For More Information
W. Reece Hirsch
Partner - San Francisco
As healthcare privacy and data security laws evolve along with fast-advancing technology, Morgan Lewis provides the state-of-the-art advice necessary for our clients to stay abreast of this ever-changing field. We represent healthcare providers, pharmaceutical and medical device companies, HMOs, healthcare clearinghouses, and healthcare technology companies in a full slate of medical privacy and data security matters, including compliance with HIPAA and other domestic and international mandates.
We advise on transactional concerns, such as the regulatory implications of healthcare technology agreements and joint venture arrangements. And we assist with integrating privacy and data security policies and procedures into the formal corporate compliance programs that are so important to our healthcare industry clients. Our approach in all matters is comprehensive and integrated—combining top-shelf regulatory, transactional, and litigation capabilities—to our clients’ greatest cost and quality benefit.
Regulatory compliance and litigation
We counsel a wide variety of healthcare and related clients on the full range of privacy, data security and transaction and code set requirements. We assist clients whose products—such as medical software—may be regulated by the Food and Drug Administration (FDA). We also provide counseling with regard to state medical record and security breach notification laws.
Morgan Lewis advises on all aspects of the Health Insurance Portability & Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Gramm-Leach-Bliley Act (GLBA), and state medical privacy laws. We also counsel clients in connection with Federal Trade Commission (FTC) standards, the Red Flags rule, electronic health record meaningful use regulations, and actions of the Office for Civil Rights of the Department of Health and Human Services (OCR).
Utilizing our understanding of emerging industry best practices and guidance (both formal and informal) from state and federal regulators, we develop corporate privacy compliance programs that address the full range of applicable privacy and security laws. We advise both HIPAA-covered entities and service providers to the healthcare industry seeking to demonstrate compliance with HIPAA business associate agreement obligations and other applicable privacy and security legal standards and best practices. Our attorneys also advise institutions on the impact of the HIPAA Privacy Rule on research operations.
Morgan Lewis has represented hundreds of healthcare organizations in responding to security breaches involving medical information and offers knowledgeable, practical advice in these critical situations. We also help organizations take a proactive approach to data security compliance that can both help prevent the occurrence of breaches and aid in effective incident response and mitigation.
OCR is ramping up HIPAA enforcement and audits in the wake of the HITECH Act, and the FTC and state Attorneys General are increasingly concerned with privacy and security matters. In this heightened enforcement environment, our attorneys defend healthcare organizations in connection with administrative, civil and criminal audits, investigations, and litigation relating to privacy matters.
Our clients include:
- Data clearinghouses
- Hospitals
- Healthcare clearinghouses
- Healthcare information technology companies
- Insurers
- Laboratories
- Medical centers
- Medical device manufacturers
- Regional health information organizations
- Pharmaceutical companies
- Pharmacies
- Physicians groups
- Third-party administrators
- Universities
- Vision centers
Transactional and corporate matters
Our attorneys handle a wide variety of healthcare information technology-related deals, including formation of health information exchanges, spin-offs, sales of companies, acquisitions, financings, and ventures in transaction processing. We guide entrepreneurs through the many legal and business challenges that confront emerging, innovative technology firms, including corporate, tax, intellectual property, securities, employment, and other issues that position a growing company to raise capital, hire and retain talent and achieve business plan goals.
Privacy and security compliance has become an increasingly critical due diligence issue in health care acquisitions and joint ventures. Our attorneys, including members of our Outsourcing Practice, handle a wide range of health care transactions and evaluate risks associated with privacy and security matters.
We represent healthcare information technology companies, as well as traditional health care providers, with respect to strategic alliances and joint ventures with third-party technology companies, and the attendant regulatory implications. Our work includes advising on arrangements that involve the outsourcing of business functions such as Web site maintenance and application development, as well as teaming agreements to jointly market and sell existing healthcare information technology products and services. Our attorneys also assist clients in the protection of intellectual property on the Web, advertising issues, content liability issues, cloud computing, encryption issues, and technology transfer issues.
Our clients include:
- Data clearinghouses
- Emerging companies
- Hardware vendors
- Hospitals
- Insurers
- Health information exchanges
- Regional health information organizations
- Service vendors
- Software vendors
- Telecommunications organizations
- Mobile application developers
Public policy assistance
In an era of great activity on the part of federal and state governments—including initiatives to utilize information technology to improve medical care, reduce medical errors, make health care administration more efficient, and give more power to patients—we regularly participate in the formation of public policy. In these efforts we represent leading trade associations, standard-setting bodies, physicians’ organizations, hospital groups, and healthcare information technology companies.
Fixed-fee arrangements
We offer a fixed-fee pricing model for a package of HIPAA audit services for healthcare industry clients, customized to ensure their HIPAA privacy and security compliance programs are consistent with best practices and appropriately updated to reflect new HITECH requirements.
Employee benefits: Special resources
Morgan Lewis’s Employee Benefits Practice has developed a number of risk management tools targeted to employers across all industries that sponsor group health plans for their employees, as well as the business associates of those plans. The HIPAA Privacy Compliance Initiative, led by Employee Benefits counsel Georgina O’Hara, Lauren Licastro, and Sage Fattahian, is designed to arm our plan sponsor clients with the tools they need to navigate HIPAA in a new era of increased enforcement activity and heightened civil and criminal penalties that was ushered in by the HITECH Act. These services include self-audit assistance, workforce training, and privacy officer assistance, all offered based on a fixed-fee pricing model designed to meet each client’s needs.
