Matters

Government Investigations/Enforcement Actions

  • Following a four-year OCR investigation, negotiated a resolution agreement and corrective action plan with OCR on behalf of a large health system arising out of a breach involving thousands of patients. Negotiated a substantial reduction to the settlement amount OCR initially proposed and established favorable corrective action plan terms for the client.
  • Assisted a physician practice in investigating a complicated ransomware attack, including hiring a forensic analyst on a privileged basis to determine the scope of the attack and whether there was evidence of exfiltration or of malware left on the system. We also analyzed whether the attack rose to the level of a reportable breach, taking into account OCR’s recent guidance on ransomware attacks.
  • Assisted a university/academic medical center client in responding to and successfully obtaining a determination from OCR to close, without imposition of penalties, its investigation of the client arising out of a lost laptop containing the PHI of thousands of patients. In addition, we successfully challenged the scope of an OCR document request.
  • Assisted a large hospital in successfully responding to a phishing attack that impacted over a thousand patients. As part of the representation, a security consultant was engaged on a privileged basis to pinpoint the attack’s scope and identify the appropriate mitigation and corrective action steps. Assisted the client in responding to the subsequent OCR investigation, which included responding to initial and follow-up questions and document requests and ultimately resulted in OCR closing the investigation without imposing any penalties against the client.
  • Represented a physician practice in connection with the theft of a desktop computer containing PHI of thousands of patients. Assisted the client through the investigation, breach reporting process, remediation/mitigation efforts and successfully obtained a determination from OCR to close, without penalties, its investigation based on jurisdictional grounds.
  • Assisted a large hospital client in obtaining closure, without penalties, of an OCR investigation stemming from a breach that occurred at the business associate level involving electronic PHI of thousands of patients. Counseled the client through all aspects of the breach, including assisting the client in its investigation of the breach and the business associate’s actions, making the required notifications and preparing its response to the OCR investigation and document request, which ultimately resulted in OCR closing the investigation as to the client.
  • Successfully convinced the California Department of Public Health to withdraw a penalty notice and close out an investigation into a national provider client in connection with a theft of patient information from an employee’s car.

OCR HIPAA Audit Preparation

  • Assisted a national hospice client who received notification from OCR of a pending HIPAA audit in preparing for the audit, including reviewing the client’s privacy and security policies, procedures and processes for compliance gaps and providing recommendations for improvement.
  • Analyzed the HIPAA practices of a provider with locations in all 50 states against the OCR audit protocol.
  • Analyzed a large hospital’s HIPAA policies and procedures and revised the policies to incorporate issues highlighted in the OCR audit protocol.

Global Privacy Program Development & Implementation

  • Assisted multinational health care companies with development and implementation of their global privacy programs, including data mapping to meet requirements under privacy laws such as GDPR and CCPA, preparation and implementation of policies and procedures, and development of template privacy notices, consents and data processing agreements, among others.
  • Supported product teams in compliance with international privacy requirements as necessary to support successful product launches.

HIEs, CINs & Structuring Complex Data Sharing Arrangements

  • Guided a statewide health information exchange (HIE) through its formation, governance and consent model. Assisted the client by developing participation agreements, policies and procedures, and by advising on ongoing operational issues. Work included analyzing various state law issues that impacted the consent model, as well as interfacing with various health care provider participants and the state Medicaid program.
  • Advised a large health care system that operates in several states on the creation and implementation of a private HIE. Created agreements, policies and procedures and worked with internal business departments on desired data use scenarios.
  • Assisted a client offering HIE and data analytics services in multiple states, including advising on state information privacy and health information exchange laws, HIPAA and 42 CFR Part 2 preemption issues, and consent models in multiple states, and preparing corresponding participation agreements and operating policies and procedures.

Security & Technology, Health Information Systems

  • Assisted a client through the privacy and security compliance considerations and operational issues in operating and offering a shared electronic health record platform to unaffiliated community providers.
  • Assisted a large health system in implementing its patient portal, including drafting terms of use, privacy policy, etc.
  • Regularly worked with security consultants (or hired security consultants on a privileged basis) on behalf of health care clients to perform security assessments, including enterprise-wide risk analyses, penetration testing, forensic analysis, etc.

Marketing Initiatives, Including Online Activities

  • Worked closely with a number of provider clients on privacy/security aspects of website retargeting campaigns, including reviewing and revising website privacy policies to make sure the language is “clear and conspicuous” under the FTC standards and in compliance with state laws.
  • Advised a large hospital client on various privacy and security laws (including HIPAA, the FTC’s Telemarketing Sales Rule and the FCC’s TCPA) in providing appointment reminders through automated/prerecorded voice and text communications.
  • Regularly advised provider clients on privacy and security issues relating to marketing initiatives, including restrictions under HIPAA, the TCPA, CAN-SPAM and various state laws, such as California’s Confidentiality of Medical Information Act (CMIA).

Big Data Use & Analytics, Assisting with De-Identification

  • Advised an international provider on its big data analytics strategy, including addressing HIPAA and international data transfer issues as well as data governance rules.
  • Worked closely with statisticians to prepare determinations of de-identification for provider clients so the clients could report data to manufacturers and other third parties.
  • Regularly reviewed contracts and data reporting provisions for health care clients to determine if the proposed reporting meets the de-identification requirements.

Clinical Research Issues

  • Assisted a large hospital in creating a data warehouse and tissue bank for research. Representation included advising on HIPAA and state privacy and security requirements, structuring appropriate use cases, and addressing data ownership issues.
  • Advised a large academic medical center acting as a coordinating center in an international clinical trial on compliance with US and international privacy and security requirements.
  • Advised a national nonprofit organization on the state privacy law requirements impacting its informed consent/authorization form and secondary uses of data.
  • Assisted research study sponsors in addressing data privacy issues with multi-center international clinical trials.

Transactions, Due Diligence on Privacy, Security Issues

  • After discovering through due diligence that a target provider had been the subject of a ransomware attack affecting its electronic systems, counseled the potential buyer (a large health system) on the scope of the attack and how to evaluate and address the risks in moving forward with the transaction.
  • Assisted a national provider in evaluating and quantifying risk in moving forward with an acquisition of a multi-location physician practice that lacked a HIPAA privacy/security program. Work included drafting contractual protections and identifying pre- and post-closing steps to address significant risks.
  • Reviewed over 50 business associate agreements on behalf of a client purchasing a business associate to evaluate HIPAA compliance and the assignment provisions and to determine whether off-shoring of PHI was prohibited.