For participants in the health care system, protecting individuals’ health information is a critical responsibility governed by federal and state laws and regulations that continue to evolve. Since protected health information (PHI) is vulnerable to a variety of data breaches—from theft of laptops and mobile devices to phishing, malware and ransomware attacks to human errors—entities handling PHI must establish comprehensive programs to safeguard this information and follow strict rules when breaches occur to avoid hefty penalties and significant reputational damage.

Saul Ewing Arnstein & Lehr’s Health Care Practice advises health care providers, insurers and other related entities, referred to as “covered entities,” and companies that regularly support them, which are referred to as “business associates,” on the full spectrum of health information privacy and security matters, including compliance with the Health Insurance Portability and Accountability Act (HIPAA) and state laws and regulations.

Our services include:

Preparedness

• Helping clients assess which, if any, federal and/or state health care privacy and security laws apply to their activities.
• Implementing privacy, security and breach response programs, which include policies, procedures, incident response action plans and trainings.
• Reviewing and negotiating business associate agreements—a type of contract on data sharing, for covered entities and business associates.
• Helping clients partner with data security vendors.

Incident Response

• Overseeing the entire breach response process.
• Engaging forensic consultants as needed.
• Analyzing and advising if and when breach notifications are needed, either under HIPAA or state data breach laws, and if so, preparing those notices.
• Determining if there are any European-related responses necessary, particularly in relation to the General Data Protection Regulation (GDPR).

Post-Incident Response

• Advising clients who receive inquiries and/or investigations from the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services.
• Representing clients in any litigation resulting from a data breach.
• Revising policies, procedures, incident response action plans and trainings with lessons learned to help prevent a recurrence of the same or a similar incident.

In addition, our team has particular experience working with universities to help them understand if and when they are subject to HIPAA and/or state laws since many of their small clinics provide health care services and often act autonomously.

See Related Services Offered for HIPAA / Health Information Privacy and Security: