Data breach, breach response, cyberliability, drones, and encryption are just a few of the terms that have worked their way into our vocabulary as businesses use evolving technologies to collect and maintain increasing amounts of electronic data. Competitive pressures require companies to take advantage of these efficiencies, but those same technologies raise a host of new and ever-changing security risks, privacy considerations, compliance concerns, and legal requirements.
Our interdisciplinary team has significant experience advising legal departments, boards, executive leadership, and compliance and IT teams on sophisticated and practical data management, data security and privacy matters, including proactive data security and privacy strategic planning, breach preparation and cybersecurity risk management, security breach response, and national and global privacy and security program design and implementation. We provide practical advice to clients on how they can collect, use, and share data and still meet their operational and organizational goals while complying with ever-changing privacy laws, regulations, and industry standards, including:
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA)
- Virginia Consumer Data Protection Act (CDPA)
- Colorado Privacy Act (CPA)
- Utah Consumer Privacy Act (UCPA)
- Connecticut Data Privacy Act (CTDPA)
- Iowa Consumer Data Protection Act (ICDPA)
- Indiana Consumer Data Protection Act (INCDPA)
- Tennessee Information Protection Act (TIPA)
- Montana Consumer Data Privacy Act (MCDPA)
- Florida Digital Bill of Rights (FDBR)
- Texas Data Privacy and Security Act (TDPSA)
- Oregon Consumer Privacy Act (OCPA)
- Delaware Personal Data Privacy Act (DPDPA)
- EU General Data Protection Regulation (GDPR) and the similar UK GDPR
- EU ePrivacy Directive
- National Institute of Standards and Technology (NIST) frameworks and guidance
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
- China's Personal Information Protection Law (PIPL)
- Fair Credit Reporting Act (FCRA)
- Gramm-Leach-Bliley Act (GLBA)
- Telephone Consumer Protection Act (TCPA)
- CAN-SPAM Act
- Electronic Communications Privacy Act (ECPA)
- Children's Online Privacy Protection Act (COPPA)
- U.S. state breach notification and similar laws
- Federal Trade Commission (FTC) guidance
- Payment Card Industry Data Security Standard (PCI DSS)
- International Organization for Standardization (ISO) certifications
- Network Advertising Initiative's Code of Conduct
Our attorneys closely track developments at the state, federal and international levels to ensure that our clients are always fully informed of, and compliant with, changes in the legal and regulatory environment.
With regard to HIPAA/HITECH specifically, we counsel hospital companies and healthcare providers on the increasingly stringent federal laws and regulations governing HIPAA compliance and the privacy and security of protected health information, including federal and state security standards, business associate requirements and breach reporting obligations. We navigate state and other requirements related to responding to data breaches and preventing identity theft, implementing necessary policies and training employees. As providers incorporate information security and electronic health records (EHR) into their compliance plans and patient experience, we counsel them on the use of mobile devices, including physicians' use of mobile devices to transmit and access electronic patient records.
Our attorneys assist clients with:
- Data security and privacy policies and procedures
- Incident response plans
- Employee training
- Negotiation of vendor and other business partner contracts
- Investigation of data security incidents
- Data breach responses and customer notifications
- Cybercrime investigations and reporting
- Interacting with law enforcement and regulators
- Pursuit of claims against responsible parties
- Defense of claims from customers, business partners and regulators
The information blocking regulations issued by the Office of the National Coordinator for Health Information Technology (ONC) pursuant to the 21st Century Cures Act (Information Blocking Rules) present complex operational, compliance and security challenges for a variety of entities across the healthcare landscape. Healthcare providers, developers of certified health IT, and health information exchanges and networks (HIEs/HINs) must take proactive steps to comply with the new regulatory structure, which displaces traditional methods for addressing requests for electronic health information (EHI).
Drawing on our extensive knowledge of healthcare regulatory and data privacy matters, our multidisciplinary team provides practical solutions to the commercial and regulatory issues that arise at the intersection of the Information Blocking Rules, HIPAA, other federal and state laws and operational concerns. We assist a wide range of healthcare companies with compliance and implementation of the Information Blocking Rules, including operationalizing these rules in alignment with existing processes. We advise healthcare providers, health IT developers and HIEs/HINs on the following:
- Interpreting the Information Blocking Rules and maintaining HIPAA- and 42 CFR Part 2-compliant programs
- Developing compliance plans, including revising existing policies, drafting new policies and advising on how to support new workflows
- Conducting a gap analysis to identify which requirements are already satisfied by existing technology tools and processes
- Identifying and implementing new tools and processes necessary to remain compliant with the Information Blocking Rules
- Creating information blocking monitoring systems
- Developing internal education and communication materials