DATA PRIVACY, SECURITY, INTEROPERABILITY AND GOVERNANCE

Coppersmith Brockelman has a nationally recognized data privacy, security, interoperability and governance practice. We serve a wide range of clients in the health care industry, including universities and academic medical centers, health systems and hospitals, other institutional providers, telehealth companies, physician groups, health plans (including self-insured employer-sponsored plans), health IT vendors and innovative technology companies, data analytics and data services companies, and other companies that provide services to the health care industry. We also provide privacy advice to clients outside the health care industry, in both the nonprofit and for-profit sectors. We can help with the following areas (in alphabetical order):

ARTIFICIAL INTELLIGENCE (AI)

We advise on the rapidly evolving data privacy, security and governance issues involved in the development and use of AI in the highly regulated health care space, including:

  • Advising on federal and state privacy compliance in the use and sharing of data for AI development;
  • Drafting contractual provisions regarding the use of AI tools to support emerging best practices and to mitigate the organizational risk relating to the use of AI (including data privacy and security, preventing patient harm, addressing bias, and protecting proprietary business information);
  • Structuring AI development deals as research/R&D projects;
  • Drafting and implementing AI data governance; and
  • Drafting and training on AI policies.

BIG DATA

We counsel clients on a broad variety of “Big Data” issues, including:

  • Advising clients on the appropriate use of health information for data analytics, research, quality improvement initiatives, care coordination platforms, and other uses of large, longitudinal, multi-party data sets;
  • Leveraging our relationships with statisticians and other leading experts to de-identify information and protect against re-identification of individuals;
  • Advising clients on collaboration agreements related to sharing data in compliance with federal and state laws; and
  • Counseling clients on commercialization and other secondary data use.

DATA BREACHES AND INCIDENTS

We assist clients in preventing, assessing, and responding to privacy and security incidents, including data breaches. Our lawyers have dealt with an incredibly wide range of incidents, from sophisticated hacking incidents involving millions of patients, to lost laptop computers, misdirected emails, improper disposal of data, and employee theft. We are regularly:

  • Working with forensic experts and other IT consultants to investigate and remediate breaches;
  • Assessing whether disclosures of information and other security incidents are reportable breaches under HIPAA, FTC breach reporting regulations, and state breach reporting laws;
  • Assisting clients in complying with breach reporting obligations, such as notifying patients or other individuals, government agencies (including the Office for Civil Rights (OCR) and state AGs), and the media;
  • Responding to investigations by OCR, state AGs, and other federal and state agencies;
  • Working with clients to mitigate harm and improve their practices to prevent future breaches; and
  • Advising clients on responding to data incidents caused by vendors or other business associates, including seeking reimbursement and/or indemnification for costs and fees.

DIGITAL HEALTH AND TELEHEALTH

We advise telehealth companies, health IT companies developing digital health products, and health systems and academic medical centers using or developing digital health, on the following issues:

  • Data strategy, including ensuring broad rights to use data for product development and potential commercialization of data as a revenue source;
  • Negotiating collaboration and other agreements to support the development of AI and other digital health tools;
  • Negotiating license agreements for secondary use of data;
  • Contracting with the users of digital health products, including HIPAA business associate agreements;
  • Advising on federal and state requirements for digital health;
  • Advising on TCPA compliance and handling TCPA litigation; and
  • Providing advice on website and mobile app terms of use and privacy policies.

EUROPEAN UNION GENERAL DATA PROTECTION REGULATION (GDPR)

We counsel clients in the United States about when the GDPR applies to their organizations, and guide clients through necessary compliance activities, including:

  • Working with consultants to chart personal data flows and processing arrangements;
  • Supervising GDPR readiness assessments;
  • Developing GDPR-compliant policies;
  • Negotiating data processing agreements to support data exchange with European data sources;
  • Advising on GDPR research requirements, including de-identification of personal data and implementing GDPR research rules and exceptions; and
  • Advising on individuals’ rights under the GDPR.

FAMILY EDUCATIONAL RIGHTS & PRIVACY ACT (FERPA)

We advise clients on how to use and disclose educational records in compliance with FERPA, including how FERPA interacts with other state and federal privacy laws, like HIPAA and 42 C.F.R. Part 2.

FEDERAL TRADE COMMISSION (FTC)

The FTC is becoming a major player in the data privacy and security space. We help clients in:

  • Understanding the scope and application of the FTC health data breach reporting regulations;
  • Advising clients on FTC compliance in implementing website and mobile app privacy policies;
  • Counseling clients in implementing digital advertising programs; and
  • Handling FTC investigations.

HEALTH IT CONTRACTS AND DATA SHARING AGREEMENTS

Our team of data attorneys has deep experience drafting and negotiating a wide variety of vendor and customer health IT contracts and data sharing agreements that address:

  • “Big data” arrangements;
  • Development and implementation of AI;
  • Digital health platform and application services;
  • Telehealth services;
  • HIN/HIE services;
  • Data privacy, security and interoperability content, including HIPAA business associate agreements, state consumer data law compliance addenda, security addenda, and interoperability addenda;
  • Patient and provider portals, as well as other external-facing portal technologies; and
  • Research.

HEALTH INFORMATION NETWORKS & EXCHANGES

We work with many public and private health information networks and exchanges (HIN/HIEs) and their participants, including:

  • Helping to create Arizona’s HIE;
  • Drafting legislation and policy to support HIN/HIEs, including drafting the Arizona Health Information Organization (HIO) Law and subsequent amendments to the HIO Law to improve health information exchange in Arizona;
  • Structuring regional and national data sharing collaborations, advising on data governance, and drafting and negotiating regional and national data sharing agreements;
  • Advising on the integration of sensitive health information into HIN/HIE, including 42 CFR Part 2 data integrations;
  • Advising and commenting on HIN/HIE participation in regional and national interoperability frameworks, such as Carequality, CommonWell, the Trusted Exchange Framework and Common Agreement (TEFCA), the Data Use and Reciprocal Support Agreement (DURSA), and the California Data Exchange Framework (DxF); and
  • Working on compliance with the Information Blocking Rule (IBR), as it applies to HIEs and HINs.

HIPAA

Over the past 25 years, we have guided hundreds of clients with HIPAA compliance and complex HIPAA-related issues, including:

  • Drafting HIPAA policies and other HIPAA-related documents (such as Notice of Privacy Practices and access and authorization forms) for covered entities and business associates;
  • Drafting and negotiating HIPAA business associate agreements;
  • Advising on HIPAA organizational arrangements, including hybrid entities, affiliated covered entities (ACEs) and organized health care arrangements (OHCAs);
  • Analyzing patient access issues;
  • Handling subpoenas and other third-party requests for health information;
  • Evaluating proposed marketing efforts, including through the use of text and email messages;
  • Working closely with clients on the use of tracking technologies and compliance with the OCR’s Guidance on the Use of Online Tracking Technologies;
  • Structuring complex data sharing arrangements, such as those supporting value-based care arrangements including Accountable Care Organizations (ACOs) and Clinically Integrated Networks (CINs), and those supporting research collaborations;
  • Establishing clinical data repositories for research and data analytics;
  • Guiding clients through de-identification of patient health information (including working with de-identification experts); and
  • Working with clients on participating in shared electronic health records.

INTEROPERABILITY

We assist a wide variety of clients in assessing, complying with, and leveraging opportunities arising out of the dynamic new field of health care interoperability, including:

  • Implementing compliance programs for the federal Information Blocking Rule, ONC Certification Program requirements, CMS interoperability mandates (e.g., Patient Access API, Provider Access API, Payer-to-Payer API, and Prior Authorization API), CMS Promoting Interoperability programs, and state interoperability laws (e.g., California, Connecticut and Tennessee) that support compliance with underlying federal and state data privacy and security requirements;
  • Assessing technical solutions (ranging from patient and provider portals to data segmentation solutions);
  • Negotiating technology/service contracts for vendors and customers that align with the complex interoperability, privacy and security requirements;
  • Assessing participation in, and meeting the compliance challenges of, nationwide data exchange under state, regional and national interoperability frameworks, including the Trusted Exchange Framework and Common Agreement (TEFCA), Carequality, CommonWell, the Data Use and Reciprocal Support Agreement (DURSA), and the California Data Exchange Framework (DxF);
  • Assisting in interoperability audits and investigations involving private organizations and governmental agencies (e.g., OIG and FTC), as well as disputes involving interoperability obligations; and
  • Working with clients to leverage interoperability requirements to improve data sharing.

RESEARCH (CLINICAL & HEALTH SERVICES)

We routinely work with clients on issues related to privacy and security in clinical and health-services research, including:

  • Advising on HIPAA compliance in research arrangements;
  • Guiding clients on de-identification of health information for research, including working with statisticians to obtain statistical certification of de-identification for research data sets;
  • Evaluating genomic/genetic privacy under federal and state law, including how to integrate consent for sharing genomic information for research; and
  • Assisting in the creation and use of data repositories and biobanks for research.

SENSITIVE HEALTH DATA

We work with a wide range of clients on how to manage particularly sensitive health data, such as substance use disorder data protected by 42 C.F.R. Part 2, reproductive health care information, genetic data, and other data subject to heightened privacy protections under state and federal laws. We assist with:

  • Mapping sensitive data flows;
  • Drafting sensitive data policies and procedures;
  • Drafting and negotiating health IT vendor and data sharing contracts;
  • Responding to requests/demands for records, such as law enforcement and administrative requests, subpoenas, and court orders;
  • Integrating sensitive data into electronic medical records, health information networks/exchanges, and value-based care platforms;
  • Addressing new state consumer law requirements specific to the use, disclosure and sale of sensitive personal data;
  • Developing and implementing sensitive data segmentation solutions; and
  • Advising on limitations and requirements for the use and disclosure of sensitive data in a variety of contexts.

STATE LAW COMPLIANCE

We help clients comply with the ever-expanding number of state privacy laws. That includes breach-reporting laws, laws protecting sensitive data (such as reproductive health, genetics and substance use disorder), state consumer data privacy laws like the California Consumer Privacy Act (CCPA), state data broker laws, state biometric privacy laws, and state children’s privacy laws. Our work in this area includes:

  • Assisting clients in understanding what state laws apply to their data collection, use and disclosure;
  • Advising clients in structuring their data compliance programs to minimize the impact of state laws;
  • Developing privacy policies and notices, including website and mobile app privacy policies, information-collection notices, opt-in and opt-out notices, and notices of financial incentives;
  • Assisting clients in responding to individual requests under state privacy laws, such as requests for access, amendment and deletion; and
  • Assessing whether disclosures of information and other security incidents are reportable breaches under state breach-reporting laws and assisting clients in meeting their breach-reporting obligations.

Attorneys

Kristen Rosati
Email Kristen | 602-381-5464

Melissa Soliz
Email Melissa | 602-381-5484

Erin Dunlap
Email Erin | 314-255-5988

Katherine Hyde
Email Katherine | 602-381-5471

Ben Yeager
Email Ben | 602-381-5488