skip to content
HIPAA and Data Security and Privacy

HIPAA and Data Security and Privacy


Despite the fact that the industry has been living with HIPAA for well over a decade, keeping patients health information private and secure in the Internet age continues to be an area where many health care providers are vulnerable to penalties, sanctions, and litigation.  The increasing reliance on electronic data and the implementation of electronic health records has added a new wrinkle, opening providers up to data breach allegations under both HIPAA and state breach laws.  Simultaneously, access to large electronic data sets and the use of analytics holds significant promise for improving personalized care, population health, and biomedical research.  Health care providers need a trusted advisor in their corner, one with a solid understanding of the intricacies of this complex area of law.  Smith Moore Leatherwood fills that advisory role for providers across the country.

Our team has served as counsel to three state health information management associations, and we participate regularly in the activities of national organizations focusing on health information management and privacy issues.  We also count nationally-recognized professionals among our HIPAA and Data Security and Privacy team who have published and spoken extensively on these topics at state and national meetings.  On a daily basis, we assist providers—from single-physician practices to large multi-hospital systems—in assessing privacy risks, responding to requests for patient information, evaluating their privacy and data security infrastructures, and considering how they may use health information in innovative ways.

Whether you have identified privacy and data security concerns at your organization, are looking for assistance in reviewing and strengthening existing policies and practices, need help starting an effective privacy program, or are interested in determining how to use analytics software to improve your bottom line, our HIPAA and data security and privacy team can help.  Contact one of our team members today for more information.


Our data privacy team works with providers across the country in both a preventative and crisis/breach response capacity.  Representative examples of our work in the HIPAA and data security and privacy arena include:

Crisis/Breach Response

  • Drafted response and accompanying documentation on behalf of multiple clients in response to Office of Civil Rights (OCR) HIPAA complaint notices and investigations
  • Defended claims and suits that raised HIPAA and privacy issues, including privacy class actions
  • Assisted various provider clients in determining whether specific data breach circumstances require breach notification under HIPAA and applicable state data breach laws, and assisting in breach notification efforts
  • Represented health system in responding to a stolen laptop with PHI of over 500 patients
  • Assisted health plan business associate in addressing posting of electronic file containing 500+ patients' information to incorrect third party administrator site
  • Worked with physician practice on public and government reporting of release of HIV status on 300+ patients
  • Advised a hospital on response to investigation by US Attorney due to business office HIPAA breaches in bankruptcy proceedings
  • Represented a nursing home in addressing disclosure of social security information on the outside of envelopes sent to numerous employees
  • Defended patient claims of improper PHI disclosure in debt collection suits
  • Assisted a health system in responding to HIPAA and North Carolina law notice requirements involving system employee's storage of health records in rental home
  • Advised hospital in record copying vendor employee's improper retention of paper copies of medical records
  • Counseled hospitals, numerous physician practices and nursing homes on response to investigations by HHS Office of Civil Rights
  • Addressed improper taking by a former employee and potential whistleblower of PHI of numerous employees used in connection with background and exclusion checks
  • Handled issues arising when a lockbox containing patient medical records was stolen during a break-in at a medical practice
  • Addressed improper disposal of medical records in a dumpster with media publicity
  • Responded to questions raised and deficiencies cited by surveyors concerning texting of PHI by nursing home employees to physicians
  • Addressed disclosure of employee HIV status by health plan to employer
  • Defended claim of improper PHI disclosure by former patient in connection with health system response to patient's published comments to the media
  • Addressed health system response when contract ED physician left patient medical records in rental car 
  • Assisted clients in responses to patient allegations of improper PHI disclosure to employees and physicians not involved in care
  • Addressed patient claims of improper access to PHI by physicians not involved in care
  • Handled improper videotaping of patient examinations
  • Advised concerning disclosure of adult child's medical information to parent who had been guarantor while child was a minor
  • Counseled providers on employee disciplinary matters involving release of PHI on social media sites

Counseling and Preventative Activities

  • Created practical packages of template HIPAA/HITECH policies, forms, and guidance documents tailored to specific provider types (physicians, hospitals, skilled nursing facilities) and specific state legal requirements for states across the Southeast
  • Prepared HIPAA/HITECH policies and procedures for hospital systems' self-insured health plans
  • Worked with a software designer hired by provider to develop an electronic charting system that was HIPAA/HITECH compliant
  • Met with local law enforcement agencies on behalf of hospital systems to educate law enforcement on limitations imposed by HIPAA and state law on disclosures of patient information and documentation needed to comply with such requests
  • Taught courses for nursing and physician personnel regarding HIPAA basics, as well as specialized topics such as HIPAA and disclosure of behavioral health records; approaches when an employee is also a patient; access to and disclosure of minor patients' records; and working with law enforcement
  • Assisted large physician practice in demonstrating Meaningful Use Stage 2 compliance, including compliance with HIPAA and privacy requirements
  • Assisted multi-hospital system in responding to post-payment Meaningful Use Stage 1 audits and in preparing for compliance with Meaningful Use Stage 2 requirements
  • Assisted in development of regional and enterprise health information exchange organizations, including establishment of governance structure, data use agreements, privacy and security policies and procedures, and advice on operational matters
  • Evaluated regulatory implications of licensing de-identified health data from organizations and sub-licensing such de-identified data sets to organizations seeking large data sets for research, population health, and quality improvement on behalf of a business analytics start-up
  • Assessed possible corporate structures and the resulting data privacy, security, and operational requirements for a telemedicine mobile application start-up
  • Assisted hospital and physician practice clients in preparing and negotiating contracts for the donation of electronic health record items and services in accordance with Stark law and Anti-Kickback Statute requirements
  • Assisted hospital systems in addressing "one patient, one record" safeguards to implement when moving to single electronic health record system for use by all provider entities within the systems
  • Provided guidance to hospitals regarding Health Information Management and privacy issues during Epic implementation
  • Reviewed and negotiated health information technology contracts, including electronic health record software contracts, cloud storage agreements, value-added reseller agreements, and clinical data registry agreements
  • Reviewed business associate agreements and related contracts on behalf of covered entities and business associates
  • Assisted providers in responding to subpoenas received for patients' protected health information
Thought Leadership


February 5, 2018
December 8, 2017
September 27, 2017
Just Patch It, Cybersecurity Updates
October 6, 2015
September 22, 2015
September 2011
November 2009
Metadata, Legal HIMformation
September 2008
HIPAA Security Audits, Legal HIMformation
March 2008
December 2007
June 2007

Each of our lawyer's e-mail address is provided with his or her biography. If you are not a current client of our firm, you should not e-mail our lawyers with any confidential information or any information about a specific legal matter, given that our firm may presently represent persons or companies who have interests that are adverse to you. If you are not a current client and you e-mail any lawyer in our firm, you do so without any expectation of confidentiality. We will not establish a professional relationship with you via e-mail. Instead, you should contact our firm by telephone so that we can determine whether we are in a position to consult with you about any legal matters before you share any confidential or sensitive information with us.