HIPAA and HITECH

As reliance on electronic medical records (EMR) and other technologies continues to grow, healthcare organizations must ensure the proper handling of sensitive data in order to avoid liability. The provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act in February 2009, greatly expanded the reach of the Health Insurance Portability and Accountability Act (HIPAA) concerning data privacy and security requirements and other industry standards and regulations.

McGuireWoods represents clients in matters arising under both HIPAA and the HITECH Act, as well as regulations accompanying these and other state data privacy, data security and data breach laws. Our experience includes:

  • HIPAA compliance counseling
  • Policy development and implementation
  • Employee training
  • Drafting and negotiation of HIPAA-compliant business associate agreements and subcontracts
  • Assistance with internal investigations, breach reporting and responding to government investigations, including investigations by the Office of Civil Rights (OCR)
  • Compliance with federal and state mental health and substance abuse laws and regulations, as well as in related litigation, including discovery requests involving health records and HIPAA-qualified protective orders

We advise clients on the full range of risk-mitigation options and requirements, including data encryption, data storage and data breach issues, as well as on the application of the data encryption and data destruction standards set forth in the HITECH Act breach notification safe harbor. We regularly conduct internal investigations and audits involving computer intrusions and corporate security. Where data thefts, losses, breaches or unauthorized disclosures have occurred, McGuireWoods has worked with clients in providing required notices. We have developed comprehensive compliance programs that cover model form contract arrangements, employee data management transfers, and binding corporate rules for international organizations that handle personal data transfers.

We understand the complex business environment facing the healthcare industry as a whole, and focus on the unique objectives and requirements of each of our clients. We regularly represent hospitals, physician practices, pharmacies, health plans, disease management providers, pharmaceutical and medical device companies, telecommunications companies, healthcare consultants, application service providers, software vendors and various other entities that service the healthcare industry. We partner with each of our clients to facilitate HIPAA compliance in harmony with the client’s business strategy.

McGuireWoods’ cross-departmental team of HIPAA lawyers meets regularly to monitor current developments and to plan and implement a range of related educational programs. In addition, our lawyers are frequent speakers at conferences and webinars and regularly publish articles regarding current issues arising under HIPAA, the HITECH Act and other federal and state data privacy and security laws.
