HIPAA/Health Information Privacy, Security & Breach Response

Alston & Bird sits at the forefront of national law firms advising clients on health information privacy, security, and breach notification issues under federal and state laws. We have decades of experience advising our clients on Health Insurance Portability and Accountability Act (HIPAA) health information privacy, as well as security and breach issues, and developed HIPAA compliance plans. We have significant experience under HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, and state health privacy laws, advising and representing clients in U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigations and compliance reviews, civil and criminal enforcement actions, and private litigation involving health information. We help you navigate these difficult issues, including identifying real strategies to achieve compliance and helping manage and resolve a breach crisis if one occurs.

Alston & Bird is there when you face an inadvertent or malicious breach of health information, including identifying immediate, proactive steps to mitigate potential harm. We recognize that no breach is the same, and we tailor our advice to the size and scope of the incident and its potential impact on you. Not all incidents are reportable under federal and state laws, and legal expertise is crucial in making that determination. If the breach is reportable under federal or state law, Alston & Bird can assist you with notifying government agencies and individuals as required and notifying/interacting with the media.

The HIPAA rules (and their state-level equivalents) are complicated, and the potential penalties for mistakes can be steep. Alston & Bird’s strength in HIPAA compliance enables you to navigate these complexities. We have developed HIPAA privacy and security compliance plans and work with your personnel in legal, compliance, and IT/technical capacities to educate on HIPAA requirements and ensure that compliance plans are consistent with your culture and fully integrated into your existing information security program.

You need a firm with a command of the issues and the capability to guide you through a crisis and the labyrinth of laws you’ll face: the federal HIPAA, Genetic Information Nondiscrimination Act (GINA), and HITECH Act and state laws such as California’s Confidentiality of Medical Information Act (CMIA) and Consumer Privacy Act (CCPA). Our team brings a unique combination of skills—knowledge of the laws governing health information breaches and security incident/crisis management and response experience—to assist you in managing and responding to a health information breach. With Alston & Bird, you have the right partner by your side. 

Breach Response and Notification

• Advised health care providers on COVID-19-related events, including breach analysis, interaction with media, and responding to individuals claiming to work with public health authorities.
• Assisted financial services companies, health care providers, and insurance companies in their incident response efforts and follow-on regulatory inquiries on federal and state levels, including some of the largest HIPAA data breaches.
• Advising clients on a hacking/IT incident experienced by a major health insurance company that served as the third-party administrator of their employer-sponsored group health plans.
• Representing an academic medical center in connection with a breach arising from the loss of electronic media.
• Advised a hospital on breach response issues in connection with a third party’s sophisticated hacking incident that went undetected for a time.
• Advised clients, including a hospital, health care service provider, employer/group health plan sponsor, and insurer, on incidents and breaches arising from lost or stolen laptop computers and other mobile devices.
• Advised a physician group on addressing a potential breach arising from misdirected faxes and several business-associate clients on potential breaches arising from packages lost, damaged, or misdirected during shipment.
• Advised a hospital, as well as other clients, on incidents involving inappropriate access of the medical records of celebrity patients and the posting of pictures containing protected health information (PHI) to social media outlets.
• Advised a hospital on an attempt by a business associate’s employee to sell PHI.

Regulatory Compliance

• Assisted health care providers, employers, and other businesses with COVID-19-related privacy matters.
• Assisted a health care system with conducting a HIPAA and state-law analysis assessing potential reporting obligations following an extensive cyber intrusion involving large amounts of data. When reporting obligations were identified, assisted with wording and transmittal of required notices, plus FAQs to be used by the health care system’s call center.
• Counseled a for-profit corporation on compliance with HIPAA and state health and financial data security laws in 48 states after the potential theft of 50,000 patient records. Represented the client in the corresponding government investigation.
• Developed comprehensive HIPAA privacy and security compliance programs for state hospital associations and various health care providers and health plans, including the preparation of forms, compliance manuals that contain all required policies and procedures, Internet-based training programs, monthly teleconference presentations, and staffing a HIPAA compliance hotline. Also developed comprehensive HIPAA privacy and security compliance programs for other clients, including several financial institutions and a transportation/package shipping company that ships medical products and devices.