Healthcare providers and related entities have a special obligation to maintain the confidentiality, privacy and security of protected health information. Today’s providers rely on hardware, software and information technology to function. Increased regulation regarding patient privacy and information confidentiality, combined with increasing cyberattacks, has made information security one of the top priorities in healthcare.

Our attorneys have advised providers, health plans, technology companies, pharmaceutical and device manufacturers, biotechnology companies, financial institutions and other types of organizations that are covered entities or business associates. We help you craft strategies and policies to keep your data safe. We can also help you if your data is compromised, including helping you manage the post-breach process.

Healthcare Data Security: Reducing the Risks and Minimizing the Damage

Today’s Security Challenge

Information security and privacy concerns permeate healthcare at every level, with healthcare organizations facing information security challenges on more than one front. 

Organizations must protect the privacy, security and confidentiality of patient information. The privacy, security and confidentiality requirements of the Health Insurance Portability and Accountability Act (HIPAA) and related state laws should not be taken lightly, and consequences for violations can be dire.

Additionally, healthcare entities are businesses that maintain information that no organization wants to have stolen, such as employee information, customer information, credit card or banking information, corporate files and much more.

The cost to healthcare providers of a data breach has been estimated at $363 per record, more than twice the overall cross-industry average.

As technology advances, the risk of a breach and the attendant harm from such a breach increases. The cost of a breach is far greater than financial fines and penalties; ramifications may include damages to an organization’s reputation, as well as harm to patients.

Let Us Assess and Reduce Your Risk

Our attorneys are experienced and highly skilled in compliance and regulatory matters, including HIPAA and Health Information Technology for Economic and Clinical Health (HITECH) Act matters relating to protected health information and data security.

How can an experienced law firm help ensure information security? In a variety of ways. For example, we can help by:

  • Conducting institutional or system-wide assessments of compliance with HIPAA, HITECH and other regulatory requirements.
  • Drafting and reviewing privacy and security policies/procedures and conducting training to reduce the likelihood of a breach.
  • Assisting in developing an effective breach response plan.
  • Advising regarding existing and proposed regulations and industry standards.
  • Drafting business associate agreements.
  • Drafting agreements that take information security into consideration, such as:
    • IT transition in advance of a merger.
    • Private sector/university collaboration.
    • Electronic contracting.
    • Biotechnology transfer.
    • Content licensing.
    • Maintenance, support and service.
  • Developing internet terms of use and privacy policies.

In addition to the information technology-related matters we have handled for our healthcare clients, Buchanan's Technology, Licensing and Commercial Contracts group has substantial experience in handling these types of issues for clients in any industry.

When Security or Privacy Incidents Occur

Privacy and security incidents happen. There’s much you can do to minimize the risk, but even the most privacy- and security-conscious healthcare organizations occasionally experience a potential incident. In such circumstances, we can help you by:

  • Conducting an investigation, including employee interviews, and due diligence.
  • Conducting and advising regarding risk assessments and breach mitigation.
  • Advising you on all potential legal actions.
  • Assisting with crisis management.
  • Representing you through post-breach litigation.
  • Providing necessary notices and reports.
  • Responding to Office for Civil Rights (OCR) and state Attorney General (AG) investigations related to a breach or patient complaint.
  • Helping to put into place mechanisms to avoid a future incident.