HIPAA and Healthcare Privacy

  • Our team of dedicated healthcare, compliance, cybersecurity and technology lawyers has practical know-how for handling your health information privacy and security matters.
  • Our Healthcare & Life Sciences Industry Sector Group not only knows the HIPAA laws and rules but also knows how to design a practical and useful compliance program that harmonizes with state privacy laws. Members of our team are frequently called upon to speak and write on these topics.
  • Our lawyers have experience drafting comments to the U.S. Department of Health and Human Services (HHS) on the HIPAA privacy laws and regulations – working on behalf of industry associations, multinational corporations and other clients.

Overview

Since enactment of the Health Insurance Portability and Accountability Act (HIPAA) in 1996, numerous regulations and guidance documents have been issued in an attempt to clarify its provisions. Despite these efforts, the regulations are anything but simple. HIPAA has a significant effect on the way business is conducted in the United States. Organizations regulated by HIPAA, either as covered entities or as business associates, will want informed legal counsel to advise on the challenges. The HITECH Act of 2009, federal substance use disorder regulations (42 C.F.R. Part 2), the Telephone Consumer Protection Act (TCPA) and the Federal Trade Commission's (FTC) Health Breach Notification Rule for personal health records (PHRs), as well as state privacy laws, also affect how health information and other patient data may be used and disclosed.

The complex provisions of HIPAA and state privacy and security laws govern a vast spectrum of U.S. businesses. We have advised clients in the following industry sectors:

  • pharmaceutical and device manufacturers
  • medical app developers
  • pharmacies and pharmaceutical benefit managers
  • self-insured employee benefit plans
  • health plans, health insurers and third-party administrators
  • vendors, contractors and other business associates
  • physician groups
  • hospitals and nursing homes

Experienced Counsel

Holland & Knight has extensive experience in HIPAA and HITECH Act legal and security issues, with a national team of dedicated healthcare and privacy lawyers as well as a multidisciplinary approach that complements our healthcare knowledge with subject-matter leadership from across the firm.

In-Depth Insight for a Range of Legal Needs

Whether your matter involves privacy compliance assessments, breach response, training or HIPAA compliance documentation, data monetization, assessing risks related to pixels and other website tracking tools, or defending against plaintiff class actions alleging privacy violations, our team has the substantive understanding of HIPAA and other data privacy laws necessary to guide you through the maze.

Customized Client Training to Help You Navigate Change

HIPAA's shifting policy landscape is a critical factor that drives the need for continuous training. Our lawyers provide customized and comprehensive training programs that cover individual client policies, procedures, practices and business relationships, as well as the general HIPAA privacy and security standards. Our attorneys are also available to conduct in-person training seminars on privacy compliance matters.

Savvy Technology Support

Addressing the complex IT-related issues that have emerged from HIPAA and other data security laws requires specialized resources that may not be available inside your organization. Holland & Knight's experienced technology attorneys can assist you through the changes, advising you in areas such as the following:

  • advising on privacy design for medical apps, devices and websites, including privacy policies, terms of use and patient authorizations
  • assisting in the development of clinical data repositories and data lakes
  • counseling on your administrative requirements, including implementing appropriate IT security processes and recognized security practices, to ensure administrative safeguards
  • coordinating security risk analyses and risk assessments with experienced IT vendors

Ongoing Strategic Counsel for Protecting Your Interests

Holland & Knight's Data Strategy, Security & Privacy Team provides the strategic legal counsel you need to respond proactively to continuously evolving requirements and to protect your business from unintended violations. Specific services include:

  • full-scale privacy and operational compliance assessments and remediation programs
  • advice and counsel regarding responding to data breaches and security incidents, including state law reporting requirements and the FTC's PHR reporting rules
  • counseling on HIPAA and related state law issues, such as gap analyses and the impact of HIPAA on state litigation
  • developing comprehensive analysis, assessment and operational compliance of self-insured employee health plans
  • reviewing existing business arrangements with third parties that permit access to health information – including those with vendors, agents and independent contractors

Health Information Exchange and Data Interoperability Compliance

Organizations that maintain electronic health information (EHI) face mounting pressure to implement processes for sharing EHI while complying with federal and state privacy and security laws. Our HIPAA and Healthcare Privacy Team and Data Strategy, Security & Privacy Team help clients meet these demands. Our attorneys guide providers, health information technology (IT) developers and health information networks through the intricacies of federal regulations that mandate data sharing while protecting patient privacy and data security.

Health Data Interoperability and Information Blocking

Our team has extensive experience in addressing the challenges posed by the 21st Century Cures Act's prohibition on information blocking. We provide strategic counsel and actionable guidance on:

  • the full scope of the information blocking regulations in 45 C.F.R. Part 171
  • navigating the definition of "EHI" within the HIPAA-designated record set
  • implementing and developing appropriate information exchange protocols
  • health IT certification criteria
  • applying information blocking exceptions, such as the Trusted Exchange Framework and Common Agreement (TEFCA)
  • aligning HIPAA privacy and security rules with information blocking regulations and interoperability requirements
  • negotiating related health IT contractual provisions
  • conducting mergers and acquisitions (M&A) diligence and purchase agreement and transition issues
  • information blocking issues in health IT arrangements or arising out of complaints or litigation

Comprehensive Compliance Strategies

We develop tailored compliance strategies for healthcare organizations that balance information sharing obligations with privacy requirements, including:

  • Policy Development. Creating robust yet practical information sharing policies that align with federal requirements while protecting sensitive information
  • Exception Documentation. Establishing proper documentation processes when applying information blocking exceptions
  • Training Programs. Implementing staff education on permissible information blocking exceptions and proper data exchange
  • Risk Assessment. Evaluating potential exposure from information blocking in operations, from complaints (by individuals and other organizations) and in M&A processes

Our attorneys and policy advisors stay at the forefront of regulatory developments in health data exchange and information blocking. We regularly monitor updates from HHS and its Office of Inspector General (OIG) and Assistant Secretary for Technology Policy (ASTP – formerly the Office of the National Coordinator, ONC) to help ensure our clients understand their obligations and can implement compliant practices.

Documenting Your Compliance

Ensuring compliance with HIPAA and the HITECH Act requires painstaking tracking and documentation. Our Cybersecurity and Privacy Team brings the right combination of legal resources to the task. We can help you:

  • develop HIPAA compliance documents – including notices of privacy practices, business associate agreements, breach notices, plan document amendments, protective orders and authorization forms
  • produce the policy and procedure manuals and related contractual provisions needed to protect the confidentiality of patient information
  • create employee training materials covering HIPAA laws and other privacy and security standards

Multimedia

  • Managing Vendor Relationships and Navigating Data Breaches in the New Age of Data Privacy
  • Navigating the Conflicting Interests of Digital Health Innovation and Business Advancement
  • Beyond Privacy Implications: Data Breaches in Clinical Trials
  • Podcast - Regulating AI in Healthcare: The Road Ahead
  • Podcast: Addressing Patient Complaints About Privacy Violations
  • Podcast: What Healthcare Providers Should Be Telling Students and Interns About HIPAA and Snooping
  • Podcast - Innovations and Insights in the Palliative Care Space
  • Podcast: Who Owns Your DNA? Lessons Learned from 23andMe
  • Should Users of 23andMe Delete Their Profile Following Company’s Bankruptcy?
  • Top Ten 2025: Medical Malpractice in the Age of AI
  • Navigating Information Blocking Regulations in Healthcare Transactions
  • Podcast - Data Privacy and Tracking Technology Compliance
  • Podcast: Discussing the Implications of Healthcare Privacy Violations
  • Podcast - Discussing Information Blocking with Eddie Williams
  • Podcast: Keeping an Eye on HIPAA Trends with Shannon Hartsfield
  • Podcast - Artificial Intelligence in Healthcare and How to Comply with HIPAA and State Privacy Laws
  • Podcast - SEC's Oversight on Cybersecurity Requirements
  • Podcast - Digital Health Market Assessment
  • Takin' Care of Business
  • Podcast: Shannon Hartsfield & Eddie Williams Discuss Patient Access to Medical Data
  • Podcast: Discussing HIPAA with Shannon Hartsfield and Eddie Williams
  • Election 2020: Potential Impacts Series - Healthcare & Life Sciences
  • Avoiding HIPAA Headaches and Hassles
  • Straight from the Cutter’s Mouth: A Retina Podcast
