Overview of Privacy and Security Services Offered:

At Epstein Becker Green, we counsel our clients on a daily basis regarding federal and state laws related to health information privacy and security. Our attorneys are frequent authors and lecturers on privacy and security topics, and also serve on the advisory boards of such publications as Report on Patient Privacy, The Medical Information Technology Law Report, Thompson's Employer's Guide to HIPAA, and The Privacy Officers Advisor, the official newsletter of the Privacy Officers Association.

Epstein Becker Green provides legal services to all sectors of the health care industry. Our services include:

  • Assisting organizations with HIPAA implementation and compliance advice
  • Preparing and implementing FTC Red Flag Rule and Address Discrepancy Rule policies, and providing compliance advice
  • Conducting privacy and security risk assessments and creating policy development tools and services
  • Creating privacy use and disclosure compliance inventories
  • Conducting client educational and training seminars on various privacy and security issues
  • Advising organizations on Gramm-Leach-Bliley Act ("GLB") compliance
  • Assisting organizations with responses to security breaches in order to mitigate the impact of, and reduce or prevent, identity theft
  • Assisting clients with responses to government audits and investigations of privacy and security breaches
  • Counseling organizations regarding the European Union Directive on Data Protection safe harbor

In addition, Epstein Becker Green has been designated by the Health Information Trust Alliance ("HITRUST") as a Common Security Framework ("CSF") Assessor. HITRUST provides training to develop and maintain effective security programs for health care and life sciences companies that use sensitive data, including but not limited to, protected health information ("PHI").

The CSF Assessor designation enables Epstein Becker Green to offer clients assessment services associated with the CSF. This framework provides a comprehensive approach, methodology, and tool to help clients establish efficient security programs that comply with applicable security laws, regulations, and standards, including HITECH, HIPAA, PCI, JCAHO, CMS, ISO, NIST, and various other federal, state and business requirements. Epstein Becker Green acquired this designation to better serve our client base of health care, life sciences, and health information technology companies as well as our business partners (e.g., HIPAA-covered entities and business associates) that use PHI.

Epstein Becker Green is the first law firm to become a CSF Assessor and the designation exemplifies the firm's distinct capability to identify and address risk for health care industry clients.

Health care organizations are facing increased challenges in securing patient medical information while making it electronically accessible wherever and whenever it is needed or authorized. Epstein Becker Green understands the importance of protecting our clients from potential breaches in security, which is why we made obtaining this certification a high priority. We will continue to evolve our services as the market demands it. 

— Mark Lutes, a Member of the Firm in the Health Care and Sciences practice in Washington, DC

Examples of Privacy and Security Legal Services Epstein Becker Green Attorneys Recently Provided to Clients:

  • Drafted written identity theft prevention programs in compliance with FTC Red Flag Rules
  • Updated HIPAA policies and procedures to comply with the new requirements under the American Recovery and Reinvestment Act of 2009
  • Assisted clients with discovery issues associated with medical records and PHI
  • Utilized Internet-based expert system to document clients' compliance with the HIPAA standard
  • Created, in conjunction with a health care consulting company, a HIPAA privacy and security implementation and compliance manual for 10 national medical specialty societies
  • Conducted multistate surveys of state health privacy laws to prepare HIPAA preemption analyses in connection with health care providers and suppliers operating in multiple states
  • Prepared Notices of Privacy Practices for managed care entities and employer group health plans in accordance with HIPAA, GLB, and state law requirements
  • Analyzed hospital and health system privacy and security practices, provided advice regarding HIPAA implementation and compliance, prepared HIPAA guidance and compliance materials, and conducted HIPAA educational seminars
  • Created Business Associate Agreements designed to address our clients' needs — from simple documents that track the regulation, to complex and annotated contracts
  • Assisted organizations throughout the health care industry to implement the various HIPAA requirements related to the privacy standards and the transaction and code set standards
  • Drafted clinical research and sponsored research agreements provisions relating to HIPAA privacy standards
  • Provided advice on HIPAA compliance during recruitment and conduct of clinical trials