Compliance with the Health Insurance Portability and Accountability Act (HIPAA) requirements can be an onerous process for hospitals and other healthcare providers, health plans and the business entities that work with them. Day Pitney lawyers have extensive experience in guiding all types of covered entities and business associates through their obligations under the HIPAA Privacy, Security and Breach Notification Rules. Our lawyers can provide useful tools and practical advice to address the spectrum of privacy and security concerns in today's challenging regulatory environment.
HIPAA Compliance Planning and Readiness Assessment
Data breaches affecting the healthcare industry have reached epidemic proportions and are not likely to abate anytime soon, making risk assessments, training of personnel and breach response planning critical. Equally important is assessing vendors’ security measures and their HIPAA policies and procedures, and entering into appropriate business associate agreements.
Businesses that maintain or access “protected health information” are well advised to identify areas of vulnerability and follow best practices, both internally and in contracting with vendors and other third parties. Day Pitney lawyers prepare HIPAA Policies and Procedures Manuals and other compliance controls for healthcare entities, as well as business associate agreements that document their relationships with outside contractors, to help facilitate HIPAA compliance, optimize risk allocation, and reduce the likelihood or potential severity of a federal penalty.
To help clients evaluate compliance with federal guidelines and readiness for a HIPAA audit by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), Day Pitney has developed a cybersecurity toolkit, including a self-assessment protocol that is based on the published OCR HIPAA audit program protocol and a template incident response plan that incorporates best industry practices. Once an organization has completed development of policies and protocols, our lawyers can assist in training employees to facilitate compliance and preparedness at all levels.
Our lawyers also review vendor contracts to address loss allocation and other provisions that can impact the risks associated with vendor security incidents or breaches.
Data Breach and Litigation Response
In the event of a data breach, our cross-disciplinary legal team provides rapid and comprehensive incident response under the protection of the attorney-client privilege. By maintaining close relationships with the governmental agencies that investigate data protection and privacy matters, as well as a network of forensic and technical experts, the Day Pitney team can assist in effectively investigating data breach incidents and managing the activities of outside experts, law enforcement authorities, and state and federal regulators. We help healthcare institutions determine the source and scope of the breach, assess regulatory compliance requirements, manage notifications and call centers, and conduct after-action review.
Notwithstanding the best planning and response, data breaches may sometimes lead to litigation. The Day Pitney response team includes litigators who work together to respond quickly to both regulatory investigations and civil litigation that may follow a data breach.
When OCR comes knocking to investigate a HIPAA complaint or potential violation, the Day Pitney team is prepared to support your response and will work with you to reduce the likelihood or potential severity of a federal penalty.