Healthcare Privacy and Compliance

The depth of the Baker team concerning HIPAA and other complex privacy laws was extensive. They came to the table with a lot of experience dealing with the regulatory agencies.

— Chambers USA 2025

Our diverse team has wide experience in counseling health systems, physician groups, insurers and employers across the country regarding risk assessments, developing comprehensive incident response plans, and responding in a timely and accurate manner to privacy and security incidents, from lost paper files and laptops to the largest cyber incident ever reported involving medical information.

Led the incident response for approximately 50 percent of the largest healthcare data security incidents reported to date.
Successfully defended more than 500 investigations commenced by the Department of Health and Human Services Office for Civil Rights (OCR).
Negotiated more resolution agreements and corrective action plans with the OCR arising out of data security incidents than any other firm (more than 12 agreements negotiated and finalized).
Defended hundreds of investigations by attorneys general, including multi-state investigations, arising out of data security incidents.
Negotiated numerous consent judgments and settlements with attorneys general, including some of the largest on record.
Defending a large public health system in a multi-state attorney general investigation. The matter arises out of a nation-state sponsored data security incident.
Advise health systems, physician groups, academic medical centers and long-term care facilities regarding all aspects of general privacy matters, including HIPAA compliance, the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other state privacy laws. Our team provides guidance on the HIPAA Privacy and Security Program, state law requirements, breach analysis, regulatory reporting, policies and procedures, and general privacy advice, including best practices for safeguarding individuals’ protected health information and other personally identifiable information,
Because of our privacy and regulatory expertise, clients often look to us to conduct privacy assessments. We conduct gap analyses; review policies and procedures to assess HIPAA compliance, state law compliance, policy and procedure comprehensiveness; provide training and education on privacy matters, privacy awareness and readiness within the organization; and review processes in business agreements, breach notification protocols and investigation procedures, among other privacy issues.
We represent healthcare clients in connection with HIPAA audits conducted by federal regulators. Since 2016, we have helped several diverse healthcare entities prepare for audits across the privacy, security and breach notification rules under HIPAA in anticipation that they would be chosen for an audit. When the audits were sent later that year, we worked with selected entities to respond to the HIPAA audits and OCR findings. Because of this experience, in June 2018 we began working with large health system in the Midwest in preparation for an expected onsite OCR audit. Our work in this area represents our strong command of HIPAA laws, policies and procedures, a practical understand of healthcare operations, as well as our strong working relationship with the OCR, which allows us to guide the client’s response in such a way that it demonstrates compliance while advocating for a practical approach to HIPAA at healthcare organizations.
We advise medical device manufacturers on their obligations as business associates and data owners on general privacy matters, including HIPAA compliance, GDPR, CCPA and state privacy laws. Our team provides guidance on the HIPAA Privacy and Security Program, state law requirements, breach analysis, regulatory reporting, policies and procedures, and general privacy advice, including best practices for safeguarding individuals’ protected health and other personally identifiable information. A recent secondment of our attorneys at a device manufacturer presented the team with a real-time look into the complex and volume of privacy issues that these entities face, and we were able to successfully support the client through these issues.
As privacy and data protection issues have moved into the boardroom, we find our team of attorneys being requested to attend board meetings at healthcare organizations to explain the regulatory and risk environment and to provide real-time advice on responding to high-stakes cybersecurity incidents. These presentations range from tabletop exercises and breach workshops, risk assessment advice and compliance strategy to crisis management and strategy during a large data breach. Our clients include some of the United States’ largest and most well-respected healthcare providers and health insurers.