The explosion of digital data, along with the proliferation of technology, devices and other health care innovation has created a multi-layered range of privacy and data security issues in the health care industry. Polsinelli’s multi-disciplinary Health Information Privacy and Security Team brings together attorneys across the firm specializing in the areas of privacy, security, technology and litigation, who understand the value of your health-related data and are adept at assisting clients in maximizing the benefits of that data while minimizing and responding to ever-changing threats and risks.

Our team has deep experience in the full breadth of privacy/security-related laws and regulations impacting the health care industry, including HIPAA, FERPA, federal laws and regulations governing the confidentiality of alcohol and drug abuse treatment records, state privacy/security laws related to the confidentiality of health information (including mental health, HIV/AIDS and genetic information), and international privacy laws impacting data use and transfers.

Attorneys in the practice have the skills to advise you on complex data sharing arrangements, data protection strategies, and security incident or data breach response plans. Our team includes:
  • A former Acting Deputy Director and Senior Advisor for HIPAA Compliance and Enforcement for the Office for Civil Rights (OCR) who was responsible for the growth of the HIPAA Enforcement program from 2012 to 2017, and who is a Certified Information Systems Security Professional (CISSP)
  • A former Office for Civil Rights (OCR) attorney who assisted in conducting OCR Phase I audits, drafting the 2013 Final Rule and performing OCR breach investigations with a particular focus on breaches affecting 500 or more individuals
  • A former OCR attorney who assisted in drafting and negotiating settlement agreements and served as the lead investigator of several high profile investigations, including one of OCR’s largest settlements to date
  • Attorneys who have obtained the Certified Information Privacy Professional-U.S. designation (CIPP/US) from the International Association of Privacy Professionals
  • Litigators who have appeared in state and federal courts around the country related to health care data privacy and security issues
  • Former in-house counsel who understand business realities and the need to provide practical guidance accurately, quickly and efficiently
  • Technology lawyers who understand your electronic systems and can work with your IT team to address security issues, including cyber-attack avoidance and response

We offer a comprehensive range of services to health care clients, including:
  • Advising on structuring complex data sharing arrangements to overcome restrictions on sharing for purposes of clinically integrated networks, via health information exchanges and for marketing, among other purposes
  • Structuring privacy and security compliance programs and facilitating risk management
  • Assisting on incident response and breach reporting, including counseling on OCR compliance reviews, HIPAA audits or other government investigations
  • Advising on mobile devices and wearables, including conducting privacy impact assessments in the product development stage, and reviewing website applications and devices for HIPAA compliance
  • Assisting in litigation matters, including civil lawsuits and class actions alleging violations of privacy or security under various federal and/or state laws and representation in TCPA actions
  • Advising on transactions/due diligence, including drafting appropriate representations and warranties on privacy and security-related matters and reviewing HIPAA policies and procedures, security risk analyses and risk management plans, business associate agreements, breach logs, and other key documentation to evaluate compliance and assess risk
  • Assisting with HIPAA compliance for clients’ group health plans, and advising on the unique privacy and security issues beyond HIPAA implicated by wellness programs and employer-sponsored clinics, including state privacy laws and occupational health laws and regulations

Government Investigations/Enforcement Actions

  • Following a four-year OCR investigation, negotiated a resolution agreement and corrective action plan with OCR on behalf of a large health system arising out of a breach involving thousands of patients. We negotiated a substantial reduction to the settlement amount that OCR initially proposed and established favorable corrective action plan terms for the client.
  • Assisted a physician practice in investigating a complicated ransomware attack, including hiring a forensic analyst on a privileged basis to determine the scope of the attack and whether there was evidence of exfiltration or malware left on the system. We also analyzed whether the attack rose to the level of a reportable breach, taking into account OCR’s recent guidance on ransomware attacks.
  • Assisted a university/academic medical center client in responding to, and successfully obtaining a determination from OCR to close without imposition of penalties, its investigation of the client arising out of a lost laptop containing the PHI of thousands of patients. In addition, we successfully challenged the scope of an OCR document request.
  • Assisted a large hospital in successfully responding to a phishing attack that impacted over a thousand patients. As part of the representation, a security consultant was engaged on a privileged basis to pinpoint the scope of the attack and to identify the appropriate mitigation and corrective action steps. Assisted the client in responding to the subsequent OCR investigation, which included responding to initial and follow-up questions and document requests and ultimately resulted in OCR closing the investigation without imposing any penalties against the client.
  • Represented a physician practice in connection with the theft of a desktop computer containing the PHI of thousands of patients. Assisted the client through the investigation, the breach reporting process and remediation/mitigation efforts, and successfully obtained a determination from OCR to close its investigation, without penalties, on jurisdictional grounds.
  • Assisted a large hospital client in obtaining closure, without penalties, of an OCR investigation stemming from a breach that occurred at the business associate level involving the electronic PHI of thousands of patients. Counseled the client through all aspects of the breach, including assisting the client in its own investigation of the breach and of the business associate’s actions, making the required notifications and preparing its response to the OCR investigation and document request, which ultimately resulted in OCR closing the investigation as to the client.
  • Successfully convinced the California Department of Public Health to withdraw a penalty notice and close an investigation into a national provider client in connection with the theft of patient information from an employee’s car.

OCR HIPAA Audit Preparation
  • Assisted a national hospice client who received notification from OCR of a pending HIPAA audit in preparing for the audit, including reviewing the client’s privacy and security policies, procedures and processes for compliance gaps and providing recommendations for improvement.
  • Conducted an analysis of the HIPAA practices of a provider with locations in all 50 states against the OCR audit protocol.
  • Analyzed a large hospital’s HIPAA policies and procedures and revised the policies to incorporate issues highlighted in the OCR audit protocol.

HIEs, CINs and Structuring Complex Data Sharing Arrangements

  • Guided a statewide health information exchange (HIE) through its formation, governance and consent model. Assisted the client by developing participation agreements and policies and procedures and by advising on ongoing operational issues. Work included analyzing various state law issues that impacted the consent model, as well as interfacing with various health care provider participants and the state Medicaid program.
  • Advised a large health care system that operates in several states on the creation and implementation of a private HIE. Created agreements and policies and procedures, and worked with internal business departments on desired data use scenarios.
  • Assisted a client offering an HIE and data analytics services in multiple states, including advising on state information privacy and health information exchange laws, HIPAA and 42 CFR Part 2 preemption issues, and consent models in multiple states, and preparing corresponding participation agreements and operating policies and procedures.

Security and Technology/Health Information Systems

  • Assisted a client through the privacy and security compliance considerations and operational issues involved in operating and offering a shared electronic health record platform to unaffiliated community providers.
  • Assisted a large health system in implementing its patient portal, including drafting terms of use, privacy policy, etc.
  • Regularly work with security consultants (or hire security consultants on a privileged basis) on behalf of health care clients to perform security assessments, including enterprise-wide risk analyses, penetration testing, forensic analysis, etc.

Marketing Initiatives, Including Online Activities

  • Have worked closely with a number of provider clients on the privacy/security aspects of website retargeting campaigns, including reviewing and revising website privacy policies to make sure the language is “clear and conspicuous” under FTC standards and in compliance with state laws.
  • Advised a large hospital client on various privacy and security laws (including HIPAA, the FTC’s Telemarketing Sales Rule and the FCC’s TCPA) applicable to providing appointment reminders through automated/prerecorded voice and text communications.
  • Regularly advise provider clients on privacy and security issues relating to marketing initiatives, including restrictions under HIPAA, the TCPA, CAN-SPAM and various state laws, such as California’s Confidentiality of Medical Information Act (CMIA).

Big Data Use and Analytics/Assisting with De-Identification

  • Advised an international provider on its big data analytics strategy, including addressing HIPAA and international data transfer issues as well as data governance rules.
  • Worked closely with statisticians to prepare determinations of de-identification for provider clients so the clients can report data to manufacturers and other third parties.
  • Regularly review contracts and data reporting provisions for health care clients to determine if the proposed reporting meets the de-identification requirements.

Clinical Research Issues

  • Assisted a large hospital in creating a data warehouse and tissue bank for research. Representation included advising on HIPAA and state privacy and security requirements, structuring appropriate use cases and addressing data ownership issues.
  • Advised a large academic medical center acting as a coordinating center in an international clinical trial on compliance with US and international privacy and security requirements.
  • Advised a national non-profit organization on the state privacy law requirements impacting its informed consent/authorization form and secondary uses of data.

Transactions/Due Diligence on Privacy/Security Issues

  • After discovering through due diligence that a target provider had been the subject of a ransomware attack affecting its electronic systems, counseled the potential buyer (a large health system) on the scope of the attack and how to evaluate and address the risks in moving forward with the transaction.
  • Assisted a national provider in evaluating and quantifying the risk of moving forward with an acquisition of a multi-location physician practice that lacked a HIPAA privacy/security program. Work included drafting contractual protections and identifying steps to take both pre- and post-closing to address significant risks.
  • Reviewed over 50 business associate agreements on behalf of a client that was purchasing a business associate, in order to evaluate HIPAA compliance and the assignment provisions and to determine whether off-shoring of PHI was prohibited.