Health Privacy & Security

Our nationally recognized health care privacy and data security team combines health care industry knowledge and legal experience to effectively assist clients with compliance, enforcement, risk avoidance and litigation-related concerns.
In today’s health care industry, data privacy and security issues affect individuals, businesses, and governments worldwide. Improving data privacy and security practices, understanding increasingly complex state and federal privacy and security laws, and meeting data security requirements must be at the top of any organization’s priorities. Ropes & Gray offers a leading, national privacy and data security practice which has been recognized by Chambers USA for excellence in the field.

Practical Knowledge of the Health Care Industry and Law

We know more than just the law – we know the health care industry, health care operations, and health care information systems. Our advice and solutions to privacy, security, and data breach issues address practical, operational and business concerns. We do not provide advice in a vacuum; we seek to solve data privacy and security matters in a way that meets our clients’ business needs.

Deep Compliance, Enforcement & Litigation Experience

When health care clients face their most serious data security issues, they come to Ropes & Gray for representation. Our clients include renowned academic medical centers, major health enterprises, national health plans, physician groups, dialysis companies, disease management companies, pharmacies, medical device companies, medical information technology companies, and global pharmaceutical and life sciences companies.

In offering clients our unsurpassed experience handling the numerous challenges that a data security breach presents, we:

  • Supervise expert forensic investigations
  • Work closely with law enforcement authorities (including the Department of Justice, FBI, and the United States Secret Service)
  • Advise on mitigation and containment obligations
  • Analyze notification obligations and implement notification policies
  • Defend against federal and state regulatory investigations, as well as class action and individual plaintiff lawsuits
  • Work closely with public relations and crisis management teams in charting strategies to minimize exposure

Integrated Team of Professionals

Ropes & Gray’s team features seasoned health care attorneys integrated with experienced litigators and transactional lawyers to provide advice and counseling across a wide range of areas that impact clients in health care.

We are exceptionally familiar with helping our health care clients establish compliance programs, manage data privacy and security risks, and respond quickly to data breach situations, government investigations, litigation, and transaction-related issues that may arise when the privacy or security of data is at risk or compromised. We also have extensive experience in the development and implementation of remediation/corrective action plans following a data privacy/security breach.

Experience & Services

We are retained in many of the most complex and groundbreaking cases. Our recent noteworthy work includes the representation of a:

  • Prominent specialty teaching hospital in negotiation and settlement of an OCR enforcement action relating to the loss of a laptop containing unencrypted protected health information
  • Boston-area hospital in an OCR investigation relating to the loss of an external hard drive containing protected health information
  • Well-known Northeast hospital in an OCR investigation of a data breach related to the theft of patient information
  • Prominent Northeast academic medical center in connection with an ongoing review by OCR stemming from an audit to assess and review client security obligations under HIPAA
  • Boston-area hospital in the negotiation and settlement of an OCR enforcement action relating to an employee’s loss of certain protected health information. The resolution agreement and corrective action plan were among the first of their type.
  • National health plan regarding health care compliance, data security and privacy matters and implementing compliance obligations under the corporate integrity agreement entered into with OIG
  • Global medical device company as regulatory counsel advising on the acquisition of a physician-led health care services company and health care regulatory and compliance matters
  • Leading private equity firm in its $3 billion acquisition of an information technology services provider to the health care industry
  • Leading biotechnology company in responding to a data security breach involving the theft of an unencrypted laptop containing confidential patient information

Ropes & Gray’s leading practices in privacy & data security and health care offer clients assistance across the full range of practice areas to address privacy, security and data breach issues, including:

Data Breaches & Intrusions

Our attorneys are skilled at working on multiple fronts simultaneously and develop global strategies to help contain the problems that stem from a data breach or the loss of confidential information, including:

  • Reporting and Notification. We assess state and federal reporting, notification and disclosure requirements under state and federal privacy statutes in response to known or suspected data breach incidents. In addition to HIPAA/HITECH notification requirements, we advise on notification requirements under data breach notification laws in the states and other territories that have enacted statutes, and develop notification plans and communications alerting state regulators, law enforcement authorities, individuals subject to the breach, and credit reporting agencies of incidents when appropriate. Our notification readiness capability enables us to assess a situation quickly and provide real-time counsel in the face of a data breach, which is critical given the short timeframe in which regulators expect notice of a data breach to be issued.
  • Federal and State Regulatory Investigations. We have worked with a number of federal regulators and state Attorneys General on data breach matters and have a thorough understanding of their approach and expectations relating to data breaches. Our experience with state and federal regulators enables us to anticipate issues and work proactively to address them efficiently.
  • Identifying and Remediating the Cause of the Breach. We have worked on matters involving data security breaches resulting from a wide variety of circumstances, ranging from simple human error to the criminal intrusion of information systems by technical means. We also have extensive experience working with third-party forensic experts to investigate and contain data breaches. Examples of our work involving security breaches include circumstances connected to: lost or stolen laptops, PDAs, or other unencrypted devices; unintentional uses or disclosures of information by employees and business associates; intentional theft of electronic and hard copy information; information system intrusion through means such as phishing, malware, and brute force attacks; and extortion attempts following the theft of information. Through our experience, we have developed work plans to identify and contain the cause of the breach and limit our clients' exposure to risk.
  • Litigation and Administrative Proceedings. We defend clients across the full range of disputes and litigation proceedings that often flow from significant data breaches, including claims by government regulators (described above), individuals affected by the breach (in class actions or individually), business partners, and payment card industry members.

Privacy & Security Compliance

Our attorneys have extensive experience advising health care clients on the impact of HIPAA, the HITECH Act, and accompanying regulations. We have completed numerous HIPAA engagements and continue to advise a wide variety of clients on the impact of HIPAA privacy and security regulations and other laws that affect client operations. We work closely with our clients to develop privacy and security compliance strategies that are scalable within the client's organization. Our robust services include:

  • Privacy and Security Compliance Programs. We have assisted numerous clients to establish privacy and security compliance plans. Our work has involved both HIPAA covered entities and business associates, and we have developed comprehensive HIPAA privacy and security policies and procedures for organizations throughout the health care industry. We continually update our policies and procedures to reflect changes in the law and the evolving enforcement environment.
  • Compliance and Risk Assessments. We conduct, participate in, and oversee HIPAA privacy and security compliance assessments and re-assessments. In connection with these projects, we have identified areas of risk common to specific segments of the health care industry and developed checklists and assessment plans to support our clients’ ongoing compliance and risk management efforts.
  • Training. We have assisted our clients in the development and implementation of HIPAA privacy and security training programs. Our experience in this area includes both general HIPAA training and focused, high-level training for specific issues identified in connection with compliance assessments, remediation efforts, and corrective action plans.
  • Remediation and Corrective Action Plans. We have assisted numerous clients with respect to the analysis of possible privacy and security rule violations, and the development and implementation of corrective action plans. Our experience in this area and deep knowledge of the health care industry enable our team to bring practical guidance to remediation and corrective action planning and implementation processes.
  • Data Breaches and Breach Notification. As described in the section entitled “Data Breaches & Intrusions,” we regularly counsel health care clients in connection with their response to data breaches, including assessing the breach, developing a plan of action to respond to it, and advising on compliance with post-breach legal requirements. We also work with clients within and outside of the health care industry to address data breaches involving personally identifiable financial or health-related information.
  • Government Investigations. We have represented clients in connection with pre- and post-HITECH Act data breach matters involving both federal and state enforcement authorities.
  • Government Audits. We have advised health care providers and health plans in connection with separate HIPAA security rule audits. We assisted these clients in responding to the audits, assessing risks identified through audits, and making appropriate changes to policies, procedures, and business practices to address issues identified by government enforcement authorities.
  • Business Transactions. We frequently provide advice to clients on the application of the HIPAA privacy and security rules to both strategic transactions and day-to-day business operations. Our accumulated experience in this context allows us to quickly identify issues and give practical advice relating to compliance with applicable laws and regulations.
  • Business Associates. We regularly counsel covered entities and business associates with respect to the status of parties as business associates, the terms of business associate contracts, HITECH Act obligations applicable to business associates, risk allocation between business associates and covered entities, breach notification by business associates, and the responsibilities of business associates with respect to implementing privacy and security measures to comply with the terms of business associate agreements.
  • Emerging Privacy and Security Issues. We are at the forefront of emerging issues in the area of HIPAA privacy and security. Health care reform and other industry changes have created new challenges with respect to HIPAA privacy and security compliance. We are advising clients with respect to privacy and security issues emerging in the context of the development of accountable care organizations (“ACOs”), regional health information organizations (“RHIOs”), health information exchanges (“HIEs”), and other similar organizations that present challenges relating to compliance with privacy and security laws.
  • Intersection of HIPAA and State Laws. We frequently advise clients with respect to the degree of intersection between state laws and HIPAA requirements, and conduct preemption analyses to determine whether existing state laws are more stringent than the HIPAA requirements.