We practice in a group dedicated to provider, life sciences, research, payor, medical technology, and digital health clients, so we can spot issues and give practical, market-consistent advice as part of seamless, cross-functional, multi-jurisdictional teams. We advise on the full range of regulatory, transactional, and litigation needs that arise as clients use health data and emerging technologies to make health care more precise, efficient, affordable, and personalized, in accordance with continually changing and expanding laws and regulations.
Our privacy, data protection, and cybersecurity work focuses on:
United States
HIPAA, HITECH, and related frameworks, including Part 2
Our team regularly advises clients on a wide range of data privacy issues under HIPAA, its implementing regulations, and related regulatory frameworks, including developing and implementing HIPAA compliance programs, advising on and negotiating data sharing and business associate agreements, counseling on marketing and clinical research considerations, and advising on the application of these frameworks to hot-button issues such as reproductive and gender-affirming care.
In addition, our team closely follows regulatory guidance and changes to the HIPAA regulations proposed by the U.S. Department of Health & Human Services’ Office for Civil Rights, while also successfully defending clients in HIPAA enforcement actions. For more information on our investigations and enforcement work, please visit our Health Care & Life Sciences Investigations page.
We also advise providers on compliance with the federal regulations governing the confidentiality of substance use disorder (SUD) patient records at 42 CFR Part 2, which impose patient consent requirements and disclosure restrictions on Part 2-protected SUD treatment records that differ from those under HIPAA.
Because HIPAA does not protect health information generally and instead regulates covered entities and business associates specifically, life sciences manufacturers are generally not subject to HIPAA, with the exception of certain product support programs or patient access programs. These clients nonetheless remain HIPAA-adjacent and must contend with the law when they seek access to limited health information from covered entity health care providers, such as when they need to adjudicate outcomes-based contracts or sponsor research and clinical trials. We regularly advise manufacturers in these contexts. We have also worked with manufacturers that strategically self-select to become covered entities.
Non-HIPAA federal and state privacy and cybersecurity laws and regulations
In addition to counseling life sciences and health care clients on compliance with HIPAA, our team advises clients on federal and state privacy and cybersecurity laws and regulations. These include the Federal Trade Commission’s Health Breach Notification Rule, the Telephone Consumer Protection Act, the CAN-SPAM Act, and state corollaries, as well as state privacy and data protection laws, including comprehensive consumer privacy laws, biometric privacy laws, consumer health privacy laws, medical records laws, and cybersecurity laws and regulations. We also track privacy and cybersecurity bills in Congress and state legislatures to help keep clients apprised of the potential impact of those bills on their businesses.
Cybersecurity and data breach response
We help health care and life sciences clients develop, strengthen, and streamline their cybersecurity compliance programs and respond to data privacy and security incidents. We assist clients in drafting, implementing, and updating custom, thorough, and practical cybersecurity policies and procedures and incident response plans.
We also organize and run incident response training and practice exercises for our clients. These include tabletop exercises where we help guide the client’s incident response team through a realistic cybersecurity incident scenario so the team can practice analyzing relevant information and making necessary decisions. Following an exercise, we provide a list of considerations that the organization can use to improve its cybersecurity incident response plan and procedures.
When a cybersecurity incident or data breach occurs, we provide crisis management services to manage the response or coach the incident response team through the response to help the client quickly and defensibly stop the incident, mitigate the harm, and fix the cause. We also address legal considerations, including assistance with drafting notices to regulators and affected individuals and ensuring the preservation of legal privilege.
Public data breaches often lead to government inquiries or investigations and class action litigation. We assist our clients in responding to the extensive follow-up requests from regulators and in defending against class actions.
Research and development
We advise life sciences and medical technology companies on data acquisition strategies to support research and development activities. Recently, this work has focused on navigating HIPAA, FDA, and human subject protection rules in the acquisition of personal health data to support AI development, including AI that will be embedded within medical devices. Our multidisciplinary team approach allows our clients to work with a single firm as they navigate myriad regulatory frameworks and evaluate potential future regulations.
Interoperability and information-blocking
We also advise industry clients on compliance with the Interoperability, Information Blocking, and Patient Access final rules, which collectively establish data-sharing obligations for the health care sector that operate alongside existing HIPAA requirements. We help clients design compliant processes that preserve essential investments in health IT while enabling appropriate access, exchange, and use of electronic health information.
Novel issues
Life sciences and health care organizations can attract significant interest from regulators, politicians, patient advocates, and others given the personal nature of the services they provide and the sensitivity of the data they collect and use. This public interest can create significant risk for those organizations as they create and use sensitive data and emerging technologies to improve patient care and consumer wellness.
For example, we are currently helping health industry clients evaluate their residual risk, come into compliance with existing privacy laws, and respond to threats and litigation related to the use of third-party tracking on their websites, mobile apps, and online platforms. We are also helping clients respond to threats and litigation related to their use of third-party AI tools in the course of patient care. Our assistance includes evaluating whether prior and current use of third-party tracking or AI tools on websites, mobile apps, and online platforms constitutes a data breach under federal or state law and, if so, what notification obligations apply. We are also helping clients evaluate strategies to mitigate risk under existing regulatory frameworks in light of recent enforcement trends and class action litigation.
Additionally, our work includes developing detailed policies and practical guides for clinic staff and receptionists that set out step-by-step procedures to follow in the event of immigration enforcement activity at health care facilities; advising on evolving standards related to reproductive health information; and advising on the risks of offshoring patient information, including risk assessments and recommendations to protect patient data and ensure compliance with applicable laws.
UK and Europe
We have substantial experience assisting life sciences and health care clients with compliance with data protection regulations in the UK and Europe, including the EU General Data Protection Regulation (GDPR); the UK Data Protection Act 2018; EU-wide cybersecurity legislation; the EU Privacy and Electronic Communications Directive; the European Health Data Space Regulation; the EU Data Act; and EU member states’ national laws on medical confidentiality.
Rest of the world
We are also well positioned to advise life sciences and health care clients on compliance with privacy and security laws and regulations around the world, including Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD), Singapore’s Personal Data Protection Act, and China’s Data Security Law and Personal Information Protection Law.
For additional information on our wider privacy and data protection capabilities, please visit our Data Protection, Privacy & Cybersecurity page.