  • Serve as privacy compliance counsel to numerous HIPAA-covered entities and routinely assist with the investigation, assessment, documentation and reporting of breaches of protected health information. We have reviewed breach notification requirements in all 50 states and are well-versed in best practices for mitigation of harm.
  • Advised a leading U.S. software developer regarding an investigation into a security breach and remediation efforts, including the notification of affected customers and security policy upgrades.
  • Advised a nationally-known charitable institution regarding an audit of its security system/practices and upgrading of that system and policies.

Privacy and Data Security Litigation

When lawsuits are filed or threatened, our lawyers know how to effectively and efficiently manage complex class actions brought by individuals who may have been the subject of a privacy breach, enforcement proceedings brought by federal or state regulatory authorities and commercial disputes.

Representative engagements include:

  • Supervised an investigation of an incident involving the data system of a large Mid-Atlantic health care system; the investigation concluded that no breach had occurred. We worked with the client to upgrade its information systems, formulate new data security protocols and implement them throughout the new systems.
  • Oversaw review of Fortune 200 pharmaceutical company’s new data security policies and procedures to accommodate new health care data reporting services under the applicable U.S. and EU statutes and regulations.
  • Supervised investigation for Fortune 200 medical device and health care company into a data breach involving patient treatment information. Assisted the client in complying with applicable notification statutes and working with forensic investigators to identify the source of the breach and to rectify the system defect.
  • Supervised investigation for large Mid-Atlantic not-for-profit foundation into data breaches involving student scholarship information. Assisted client in complying with applicable notification statutes and worked with forensic investigators to identify the source of breaches and rectify the system defects.
