Privacy & Data Security

Data breach, breach response, cyberliability, drones, and encryption are just a few of the terms that have worked their way into our vocabulary as businesses use evolving technologies to collect and maintain increasing amounts of electronic data. Competitive pressures require companies to take advantage of these efficiencies, but raise a host of new and ever-changing security risks, privacy considerations, compliance concerns, and legal requirements.

Our interdisciplinary team has significant experience in advising legal departments, boards, executive leadership, and compliance and IT teams on sophisticated and practical data management, data security and privacy matters, including proactive data security and privacy strategic planning, breach preparation and cybersecurity risk management, security breach response, and national and global privacy and security program design and implementation. We provide practical advice to clients on how they can collect, use, and share data and still meet their operational and organizational goals while complying with the ever-changing privacy laws, regulations, and industry standards, including: California Consumer Privacy Act (CCPA); EU General Data Protection Regulation (GDPR); EU ePrivacy Directive; Health Insurance Portability and Accountability Act (HIPAA); Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA); China’s Cybersecurity Law; Fair Credit Reporting Act (FCRA); Gramm-Leach-Bliley Act (GLBA); Telephone Consumer Protection Act (TCPA); Electronic Communications Privacy Act (ECPA); Children’s Online Privacy Protection Act (COPPA); U.S. state privacy laws; Federal Trade Commission (FTC) Guidance; Payment Card Industry Standards (PCI); and the Network Advertising Initiative’s Code of Conduct. Our attorneys closely track developments at the state, federal and international levels to ensure that our clients always are fully informed of and compliant with changes in the legal and regulatory environment.

With regard to HIPAA/HITECH specifically, we counsel hospital companies and healthcare providers on the increasingly stringent federal laws and regulations related to HIPAA compliance and the privacy and security of personal health information, including federal and state security standards, business associate standards and breach reporting requirements. We navigate state and other requirements related to responding to data breaches and preventing identity theft, implementing necessary policies and training employees. As providers are incorporating information security and electronic health records (EHR) into their compliance plan and patient experience, we counsel them with respect to the use of mobile devices, including physician use of mobile devices to transmit and access electronic patient records.

Our attorneys assist clients with:

  • Data security and privacy policies and procedures.
  • Incident response plans.
  • Employee training.
  • Negotiation of vendor and other business partner contracts.
  • Investigation of data security incidents.
  • Data breach responses and customer notifications.
  • Cybercrime investigations and reporting.
  • Interacting with law enforcement and regulators.
  • Pursuit of claims against responsible parties.
  • Defense of claims from customers, business partners and regulators.

Information Blocking

The information blocking regulations issued by the Office of the National Coordinator for Health Information Technology (ONC) pursuant to the 21st Century Cures Act (Information Blocking Rules) present complex operational, compliance and security challenges for a variety of entities across the healthcare landscape. Healthcare providers, health IT developers of certified IT, and health information exchanges and networks (HIEs/HINs) must take proactive steps to comply with the new regulatory structure that upsets traditional methods for addressing requests for electronic health information (EHI).

Drawing from our extensive knowledge of healthcare regulatory and data privacy matters, our multidisciplinary team provides practical solutions to the commercial and regulatory issues that come with navigating the intersection of Information Blocking Rules, Health Insurance Portability and Accountability Act (HIPAA), other federal and state laws and operational concerns. We assist a wide range of healthcare companies with compliance and implementation of the Information Blocking Rules, including operationalizing these rules in alignment with existing processes. We advise healthcare providers, health IT developers and HIEs/HINs on the following:

  • Interpreting the Information Blocking Rules and how to maintain HIPAA and 42 CFR Part 2 compliant programs.
  • Developing compliance plans, including revising existing policies and drafting new policies and advising on how to support new workflows.
  • Conducting a gap analysis, identifying which requirements are being satisfied and fulfilled by existing technology tools and processes.
  • Identifying and implementing new tools and processes necessary to remain compliant with the Information Blocking Rules.
  • Creating information blocking monitoring systems.
  • Developing internal education and communication materials.

Samar S. Ali
International Counsel
Richard W. Arnholt
Member
Ryan R. Baker
Member
Jaime L. Barwig
Member
Michael A. Brady
Member
Robert L. Brewer
Member
Stefanie P. Carter
Associate
Stefanie Colletier
Associate
Alexandria Wood Davenport
Associate
Jeff H. Gibson
Member
Chelsea L. Harrison
Associate
Elizabeth Harwood
Associate
Johnathan D. Holbrook
Associate
Ashleigh Karnell
Associate
Anthony J. McFarland
Member
Paige Waldrop Mills
Member
Jacquelyn Papish
Associate
Lisa S. Rivera
Member
T. Stephen C. Taylor
Member
Shelley R. Thomas
Member
Nesrin Garan Tift
Member
Rodrigo N. Valle
Associate
Janelle D. Waack
Member
Kathryn Hannen Walker
Member
Elizabeth S. Warren
Member
Caitlin Wilkinson
Associate