Health Information Technology & Electronic Health Records

Ropes & Gray provides comprehensive guidance on health information technology transactions, regulatory compliance, data preservation, and health-related data privacy and security strategies and relevant legal obligations.


Highly Experienced Team

Our multi-disciplinary team of lawyers brings profound experience in all areas relevant to vendors and users of Health IT services and products. We also possess a keen understanding of our clients’ business exigencies, the rapidly evolving regulatory landscape, and current industry practices.

Comprehensive Services

We advise clients on all aspects of health IT (HIT) including financing, developing, commercializing, procuring, licensing, deploying, and managing health-related technology and information. We regularly assist hospital systems, providers, physician groups, quasi-state agencies and information technology vendors with designing, implementing and operating HIT that securely and effectively integrates patient health information into a centralized electronic network. We also advise clients regarding the management of state disclosure and federal accounting requirements in connection with the unauthorized access of patient information.



  • Health IT Customers and Users. We represent Health IT users in all aspects of technology, service and data procurement, licensing, outsourcing, and business process arrangements. Our clients include prominent health care institutions, universities and physician groups, such as: Stanford University Medical Center, Dana Farber Cancer Institute, Children’s Hospital (Boston), Lahey Clinic Hospital, Beth Israel Deaconess Medical Center, Massachusetts Eye and Ear Infirmary, Mt. Sinai School of Medicine, El Camino Hospital (CA), Morris Heights Health Center (NY), PriMed Management, and Settlement Health (NY).
  • Health IT Companies. We represent a broad range of companies that develop, market and sell Health IT technologies, software and services in transactions designed to generate financing, monetize their technology and IP assets, structure and restructure their IP portfolios, and penetrate markets.
  • Health IT Investors and Underwriters. We represent numerous leading private equity and venture capital firms and underwriters in the Health IT sector with respect to all corporate and due diligence aspects of their investments. We help them assess their target companies' compliance with federal and state regulations, including potential exposure for non-compliance, and formulate remedial steps.
  • Comprehensive Transactional Services. We are experienced, domestically and globally, in:
    • Technology and IP asset acquisitions, divestitures and spin-outs 
    • Joint ventures, alliances, teaming and collaborations 
    • Outsourcing and insourcing for applications development, supply side/manufacturing, service, and business process functions
    • Complex licensing and distribution 
    • Structuring and restructuring IP portfolios 
    • Cross-border transactions, especially those involving the European Union, Japan, India, China, Korea, Latin America, and Israel

Regulatory Compliance

We routinely counsel on the implementation of interoperable HIT and EHR systems in the public and private sectors. We work closely with hospitals, providers, physician groups, quasi-state agencies, and Health IT vendors to design, license, implement and operate systems that integrate patient health information into a centralized network compliant with federal and state regulations, including:

  • HIPAA: HIT compliance with privacy and security regulations including the Health Insurance Portability and Accountability Act (HIPAA), and the extension of HIPAA to business associates and breach notification laws
  • Physician Self-Referral (Stark) Laws: Referrals of Medicare patients to related entities for “designated health services” 
  • Anti-Kickback Laws: The legality of remuneration for referrals of items or services reimbursable by a federal health care program

Privacy & Security

We advise on all aspects of privacy and information security applicable to HIT, including:

  • Compliance and Counseling: Federal, state, and industry-based data protection and privacy requirements, under: HIPAA, Gramm-Leach-Bliley (GLBA), Children’s Online Privacy Protection Act (COPPA), Fair and Accurate Credit Transactions Act (FACTA), Fair Credit Reporting Act (FCRA), U.S.-EU Safe Harbor Program, and a multitude of state privacy and information security laws 
  • Data Breaches and Intrusions: Litigation, government investigations, and transaction-related issues arising out of data security breaches, including risk analysis and post-incident responses 
  • Information Security Programs: Development of comprehensive information security and privacy compliance programs