Health industry companies are subject to extensive regulation under state and federal health information privacy laws, most prominently the federal Health Insurance Portability and Accountability Act of 1996, as amended in 2009 by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and the regulations promulgated thereunder (collectively, “HIPAA”). King & Spalding represents a wide range of health care providers, health plans, and health care products and services companies on the full range of HIPAA and other health information privacy and security compliance issues, including those applicable to HIPAA covered entities, business associates, research organizations, research sponsors, and vendors of health informatics products. We also advise clients on state privacy laws, including not only specialized health information privacy laws but also identity theft laws, which often apply to the patient demographic and financial information held by health industry companies.
Enforcement authorities and the media are increasingly focused on electronic data security, given the potential for mass data breaches arising from the storage of large amounts of HIPAA protected health information (“PHI”) in electronic formats. We have considerable experience assisting covered entity and business associate clients with their implementation of HIPAA security rule compliance. Implementing HIPAA security rule compliance requires a close working relationship between legal counsel and the client’s IT staff and/or external IT consultants in order to sort through the details of how particular security measures satisfy the legal requirements. In addition, although some HIPAA security rule requirements are very specific, many are quite general, which presents a challenge when trying to identify and implement specific compliance responses that would be viewed as reasonable and appropriate if subjected to an audit by enforcement authorities. Accordingly, we often work with third-party IT consultants who can bring to bear industry-specific “benchmarking” knowledge, which can be very helpful in identifying relevant industry standards and best practices.
We are experienced in integrating HIPAA-specific compliance features into a company’s pre-existing information security program. Finally, we help clients ensure that their policies, procedures, and other compliance measures are not only HIPAA compliant but also realistic, practical, and achievable.