Health Care Data Security and Privacy

Protecting individuals’ health data has never been more challenging or important for those involved in the health care industry.  Hackers, employee mistakes, product design flaws, the proliferation of big data and personal devices, and the increasing degree of interconnectivity among payers, providers and the vendors who support them all raise the potential for data incidents or breaches.  As robust analysis of individuals’ data becomes increasingly essential to effectively treating patients and maintaining the health of populations, repositories of this data increasingly will become targets for medical identity thieves and others seeking access to pharmaceuticals or otherwise looking to capitalize on the enhanced street value of medical information.  Failing to protect against these threats and hazards is not an option given the substantial reputational and legal consequences of a breach.  Whether you are a group health plan, carrier, health care provider, or technology or consulting firm serving payers or providers, keeping safeguards that protect this data up to date and maintaining the capacity to respond quickly to data incidents, agency audits and investigations, and individual complaints is a critical part of your business operations.


New state laws and enhanced federal oversight and enforcement of existing laws and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), significantly raise the stakes for failing to implement, update and maintain appropriate safeguards and controls to protect individually identifiable health information.  Health care payers and providers, as well as SaaS vendors, data hosts, data processors and other vendors to the health industry, need a team of professionals experienced with implementing compliance programs at varying levels of complexity, responding to data incidents of all sizes, and facilitating data exchange with different networks, systems and enterprises.  You're looking for a team that is knowledgeable about the latest regulatory requirements and enforcement trends and creative enough to leverage its knowledge and experience into solutions for unique business needs and circumstances.  Stoel Rives is that team.  We help you minimize the likelihood of data breaches in the first place and, when incidents do occur, avoid civil and criminal penalties and survive the threat of litigation.

Our Services

  • Privacy and security protocols, policies and agreements
  • HIPAA and HITECH compliance audit preparation
  • Department of Defense Instruction compliance
  • Privacy and security training
  • Subcontractor and vendor compliance and monitoring programs
  • Assistance with data use agreements, limited data sets, research protocols and waivers
  • CLIA compliance
  • Data incident response
  • Breach notification assessment and coordination
  • Complaint and enforcement action responses
  • Risk assessments
  • Pre- and post-acquisition compliance assessments

We work with you on all aspects of compliance with HIPAA and other state and federal privacy and security laws, including the federal Privacy Act and state medical records, data security, data disposal and breach notification acts.  We assist with the development of compliant documentation, conduct comprehensive HIPAA training for employees, provide data incident and breach preparation and response, and assist in preparing for and responding to audits and enforcement investigations.  

  • Lead privacy counsel for incident response and breach notification in data compromise and security breach matters ranging from one person to nearly five million unique individuals.
  • Assisted health care providers in responding to Office for Civil Rights' investigations of privacy complaints.
  • Assisted providers, support services organizations and technology vendors with gap analysis and HIPAA Security Rule compliance for computer systems, networks and software (e.g., Electronic Health Record, RIS/PACS, Laboratory Information System) acquisition and deployment.
  • Prepared and reviewed privacy and security policies and procedures for health care providers, managed care entities and group health plans.
  • Chief outside privacy counsel for technology and business process outsourcing contractor balancing information security requirements under the federal Privacy Act, Department of Defense and agency rules, and federal and state rules governing identifiable health information, genetic information and security breach issues.
  • Advised client in negotiations with data services vendor on unique vulnerabilities and appropriate safeguard requirements in contracting for cloud-based services.
  • Advised application developers on HIPAA compliance, data security and privacy policy.
  • Advised investigators and institutional review boards on privacy-related aspects of research protocols and privacy waivers, and research exceptions.