The following story is one in a six-part series devoted to the pioneering teams that comprise the firm’s new Digital Asset and Data Management Practice Group.
A prime example of BakerHostetler’s preeminence in the legal industry is on display in its latest Practice Group, Digital Asset and Data Management (DADM), which offers holistic, enterprise-wide risk solutions to clients around “everything data.” The multidisciplinary new addition – led by Theodore J. Kobus III, chair of the DADM Practice Group – is a strategic outgrowth of the firm’s world-class Privacy and Data Protection and Advertising, Marketing and Digital Media teams, combined with the innovative legal technology R&D team, IncuBaker. It comprises more than 100 award-winning attorneys, technologists and support professionals from six diverse teams, enabling clients to better understand and navigate the intersection of digital business, emerging technologies and the law.
The following offers an introduction to one of those six teams.
Healthcare Privacy and Compliance
- Who: The team lead is Partner Lynn Sessions.
- What: The formation of the Healthcare Privacy and Compliance team “allows us to look at the needs of the firm’s healthcare clients from start to finish to ensure that they comply with the current and ever-changing state, federal and international laws related to health information,” said Sessions. In addition to leveraging emerging technologies, managing data and structuring data so it can be handled in a way that is compliant with healthcare-specific regulations, team members are also vigilant in defending against potential internal and external threats to clients. “I’m excited to help protect and foster the trusted relationship that healthcare organizations have with their patients and customers,” said Sessions, who focuses her practice on helping covered entities and business associates through data breaches and investigations with the Office for Civil Rights (OCR) and state attorneys general. The team has handled more than 1,500 healthcare data breaches, more than 500 OCR investigations and a dozen resolution agreements with the federal government. With this daily insight into the OCR’s current focus, the team is able to be at the forefront of issues that are important to OCR and advise clients of these risks, allowing our healthcare clients to address their own compliance absent a patient complaint or OCR investigation.
- The team leverages its deep experience in the healthcare industry to not only work with healthcare clients through incident response and regulatory defense but also help healthcare organizations be compliant with HIPAA and with the ever-changing state and international regulations addressing health information. Recent examples include (1) preparing clients for the OCR HIPAA audits and ensuring proactive HIPAA compliance with the Privacy, Security and Breach Notification rules; (2) determining applicability of the GDPR to academic medical centers with an international reach; (3) advising on the intersection of HIPAA and the Common Rule in clinical trials and other healthcare research; (4) addressing de-identification of patient data to assist with efficiencies in treatment, payment and the curing of disease; and (5) advising on the unique privacy concerns with population health and patients’ access to their information.
- The team works with DADM’s Emerging Technology team to address data analytics and the creation of data lakes to help monetize data aggregated across healthcare businesses. Technology contracting has become increasingly important to healthcare organizations, and this team is able to also bring in DADM’s Privacy Governance & Technology Transactions team to develop and enhance those contracts for healthcare entities.
- The team works with technology companies and other business associates in addressing HIPAA compliance in a rapidly increasing area of risk for these companies, including developing policies and procedures and training, and advising on general HIPAA compliance.
- Why: Patients’ and health plan members’ names, dates of birth, Social Security numbers, prescriptions, medical diagnoses and procedure details – the data maintained by healthcare organizations – rank among these individuals’ most personal and private information. Healthcare providers and insurers as well as employee health plan administrators are particularly vulnerable to data security incidents due to the highly sensitive nature of that data. Healthcare clients also require skilled assistance to navigate extensive and constantly evolving regulations that define their industry. Companies that do business with healthcare entities may not appreciate their exposure as business associates and the information they receive and maintain on behalf of their customers.
- How: With an increase in the amount of dedicated and focused resources that address healthcare clients’ privacy and information security needs, the new DADM Practice Group better synergizes the ways in which to address those risks – particularly for larger healthcare organizations with a national, and often international, reach – and across the various DADM teams.