Healthcare Privacy, HIPAA
Healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates, are required to implement extensive measures to comply with federal laws. We assist clients on a daily basis with their compliance planning and implementation, mitigation of risks, and audit responses occasioned by HIPAA and the HITECH Act. We also assist clients with navigating the frequently conflicting or broader state privacy laws and with keeping up with this evolving and complex area of government regulation.

Our services in the arena of healthcare privacy and security laws include:

  • Assisting companies with comprehensive implementation plans for HIPAA/HITECH compliance.
  • Preparing educational and training materials appropriate to a client’s unique organization.
  • Assisting in responses to and the reporting of security breaches.
  • Advising clients on response to Office of Civil Rights and state attorneys general audits and investigations of privacy and security law violations or denials of rights of access to medical records.
  • Updating HIPAA policies to meet new requirements under the American Recovery and Reinvestment Act.
  • Applying privacy and security laws to innovative models of information connectivity, such as Health Information Exchanges and cloud computing arrangements.
  • Conducting state law preemption analyses.
  • Preparing and negotiating business associate agreements, including for “downstream” business associates.
  • Drafting risk allocation clauses in service agreements involving the transfer of large amounts of sensitive data.
  • Due diligence of Covered Entities’ and Business Associates’ levels of HIPAA/HITECH compliance.

  • Advised clients with regard to investigations and responses to HIPAA breaches.

  • Advised clients with regard to HIPAA-related investigations by the Office for Civil Rights.

  • Advised clients on HIPAA compliance matters that arise in the course of operations, including analyzing permitted uses and disclosures of protected health information, negotiating business associate agreements, and reviewing and revising policies and procedures.

  • Assisted a national REIT in its minority investment in a portfolio of a variety of healthcare providers, including assisted living, memory care, hospice, and private-pay in-home care. The providers were located in multiple states, including Arizona, California, Illinois, Texas, Utah, Washington, and Wisconsin. AGG’s involvement included in-depth diligence, including a review of the providers’ licenses, permits, certifications, and accreditations, PEPPER reports, government investigations and surveys, hospice cap calculations, compliance program, background screening, HIPAA, medical directorships, admission agreements, commercial payor audits, and corporate practice of medicine. AGG also assisted with preparing the underlying investment agreement and related disclosure schedules.

  • Represented a national medical practice and management company in the evaluation and response to federal and multi-state HIPAA security and privacy matters, including review of the alleged breach, assembly of patient and business partner communications, notification of state and federal parties.

  • Represented a national medical practice and management company with regard to the negotiation of a new billing and collection agreement, including privacy and security matters and related indemnity obligations.

  • Represented a multi-state medical practice management company start-up in the acquisition of multiple additional medical practices, including all aspects of the transaction from letter of intent to due diligence to transaction documents.

  • Advised a national hospice provider regarding compliance with breach reporting and notice requirements and indemnification rights where a potential breach was caused by an IT vendor Business Associate.

  • Evaluated scope of cyber-security insurance coverage for investor.

  • Advised multiple clients (both Covered Entities and Business Associates) on updating policies, forms, and training materials in light of the HITECH Act and breach reporting requirements.

  • Advised a national hospitalist firm on federal and state breach notification obligations arising from a potential breach experienced by a subcontractor which may have exposed protected health information over the internet.

  • Provided an analysis of Georgia laws impacting health system’s adoption of an electronic health record function.

  • Performed due diligence on HIPAA compliance for private equity investor considering investment in cloud services vendor.

  • Conducted internal compliance investigation to determine whether data shared with a pharmaceutical company was appropriately de-identified.

  • Assisted academic medical center on HIPAA and state-level privacy issues applicable to its development of a Health Information Exchange.

  • Provided legal and policy counsel, with particular focus on health information privacy and security issues, to the Department of Community Health related to Georgia’s Health Information Exchange.

  • Assisted numerous clients in evaluating and responding to data breaches.

  • Represented one of the 115 Covered Entities nationwide to be audited by KPMG on behalf of the Office for Civil Rights in 2012.

  • Advised skilled nursing facility company on compliance policies and training for multi-location operations.

  • Analyzed the interplay of the Family Educational Rights and Privacy Act (FERPA) and HIPAA for health system providing services in educational settings.

  • Conducted an internal compliance investigation in response to allegations by a former employee of the client that the client had terminated the employee in retaliation for having reported 1) a significant HIPAA breach of Protected Health Information which was not fully de-identified before being provided to pharmacy companies; and 2) non-compliance with law related to the client’s implementation of its financial hardship policy.

  • Advised a client regarding the development of a HIPAA/HITECH Act compliance program covering its potential obligations as a business associate of HIPAA covered entities. Assisted the client in conducting a gap analysis to identify areas where further action may be necessary depending upon proposed changes to the HIPAA privacy, security, and breach notification regulations.

  • Advised data network services provider contracted with government agencies and providers of health care and human services, including homeless shelters, with respect to the sharing of TB information in compliance with applicable privacy laws, including HIPAA.

  • Advised long-term care provider, with facilities in multiple states, in revising HIPAA privacy policies and procedures, notice of privacy practices, and other HIPAA documentation for use company-wide following 2013 rule changes. Also worked with local counsel to include relevant state-law provisions in privacy policies and procedures.