HIPAA—Health Information Privacy & Security


The protection and security of patient information presents challenges to all those in the health care field. The Health Insurance Portability and Accountability Act (HIPAA) requires health care providers, health plans and health care clearinghouses to adhere to strict confidentiality and security protections for patient “protected health information” or “PHI”. The HIPAA compliance ante was significantly upped by the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH), which was operationalized in January 2013 with the promulgation of a long-awaited Omnibus Rule implementing the HITECH Act. Under HITECH and the Omnibus Rule, penalties for HIPAA violations can reach $1.5 million per violation in a calendar year. The federal government has significantly stepped up HIPAA enforcement, and state attorneys general are now able to bring HIPAA enforcement actions in their states. The federal government intends to conduct HIPAA audits to assess compliance. And now, for the first time, “business associates” are directly liable to the federal government for HIPAA violations. The scope of entities that are considered “business associates” was expanded in a number of ways so that now downstream subcontractors can be caught in the HIPAA net. It is more important than ever for those subject to HIPAA to maintain fail-safe data security measures and patient information privacy programs.

Dykema’s interdisciplinary team of health care, employee benefits, information technology, and intellectual property lawyers provides the full range of customized services and solutions designed to help health care providers, managed care organizations, insurers, employee benefit plans, employers and business associates fully comply with HIPAA and HITECH. Our services include counsel on HIPAA requirements; preparation for and assistance with government HIPAA audits; assisting clients in responses to complaints and government HIPAA investigations; drafting and reviewing HIPAA and HITECH forms, policies, procedures and business associate agreements; designing and implementing HIPAA compliance plans; training staff; developing breach response plans; and managing HIPAA-protected information in litigation.

Experience Matters

Representative work includes:

  • Drafting a comprehensive HIPAA compliance manual for a national health professional trade association.
  • Preventing the imposition of civil money penalties for alleged HIPAA violations for hospitals, ambulatory surgery centers, physician practices, other health care providers, and group health plans by effective interaction with the Office for Civil Rights of the U.S. Department of Health and Human Services.
  • Overseeing a large dental provider’s response to a HIPAA audit, and interpreting audit findings for improved compliance.
  • Assisting health care providers, including hospitals, physicians, hospices and mental health facilities, group health plans and business associates to determine if a HIPAA breach requiring notification has occurred and fashioning appropriate notices and mitigation strategies.
  • Assisting health care providers, health plans and business associates in responding to government investigational subpoenas involving PHI, as well as responding to subpoenas in private civil litigation.
  • Assisting mental health providers in responding to law enforcement and governmental requests for information.
  • Advising mental health and substance abuse plans and providers on HIPAA-compliant procedures to enable data sharing for care management, data aggregation and utilization and quality reviews.
  • Analyzing complex business associate and data sharing relationships, including those involving Pioneer and Medicare Shared Savings ACO participants, and customizing business associate agreements to capture the unique requirements of these relationships.

Events & Speaking Engagements