BakerHostetler
Alumni Login
| Subscribe | Print
Open search/close search button Open menu/close menu button
Services
Professionals
About Us
Offices
News/Resources
Diversity
Pro Bono
Careers
Alumni

Healthcare Privacy and Compliance

Overview

Healthcare providers, insurers and employer-sponsored health plan administrators, as well as the business associates with whom they do business, are particularly vulnerable to data security incidents because of the highly sensitive protected health information they maintain, including Social Security numbers, insurance information, payment records and confidential medical information. In addition, healthcare businesses must deal with the extensive state and federal regulations that are unique to the industry, including the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

Our diverse team has wide experience in counseling health systems, physician groups, insurers and employers across the country regarding risk assessments, developing comprehensive incident response plans, and responding in a timely and accurate manner to privacy and security incidents, from lost paper files and laptops to the largest cyber incident ever reported involving medical information. We aggressively defend our healthcare clients in investigations brought by the Office for Civil Rights (OCR) and state attorneys general following privacy and security incidents. We advise healthcare industry clients on HIPAA and state law compliance regarding privacy policies and procedures, release of medical information, and access to medical records issues.

We also advise healthcare clients on best practices for leveraging emerging technologies, managing data and structuring operations in compliance with relevant laws and regulations.

We are nationally recognized for our healthcare privacy litigation experience and have served as defense counsel in several of the largest data breaches in the healthcare industry. Our class action defense team has successfully represented major insurance businesses and health systems across the country, minimizing monetary and reputational damage and negotiating with state and federal regulators.

Representative Clients
  • Health systems.
  • Academic medical centers.
  • Healthcare providers.
  • Specialty treatment centers.
  • Long-term care facilities.
  • Schools, colleges and universities.
  • Health plans (self-funded and large insurers).
  • Healthcare technology providers.
  • Medical device manufacturers.

Select Experience

  • Led the incident response for approximately 50 percent of the largest healthcare data security incidents reported to date.
  • Successfully defended more than 500 investigations commenced by the Department of Health and Human Services Office for Civil Rights (OCR).
  • Negotiated more resolution agreements and corrective action plans with the OCR arising out of data security incidents than any other firm (more than 12 agreements negotiated and finalized).
  • Defended hundreds of investigations by attorneys general, including multi-state investigations, arising out of data security incidents.
More »

Professionals

Name Title Office Email
Hiruy Berhane
Philadelphia
+1.215.564.2027
Associate
Hiruy Berhane
Associate Philadelphia
Jessica Captain Novick
Orlando
+1.407.649.4025
Partner
Jessica Captain Novick
Partner Orlando
Kathryn Carey
New York
+1.212.589.4696
Associate
Kathryn Carey
Associate New York
Kathryn E. Childress
Dallas
+1.214.210.1134
Associate
Kathryn E. Childress
Associate Dallas
Payal P. Cramer
Atlanta
+1.404.256.8433
Counsel
Payal P. Cramer
Counsel Atlanta
Vimala Devassy
Atlanta
+1.404.256.8243
Partner
Vimala Devassy
Partner Atlanta
Stefanie L. Ferrari
Chicago
+1.312.416.6229
Associate
Stefanie L. Ferrari
Associate Chicago
Amy E. Fouts
Atlanta
+1.404.256.8434
Partner
Amy E. Fouts
Partner Atlanta
Sara M. Goldstein
Philadelphia
+1 215.564.1572
Partner
Sara M. Goldstein
Partner Philadelphia
Kimberly C. Gordy
Houston / Seattle
+1.713.646.1360 / +1.206.566.7091
Associate
Kimberly C. Gordy
Associate Houston
Kyle R. Gregory
Atlanta
+1.404.459.4218
Associate
Kyle R. Gregory
Associate Atlanta
Patrick H. Haggerty
Cincinnati
+1.513.929.3412
Partner
Patrick H. Haggerty
Partner Cincinnati
Mark Hatcher
Columbus
+1.614.462.4765
Partner
Mark Hatcher
Partner Columbus
Steven C. Hiestand
Columbus
+1.614.462.4786
Staff Attorney
Steven C. Hiestand
Staff Attorney Columbus
Susan Whittaker Hughes
Cleveland
+1.216.861.7841
Partner
Susan Whittaker Hughes
Partner Cleveland
Theodore J. Kobus III
New York
+1.212.271.1504
Partner
Theodore J. Kobus III
Partner New York
M. Scott Koller
Los Angeles
+1.310.979.8427
Partner
M. Scott Koller
Partner Los Angeles
Laurice Rutledge Lambert
Atlanta
+1.404.256.8417
Partner
Laurice Rutledge Lambert
Partner Atlanta
Robin L. Larmer
Seattle
+1.206.332.1115
Counsel
Robin L. Larmer
Counsel Seattle
Courtney L. Litchfield
Chicago
+1.312.416.6236
Associate
Courtney L. Litchfield
Associate Chicago
Jennifer A. Mills
Cleveland
+1.216.861.7874
Partner
Jennifer A. Mills
Partner Cleveland
Brian M. Murray
Cleveland
+1.216.861.7084
Partner
Brian M. Murray
Partner Cleveland
Eric A. Packel
Philadelphia
+1.215.564.3031
Partner
Eric A. Packel
Partner Philadelphia
Alexandra Royal
Atlanta
+1.404.256.6688
Associate
Alexandra Royal
Associate Atlanta
Lynn Sessions
Houston
+1.713.646.1352
Partner
Lynn Sessions
Partner Houston
Aleksandra Vold
Chicago
+1.312.416.6249
Partner
Aleksandra Vold
Partner Chicago
Jennifer P. Whitton
Atlanta
+1.404.256.8426
Associate
Jennifer P. Whitton
Associate Atlanta
Robert M. Wolin
Houston
+1.713.646.1327
Partner
Robert M. Wolin
Partner Houston
Kristen McDermott Woodrum
Atlanta
+1.404.256.6698
Partner
Kristen McDermott Woodrum
Partner Atlanta

Experience

  • Led the incident response for approximately 50 percent of the largest healthcare data security incidents reported to date.
  • Successfully defended more than 500 investigations commenced by the Department of Health and Human Services Office for Civil Rights (OCR).
  • Negotiated more resolution agreements and corrective action plans with the OCR arising out of data security incidents than any other firm (more than 12 agreements negotiated and finalized).
  • Defended hundreds of investigations by attorneys general, including multi-state investigations, arising out of data security incidents.
  • Negotiated numerous consent judgments and settlements with attorneys general, including some of the largest on record.
  • Defending a large public health system in a multi-state attorney general investigation. The matter arises out of a nation-state sponsored data security incident.
  • Advise health systems, physician groups, academic medical centers and long-term care facilities regarding all aspects of general privacy matters, including HIPAA compliance, the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other state privacy laws. Our team provides guidance on the HIPAA Privacy and Security Program, state law requirements, breach analysis, regulatory reporting, policies and procedures, and general privacy advice, including best practices for safeguarding individuals’ protected health information and other personally identifiable information,
  • Because of our privacy and regulatory expertise, clients often look to us to conduct privacy assessments. We conduct gap analyses; review policies and procedures to assess HIPAA compliance, state law compliance, policy and procedure comprehensiveness; provide training and education on privacy matters, privacy awareness and readiness within the organization; and review processes in business agreements, breach notification protocols and investigation procedures, among other privacy issues.
  • We represent healthcare clients in connection with HIPAA audits conducted by federal regulators. Since 2016, we have helped several diverse healthcare entities prepare for audits across the privacy, security and breach notification rules under HIPAA in anticipation that they would be chosen for an audit. When the audits were sent later that year, we worked with selected entities to respond to the HIPAA audits and OCR findings. Because of this experience, in June 2018 we began working with large health system in the Midwest in preparation for an expected onsite OCR audit. Our work in this area represents our strong command of HIPAA laws, policies and procedures, a practical understand of healthcare operations, as well as our strong working relationship with the OCR, which allows us to guide the client’s response in such a way that it demonstrates compliance while advocating for a practical approach to HIPAA at healthcare organizations.
  • We advise medical device manufacturers on their obligations as business associates and data owners on general privacy matters, including HIPAA compliance, GDPR, CCPA and state privacy laws. Our team provides guidance on the HIPAA Privacy and Security Program, state law requirements, breach analysis, regulatory reporting, policies and procedures, and general privacy advice, including best practices for safeguarding individuals’ protected health and other personally identifiable information. A recent secondment of our attorneys at a device manufacturer presented the team with a real-time look into the complex and volume of privacy issues that these entities face, and we were able to successfully support the client through these issues.
  • As privacy and data protection issues have moved into the boardroom, we find our team of attorneys being requested to attend board meetings at healthcare organizations to explain the regulatory and risk environment and to provide real-time advice on responding to high-stakes cybersecurity incidents. These presentations range from tabletop exercises and breach workshops, risk assessment advice and compliance strategy to crisis management and strategy during a large data breach. Our clients include some of the United States’ largest and most well-respected healthcare providers and health insurers.

Recognition

  • Selected as a 2020 “Pacesetter” in Cybersecurity Services by ALM Intelligence Pacesetter Research
  • BTI Cybersecurity Powerhouse (2020)
  • BTI CyberSavvy Law Firm (2020)
  • Chambers Global
    • Privacy & Data Security (USA) (2014 to 2021)
    • Privacy & Data Security: Healthcare Spotlight Table – Nationwide (2018 to 2021)
  • Chambers Fintech
    • Legal – USA (2018 to 2021)
  • Chambers USA
    • Advertising: Transactional & Regulatory – Nationwide (2018 to 2020)
    • Privacy & Data Security – Nationwide (2013 to 2020)
    • Privacy & Data Security: Healthcare Spotlight Table – Nationwide (2018 to 2020)
  • Chambers USA Award: “Privacy & Data Security Team of the Year” finalist (2015, 2017)
  • The Legal 500 United States
    • Media, Technology and Telecoms: Advertising and Marketing: Transactional and Regulatory (2018 to 2020)
    • Media, Technology and Telecoms: Cyber Law (2016 to 2020)
    • Media, Technology and Telecoms: Data Privacy and Data Protection (2016 to 2020)
  • Law360: Privacy "Practice Group of the Year" (2013 to 2015, 2018)
  • Selected for Vault’s Guide to Legal Practice Areas
    • Privacy and Data Security (2017 to 2021)

News

News

Press Releases

Publications

Alerts

Articles

Podcasts

Blog Posts

Related Services

Key Contacts

Blog

In The Blogs

Previous Next
Data Counsel
Privacy-Forward California AG Xavier Becerra Confirmed as Next HHS Secretary
By Alexandra Royal, Aleksandra Vold
March 31, 2021
On March 19, 2021, Xavier Becerra was confirmed as the secretary of the U.S. Department of Health and Human Services (HHS). HHS is the federal regulatory body that oversees the Office for Civil Rights (OCR), which is the primary federal...
Read More ->
Data Counsel
Court Finds HHS Had No Lawful Basis Under HIPAA for a $4.3 Million Civil Money Penalty: What Does This Mean for Future HHS Enforcement Actions?
By Jessica Captain Novick, Sara M. Goldstein, Lynn Sessions
January 27, 2021
The United States Court of Appeals for the Fifth Circuit recently found that the United States Department of Health and Human Services (HHS) lacked a lawful basis for a $4.3 million civil money penalty order that it issued to a healthcare...
Read More ->
Data Counsel
Compliance and Cybersecurity Best Practices Rewarded with HIPAA Safe Harbor
By Vimala Devassy, Sara M. Goldstein, Kyle R. Gregory
January 13, 2021
On January 5, 2021, H.R. 7898 was signed into law with little fanfare, thereby amending the Health Information Technology for Economic and Clinical Health Act.[1] As the healthcare industry continues to serve as one of the top targets for...
Read More ->
Data Counsel
CISA Updates Advisory on Large-Scale Impending and Credible Ransomware Threat to Healthcare to Include Additional IOCs
By Sara M. Goldstein, Aleksandra Vold
October 30, 2020
On Oct. 28, a joint cybersecurity advisory was published by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Department of Health & Human Services. The advisory warned of an imminent cybercrime threat to U.S...
Read More ->
Data Counsel
Warning of Cybersecurity Threat to Healthcare Sector – Imminent Threat of Ransomware
By Eric A. Packel
October 29, 2020
BakerHostetler is closely monitoring a Cybersecurity Advisory issued jointly by several government agencies including the United States Department of Health and Human Services (HHS) and the FBI, on October 28. The Advisory warns of an...
Read More ->

Services

Find Professionals

Offices

About Us

Careers

Firm Diversity

LinkedIn Twitter Facebook Instagram Youtube RSS
Subscribe »
© 2021 Baker & Hostetler LLP