HIPAA / Health Information Privacy and Security

Guidance on the Complexities and Changes Involved in Protecting Health Information

For participants in the health care system, protecting individuals’ health information is a critical responsibility governed by federal and state laws and regulations that continue to evolve. Since protected health information (PHI) is vulnerable to a variety of data breaches—from theft of laptops and mobile devices to phishing, malware and ransomware attacks to human errors—entities handling PHI must establish comprehensive programs to safeguard this information and follow strict rules when breaches occur to avoid hefty penalties and significant reputational damage.

Saul Ewing Arnstein & Lehr’s Health Care Practice advises health care providers, insurers and other related entities, referred to as “covered entities,” and companies that regularly support them, which are referred to as “business associates,” on the full spectrum of health information privacy and security matters, including compliance with the Health Insurance Portability and Accountability Act (HIPAA) and state laws and regulations.

Our services include:

  • Helping clients assess which, if any, federal and/or state health care privacy and security laws apply to their activities.
  • Implementing privacy, security and breach response programs, which include policies, procedures, incident response action plans and trainings.
  • Reviewing and negotiating business associate agreements (contracts governing the sharing of PHI) for covered entities and business associates.
  • Helping clients partner with data security vendors.

Incident Response

  • Overseeing the entire breach response process.
  • Engaging forensic consultants as needed.
  • Analyzing and advising if and when breach notifications are needed, either under HIPAA or state data breach laws, and if so, preparing those notices.
  • Determining if there are any European-related responses necessary, particularly in relation to the General Data Protection Regulation (GDPR).

Post-Incident Response

  • Advising clients who receive inquiries and/or investigations from the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services.
  • Representing clients in any litigation resulting from a data breach.
  • Revising policies, procedures, incident response action plans and trainings with lessons learned to help prevent a recurrence of the same or a similar incident.

In addition, our team has particular experience working with universities to help them understand if and when they are subject to HIPAA and/or state laws, since many of their small clinics provide health care services and often act autonomously.

Saul Ewing Arnstein & Lehr attorneys have handled these select matters in the representation of:

  • A medical practice in responding to a ransomware attack, including engaging a forensic expert and analyzing HIPAA and state breach law obligations.
  • A large university without an academic medical center but multiple medical clinics in assessing its HIPAA compliance obligations and preparing HIPAA recommendations.
  • A health care software company in a security incident, including conducting interviews and assessing potential federal and state reporting obligations.
  • A medical college in preparing analysis of its potential HIPAA obligations.
  • Multiple covered entities in responding to inquiries from the OCR.
  • Numerous covered entity and business associate clients in developing HIPAA privacy and security compliance programs.
  • Covered entities in preparing training materials.
  • Various parties in the health care delivery system, payors and business associates in assessing privacy concerns in proposed commercial agreements.
  • Universities in determining their HIPAA compliance obligations for individual components of their institution; drafting policies and procedures with respect to HIPAA compliance; helping to address HIPAA privacy and security concerns for universities; reviewing and editing business associate agreements; and conducting university-wide HIPAA assessments and interviewing key university staff.
