Hinshaw's health care attorneys advise health care providers on issues regarding federal and state privacy and security concerns. With the implementation of the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH), and the Omnibus Final Rule, health care providers face a complex set of regulatory requirements dealing with privacy and security of health information. Because state and federal law covering this area are not always consistent, we also assist in negotiating such conflicts. This complex set of rules affects the use and disclosure of health information by health care providers, business associates who provide services to health care providers utilizing protected health information, insurers and clearinghouses and vendors and contractors of health care providers or business associates. Hinshaw's health care attorneys regularly counsel clients on:
- Privacy and security policies and procedures
- Use and disclosure of protected health information
- Electronic Health Records (EHR) and meaningful-use
- Conducting risk assessments
- Use of off-shore contractors
- Technology licensing and other arrangements
- Breaches and breach notification
- Development of forms such as the Notice of Privacy Practices
- Patients' rights
- Business associate agreements and subcontractor agreements
- Health information exchanges
- Sharing information from state to state
- Telemedicine and diagnostic tools, IT software and hardware
Health Care Privacy & Security Compliance
The highly complex regulatory framework involving patient privacy and security makes compliance a particular challenge for providers and business associates alike. Hinshaw's health care attorneys assist clients to help ensure not only that HIPAA requirements are included in general compliance programs, but that providers and business associates are up to date on current HIPAA requirements, and that policies and procedures are evaluated and updated on a periodic basis and in response to current legal developments. To help ensure ongoing compliance and mitigate risk, we conduct risk analysis and provide train-the-trainer program sessions, as well as revise applicable forms, policies and procedures, and agreements, such as business associate agreements.
We assist with all types of forms, and help clients develop and implement applicable privacy and security policies and procedures, and evaluate and audit those policies and procedures for effectiveness.
Privacy & Security Breaches and Breach Notification
If providers or other organizations accessing patient data suspect or confirm inappropriate use of PHI or a related security breach, the next steps they take can prove critical for the business. Hinshaw's health care attorneys work with clients to identify what disclosure was made and the circumstances of such disclosure to determine if breach has occurred and whether notification—and what type of notification—is required. Each situation must be evaluated individually and a proper risk assessment must be performed. Hinshaw's health care attorneys have worked with clients in many situations in which, although PHI may have been disclosed, under HIPAA, breach notification was not required.
Our attorneys advise large health systems, community hospitals, ambulatory surgicenters, sleep centers, clinics, large physician practices, individual physician practices, long-term care facilities, behavioral health and drug and alcohol treatment facilities and other ancillary providers in achieving and maintaining compliance with privacy and security rules. Our attorneys have also worked with various associations and other entities that have been categorized under HIPAA laws as business associates — including law firms, accounting firms, consultants and other professional services firms that work with or represent health care providers and business associates. We also work with clients to help ensure that they meet the rapidly expanding requirements for business associates under HIPAA, the HITECH Act and the Omnibus Final Rule and to ensure compliance and mitigate risk of civil monetary penalties and other sanctions.