HIPAA and Data Security and Privacy


Despite the fact that the industry has been living with HIPAA for well over a decade, keeping patients' health information private and secure in the Internet age continues to be an area where many health care providers are vulnerable to penalties, sanctions, and litigation.  The increasing reliance on electronic data and the implementation of electronic health records has added a new wrinkle, opening providers up to data breach allegations under both HIPAA and state breach laws.  Simultaneously, access to large electronic data sets and the use of analytics holds significant promise for improving personalized care, population health, and biomedical research.  Health care providers need a trusted advisor in their corner, one with a solid understanding of the intricacies of this complex area of law.  Smith Moore Leatherwood fills that advisory role for providers across the country.

Our team has served as counsel to three state health information management associations, and we participate regularly in the activities of national organizations focusing on health information management and privacy issues.  We also count nationally recognized professionals among our HIPAA and Data Security and Privacy team who have published and spoken extensively on these topics at state and national meetings.  On a daily basis, we assist providers—from single-physician practices to large multi-hospital systems—in assessing privacy risks, responding to requests for patient information, evaluating their privacy and data security infrastructures, and considering how they may use health information in innovative ways.

Whether you have identified privacy and data security concerns at your organization, are looking for assistance in reviewing and strengthening existing policies and practices, need help starting an effective privacy program, or are interested in determining how to use analytics software to improve your bottom line, our HIPAA and data security and privacy team can help.  Contact one of our team members today for more information.


As representative examples of work for our clients in this area, we have:

  • Created practical packages of template HIPAA/HITECH policies, forms, and guidance documents tailored to specific provider types (physicians, hospitals, skilled nursing facilities) and specific state legal requirements for states across the Southeast
  • Prepared HIPAA/HITECH policies and procedures for hospital systems' self-insured health plans
  • Assisted providers in responding to subpoenas received for patients' protected health information
  • Advised a software designer hired by a provider to develop an electronic charting system that was HIPAA/HITECH compliant
  • Met with local law enforcement agencies on behalf of hospital systems to educate law enforcement on limitations imposed by HIPAA and state law on disclosures of patient information and documentation needed to comply with such requests
  • Taught courses for nursing and physician personnel regarding HIPAA basics, as well as specialized topics such as HIPAA and disclosure of behavioral health records; approaches when an employee is also a patient; access to and disclosure of minor patients' records; and working with law enforcement
  • Assisted a large physician practice in demonstrating Meaningful Use Stage 2 compliance, including compliance with HIPAA and privacy requirements
  • Assisted a multi-hospital system in responding to post-payment Meaningful Use Stage 1 audits and in preparing for compliance with Meaningful Use Stage 2 requirements
  • Assisted in development of regional and enterprise health information exchange organizations, including establishment of governance structure, data use agreements, privacy and security policies and procedures, and advice on operational matters
  • Evaluated regulatory implications of licensing de-identified health data from organizations and sub-licensing such de-identified data sets to organizations seeking large data sets for research, population health, and quality improvement on behalf of a business analytics start-up
  • Assessed possible corporate structures and the resulting data privacy, security, and operational requirements for a telemedicine mobile application start-up
  • Assisted hospital and physician practice clients in preparing and negotiating contracts for the donation of electronic health record items and services in accordance with Stark law and Anti-Kickback Statute requirements
  • Assisted hospital systems in addressing "one patient, one record" safeguards to implement when moving to a single electronic health record system for use by all provider entities within the systems
  • Provided guidance to hospitals regarding Health Information Management and privacy issues during Epic implementation
  • Reviewed and negotiated health information technology contracts, including electronic health record software contracts, cloud storage agreements, value-added reseller agreements, and clinical data registry agreements
  • Reviewed business associate agreements and related contracts on behalf of covered entities and business associates
  • Drafted response and accompanying documentation on behalf of multiple clients in response to Office of Civil Rights (OCR) HIPAA complaint notices and investigations
  • Defended claims and suits that raised HIPAA and privacy issues, including privacy class actions
  • Assisted various provider clients in determining whether specific data breach circumstances require breach notification under HIPAA and applicable state data breach laws, and assisted in breach notification efforts

Thought Leadership

  • October 6, 2015
  • September 22, 2015
  • September 2011
  • November 2009: Metadata, Legal HIMformation
  • September 2008: HIPAA Security Audits, Legal HIMformation
  • March 2008
  • December 2007
  • June 2007
  • April 2005: HIPAA Q&A – Prisoner PHI, Legal HIMformation
