HIPAA Compliance

Fox understands compliance with the Health Insurance Portability and Accountability Act (HIPAA) isn’t limited to hospitals and medical practices. We provide comprehensive services focused on the proper handling of Protected Health Information (PHI) that include:

  • Preparing required policies and procedures for health care providers, health plans and business associates
  • Drafting business associate agreements; data use agreements for health information exchanges accessed by multiple providers; HIPAA-compliant authorizations for disclosure of PHI; and access request forms to be used by covered entities for patient or plan member PHI access requests
  • Providing HIPAA compliance reviews for researchers receiving or using PHI

Fox also advises insurers, medical debt collectors, health-related software providers and other entities that come into contact with PHI and can be held accountable for failing to keep it private in the event of a breach. In fact, Fox was one of the first law firms in the country to appoint its own HIPAA Privacy & Security Officer.

HIPAA Compliance Work:

  • Provided guidance to a national medical debt collector in an investigation and analysis of a potential breach implicating PHI. Concluded the facts did not require OCR reporting.
  • Represented a drug and alcohol rehabilitation facility in connection with an FBI investigation of identity theft involving patients and former client employees. Provided advice related to HIPAA and 42 CFR Part 2 (substance abuse treatment program confidentiality requirements) compliance.
  • Provide HIPAA counseling for the SAG-AFTRA Health Plan and the SAG-Producers Health Plan.
  • Represent self-funded health plans (ERISA and governmental) with respect to the sharing of information with providers in direct-contracting relationships and for care coordination activities in compliance with HIPAA.
  • Represented a New Jersey-based hospital in an incident involving an employee who improperly transmitted patient information to a new employer. Performed breach analysis and secured certifications that no other transmissions were made and that copies of the data had been destroyed. Reviewed the client’s policies and procedures regarding employee access and use of hospital computer systems and mobile devices to make recommendations for implementing new privacy and security policies.
  • Served as outside privacy counsel for a Fortune 500 technology company and device manufacturer, with special focus on international and health care compliance.
  • Represented a health care client in connection with an investigation of a firewall breach. Worked closely with a forensic team to understand and interpret the results of the investigation. Conducted a breach analysis under HIPAA/HITECH. Concluded the client did not have a reporting obligation under HIPAA/HITECH.
  • Represented a nursing facility in connection with the sale of the facility, including disclosures of protected health information by email and in a virtual data room; performed a risk analysis and determined the disclosures were not subject to the HIPAA “sales” exception but involved a low risk of compromise.
  • Represented a provider practice with respect to breach of protected health information that occurred when a former employee retained patient names and addresses on a personal laptop and subsequently used the information to mail marketing materials to patients.
  • Represented the buyer in an extensive breach that began before and continued after the purchase of a business. Retained and worked with IT and PR consultants in this matter, which involved several health care providers and was ultimately resolved favorably.
  • Represented a consulting firm in connection with a vendor that posted the firm’s protected health care data on an unprotected server.
  • Assisted a medical school in reporting a HIPAA breach to authorities and affected persons.
  • Represented a nonprofit community clinic in connection with access to their office by unauthorized individuals and evaluated the incident with regard to HIPAA breach and reporting obligations.
  • Assisted a nonprofit agency in evaluating the impact of the theft of a computer and drafting HIPAA breach notices to affected individuals.