Data Security, HIPAA & Compliance
For over 30 years, Rich has helped his clients navigate the maze of ever-changing state, federal, and international data security and privacy requirements that affect their businesses. Rich works closely with clients’ management and professional staff to promote compliance and, in the event an incident occurs, to mitigate risk and manage costs and reputational harm.
Contract Negotiation and Drafting
  • HIPAA Business Associate Agreements and Subcontractor BAAs
  • Information security agreements
  • Non-disclosure agreements
Regulatory Compliance
  • Review and advise on HIPAA and other federal and state requirements
Data Security, Privacy Counseling, and Workforce Training
  • HIPAA assessments and audits
  • ISO preparedness and audits
  • Confidentiality and HIPAA education
Privacy and Security Breaches
  • Situation analysis
  • Risk assessment
  • Mitigation and remediation
  • Federal and state
Freedom of Information Act
  • Defense and prosecution of requests

Representative Transactions

  • Four unencrypted laptops were stolen from the rental car of a client’s employee. The missing devices contained personally identifiable information from four different corporate customers, including one that had de-installed years earlier; roughly 50,000 individuals were affected.
    Outcome
    Managed the security and risk assessment and the data breach notification process; no lawsuits were filed, no damages were paid, and there was no negative publicity. The client estimated the total cost of remediation at $20,000. Worked with the client to revise its data collection and storage practices, processes, and procedures to prevent a recurrence.
  • A software company client was notified by its customer that a setup error had resulted in personally identifiable information being available online to all of the customer’s employees.
    Outcome
    A rapid investigation determined that the breach resulted from the end user’s own procedural breakdown. No reporting and no adverse publicity for the client. Worked with my client to assess and update its procedures to anticipate and prevent a similar occurrence by other end users.
  • A healthcare IT client was notified by a Medicare fiscal intermediary of an alleged HIPAA violation.
    Outcome
    Managed the security and risk assessments and determined that the incident did not constitute a reportable HIPAA breach. Worked with the client to document the incident and updated the client’s HIPAA compliance program to anticipate and avoid similar incidents that could result in a reportable breach.
  • Several instances in which a client contracted with a state or county government entity and a losing bidder then sought disclosure of the winning contract under the state’s freedom of information act (FOIA) or freedom of information law (FOIL).
    Outcome
    Successfully limited disclosure to the minimum required by law, thereby avoiding the disclosure of trade secret information such as technology specifications and implementation methodologies.