Data Privacy and Cybersecurity

Counseled a private equity firm regarding the assessment of the types of data gathered and maintained by its multiple entities, including applicable regulatory requirements for each entity and relevant risks and considerations for the private equity firm.
Worked with numerous financial institutions in the implementation of the FDIC’s Financial Guidance on Response Programs.
Drafted policies and procedures for numerous covered entities and business associates to implement revisions to the HIPAA regulations under HITECH.
Drafted privacy and security policies and procedures for regulated financial institutions to comply with Gramm-Leach-Bliley Act.
Coordinated security risk assessments for organizations handling personally identifiable information or protected health information, including engagement of security consultants for HIPAA assessments, PCI-DSS audits, and red team assessments.
Developed a vendor management program for a large healthcare organization including implementation of a vendor risk assessment process, standard business associate and non-business associate vendor agreements, and training for contracting staff regarding effective implementation.
Created a data extraction process for a company serving as third party administrator to standardize and coordinate the processing of data requests from its self-insured health plan clients and their other contracted vendors.

Prepared consumer notices for numerous banking institutions under Gramm-Leach-Bliley.
Revised Notice of Privacy Practices for health care providers and health plans to incorporate revisions under HITECH and the Omnibus HIPAA regulations.
Created an organized healthcare arrangement among a group of covered entities, including a Joint Notice of Privacy Practices, to structure a new primary care service model.
Drafted privacy notices and terms of use for multiple organizations engaged in on-line retail and e-commerce.

Analyzed a wide variety of privacy and security incidents occurring within organizations that are covered entities or business associates to determine the probability of compromise to the protected health information and whether notification is required under HIPAA or state law.
Managed the investigation of a breach at a large physician group that included financial information collected through an online payment portal and online employment applications and provided notifications to affected individuals across forty-two states.
Coordinated the investigation and notification process on behalf of a critical access hospital following the unauthorized access and disclosure of patient records by one of its former employees.
Participated in the development of notifications on behalf of one of six covered entities affected by a business associate breach that involved collective notification to over three million individuals.
Managed the incident response of a consumer products firm regarding a breach of customers’ personal data from its e-commerce platform, including investigation, response and notification requirements

Resolved an investigation with Office for Civil Rights through voluntary compliance following a breach reported by the hospital after its vendor inadvertently published the financial information of over 8,000 individuals on the internet.
Responded to inquiries from several state Attorney Generals related to voluntary breach notifications or consumer complaints regarding privacy or security practices.
On behalf of a non-profit organization, resolved an Office for Civil Rights and Attorney General investigation following a ransomware attack affecting the organizations’ computer systems and storage of personal information.
Defended claims brought by patients alleging privacy violations against hospitals and other health care providers in state court.

Practices