Health care organizations operate at the intersection of some of the most demanding regulatory frameworks in any industry. HIPAA, HITECH, the Information Blocking Rule, 42 CFR Part 2, and a growing body of state law create layered and sometimes conflicting obligations that require both legal acuity and operational experience to navigate effectively.
This practice provides specialized compliance counsel to covered entities, business associates, health systems, physician groups, life science organizations, academic medical centers, and the legal teams that advise them. Engagements range from discrete gap analyses and expert opinions to sustained fractional officer services and program development support.
Tailored gap reviews against HIPAA’s Privacy Rule, Breach Notification Rule, and Security Rule, with actionable compliance recommendations for covered entities and business associates. Assessments are structured to support ongoing program development and demonstrate organizational due diligence.
Technical cybersecurity reviews designed to satisfy the risk analysis requirement of the HIPAA Security Rule and the HITECH “recognized security practices” amendment. Assessments are conducted against industry-standard frameworks including the CIS Critical Security Controls (CSC) and the NIST Cybersecurity Framework (CSF).
Forensic analysis of websites and mobile applications used by health care organizations for the presence of cookies, pixels, and other online tracking technologies that may disclose protected health information to third parties. Services support class action defense, regulatory investigations, proactive compliance audits, and litigation counsel.
Advisory and compliance support for covered entities, health systems, and health IT developers on ONC’s Information Blocking Rule and Interoperability Rule. Includes policy development, exception analysis, and dispute support.
Expert-level de-identification analysis and accompanying reports for HIPAA-covered organizations using health data for research, commercial, or operational purposes. Services apply both the Expert Determination and Safe Harbor methods, and address advanced anonymization considerations at the intersection of HIPAA, GDPR, and the Common Rule.
Design and execution of data interview, inventory, and mapping engagements to identify and document personal and protected health information across systems, processes, and business associate relationships.
Taking a risk-based approach, we help organizations build and mature data compliance programs calibrated to their unique regulatory exposure, through policy and procedure development, staff training design, work planning, and governance structure advice.
Advisory and implementation support for privacy technology tools essential to modern compliance programs, including data mapping platforms, consent management, individual rights workflows, third-party management, and incident response systems.
Interim and fractional engagement as Privacy Officer, Security Officer, Chief Privacy Officer, or Compliance Officer for organizations that need credentialed executive-level leadership. Prior engagements include health systems, state universities, academic medical centers, medical societies, and technology companies.
Rapid-response compliance resources during OCR investigations, state enforcement actions, cure periods, or litigation. Experience supporting organizations under DOJ inquiry and serving as independent monitor for settlement obligations under attorney-client privilege.