The explosion of digital data, along with the proliferation of technology, devices and other health care innovations, has created a multilayered range of privacy and data security issues in the health care industry. Polsinelli’s multidisciplinary Health Information Privacy & Security group brings together attorneys across the firm focusing on the areas of privacy, security, technology and litigation, who understand the value of your health-related data and are adept at assisting clients in maximizing the benefits of that data while minimizing and responding to ever-changing threats and risks.
Our team has deep experience in the full breadth of privacy/security-related laws and regulations impacting the health care industry, including HIPAA, FERPA, federal laws and regulations governing the confidentiality of alcohol and drug use treatment records, state privacy/security laws related to the confidentiality of health information (including mental health, HIV/AIDS and genetic information), and international privacy laws impacting data use and transfers, including, without limitation, the EU General Data Protection Regulation (GDPR) and similar laws in other countries outside the U.S.
Attorneys in the practice have the skills to advise you on complex data-sharing arrangements, data protection strategies, and security incident or data breach response plans. Our team includes:
- A former Acting Deputy Director and Senior Advisor for HIPAA Compliance and Enforcement for the Office for Civil Rights (OCR) who was responsible for the growth of the HIPAA Enforcement program from 2012 to 2017 and who is a Certified Information Systems Security Professional (CISSP)
- A former Office for Civil Rights (OCR) attorney who assisted in conducting OCR Phase I audits, drafting the 2013 Final Rule and performing OCR breach investigations with a particular focus on breaches affecting 500 or more individuals
- A former OCR attorney who assisted in drafting and negotiating settlement agreements and served as the lead investigator of several high-profile investigations, including one of OCR’s largest settlements to date
- Attorneys who have obtained the Certified Information Privacy Professional-U.S. designation (CIPP/US) and the CIPP-Europe (CIPP/E) from the International Association of Privacy Professionals
- Litigators who have appeared in state and federal courts around the country related to health care data privacy and security issues
- Former in-house counsel who understand business realities and the need to provide practical guidance accurately, quickly and efficiently
- Technology lawyers who understand your electronic systems and can work with your IT team to address security issues, including cyber-attack avoidance and response
Our recent rankings include national recognition from Chambers USA: America's Leading Lawyers for Business in Privacy & Data Security: Healthcare, 2023.
We offer a diverse range of comprehensive services to health care clients, including:
- Advising on structuring complex data sharing arrangements to overcome restrictions on sharing for purposes of clinically integrated networks, via health information exchanges and for marketing, among other purposes
- Structuring privacy and security compliance programs and facilitating risk management
- Assisting with incident response and breach reporting, including counseling on OCR compliance reviews, HIPAA audits or other government investigations
- Advising on mobile devices, wearables and other digital products, including advising on privacy by design in the product development stage, conducting data protection impact assessments and reviewing website applications and devices for HIPAA and international privacy law compliance
- Assisting in litigation matters, including civil lawsuits and class actions alleging violations of privacy or security under various federal and/or state laws and representation in TCPA actions
- Advising on transactions/due diligence, including drafting appropriate representations and warranties on privacy and security-related matters and reviewing HIPAA and other privacy-related policies and procedures, security risk analyses and risk management plans, business associate agreements, data processing agreements, breach logs, and other key documentation to evaluate compliance and assess risk
- Assisting with HIPAA compliance for clients’ group health plans and advising on the unique privacy and security issues beyond HIPAA implicated by wellness programs and employer-sponsored clinics, including state privacy laws and occupational health laws and regulations
