Healthcare Technology, Privacy & Data Security

As healthcare privacy and data security laws evolve along with fast-advancing technology, Morgan Lewis provides the state-of-the-art advice necessary for our clients to stay abreast of this ever-changing field. We represent healthcare providers, pharmaceutical and medical device companies, health maintenance organizations (HMOs), healthcare clearinghouses, and healthcare technology companies across the entire continuum of medical privacy and data security issues—from compliance with the Health Insurance Portability and Accountability Act (HIPAA) and other domestic and international mandates to mobile health applications (apps) and healthcare devices that are part of the Internet of Things.

We advise on transactional concerns—including the regulatory implications of healthcare technology agreements and joint venture arrangements—as well as performing privacy and security due diligence in healthcare industry acquisitions. The firm also assists with integrating privacy and data security policies and procedures into the formal corporate compliance programs that are so important to our healthcare industry clients. Our approach in all matters is comprehensive, integrated, and practical—combining top-shelf regulatory, transactional, and litigation capabilities.

Regulatory compliance and litigation

We counsel clients from all sectors of the healthcare industry on the full range of privacy and data security requirements. We assist clients whose products (e.g., medical software) may be regulated by the US Food and Drug Administration and also provide counseling with regard to state medical record and security breach notification laws.

Morgan Lewis advises on all aspects of HIPAA, as well as the Gramm-Leach-Bliley Act and state medical privacy laws. We also counsel clients in connection with Federal Trade Commission (FTC) standards, electronic health record meaningful use regulations, Centers for Medicare & Medicaid Services (CMS) and Office of the National Coordinator for Health Information (ONC) interoperability rules, and investigations, audits, and enforcement actions of the Office for Civil Rights (OCR) of the US Department of Health and Human Services and state attorneys general. The firm also advises clinical trial sponsors, contract research organizations, institutional review boards, and privacy boards on clinical trial privacy issues.

We also advise healthcare industry clients on emerging regulatory issues, such as the use of artificial intelligence/machine learning and the application of the California Consumer Privacy Act (CCPA) and other new state privacy laws to digital health companies.

Our understanding of emerging industry best practices and guidance (formal and informal) from state and federal regulators helps us develop corporate privacy compliance programs that address the full range of applicable privacy and security laws. We advise both HIPAA-covered entities and service providers to the healthcare industry seeking to demonstrate compliance with HIPAA business associate agreement obligations and other applicable privacy and security legal standards and best practices. Our lawyers also advise institutions on the impact of the HIPAA Privacy Rule on research operations.

Having represented hundreds of healthcare organizations in responding to security breaches involving medical information, we help clients with dynamic and agile response and mitigation strategies in these fast-moving and often critical situations. We also help organizations take a proactive approach to data security compliance that can both help prevent the occurrence of breaches and aid in the development of effective incident response plans and mitigation.

OCR is ramping up HIPAA enforcement and audits, and the FTC and state attorneys general are increasingly concerned with privacy and data security matters. In this heightened enforcement environment, our lawyers defend healthcare organizations in connection with administrative, civil, and criminal audits, investigations, and litigation relating to privacy matters.

Our regulatory clients include:

  • Hospitals
  • Healthcare clearinghouses
  • Healthcare information technology companies
  • Insurers
  • Laboratories
  • Medical centers
  • Medical device manufacturers
  • Health information exchanges
  • Pharmaceutical companies
  • Pharmacies
  • Physician groups
  • Third-party administrators
  • Universities
  • Vision centers
  • Mobile health app developers

Transactional and corporate matters

Our lawyers handle a wide variety of healthcare IT–related deals, including the formation of health information exchanges, spin-offs, sales of companies, acquisitions, financings, and ventures in transaction processing. We guide entrepreneurs through the many legal and business challenges that confront emerging, innovative technology firms—including corporate, tax, intellectual property, securities, employment, and other issues—to position our growing-company clients to raise capital, hire and retain talent, and achieve business plan goals.

Because businesses are increasingly data-driven and mishandling of privacy and security can result in significant liability, privacy and security compliance has become a critical due diligence issue in healthcare acquisitions and joint ventures. Our lawyers, including members of our outsourcing practice, handle a wide range of healthcare transactions and evaluate risks associated with privacy and security matters. For healthcare organizations with international operations, the firm’s privacy team includes lawyers with knowledge of the requirements for cross-border data transfers of health information in the European Union and around the world, as well as international privacy and de-identification standards.

We represent healthcare IT companies, as well as traditional healthcare providers, with respect to strategic alliances and joint ventures with third-party technology companies and the attendant regulatory implications. Our work includes advising on arrangements that involve the outsourcing of business functions such as website maintenance and mobile app development, as well as teaming agreements to jointly market and sell existing healthcare IT products and services. Our lawyers also assist clients in the protection of intellectual property on the internet, as well as advertising, content liability, cloud computing, encryption, and technology transfer issues.

Our transactional clients include:

  • Emerging companies
  • Hardware vendors
  • Hospitals
  • Insurers
  • Health information exchanges
  • Regional health information organizations
  • Service vendors
  • Software vendors
  • Telecommunications organizations
  • Mobile application developers
  • Healthcare clearinghouses

Public policy assistance

In an era of great activity on the part of federal and state governments—including initiatives to utilize IT to improve medical care, reduce medical errors, make healthcare administration more efficient, and give more power to patients—we regularly participate in the formation of public policy. In these efforts, we represent leading trade associations, standard-setting bodies, physicians’ organizations, hospital groups, and healthcare IT companies.

Employee benefits: Special resources

Morgan Lewis’s employee benefits practice has developed a number of risk management tools targeted to employers across all industries that sponsor group health plans for their employees, as well as the business associates of those plans. Our HIPAA Privacy Compliance Initiative is designed to arm our plan sponsor clients with the tools they need to navigate HIPAA in this new era of increased enforcement and heightened civil and criminal penalties ushered in by the HITECH Act. These services include self-audit assistance, workforce training, and privacy officer assistance.