KOMahonyLaw - Law Office of Kevin P. O'Mahony
Healthcare, Business & Litigation Services

HIPAA, Health Information Privacy & Security Compliance

At the Law Office of Kevin O’Mahony, we advise clients on the numerous privacy and security laws that physicians, healthcare providers and businesses working with healthcare providers must follow on a daily basis in their medical practices, healthcare entities or businesses. Implementing and following proper business and security practices that comply with state privacy laws on patient information, as well as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) privacy, security and transactions rules, is essential for physicians and healthcare entities to avoid lawsuits, fines, penalties and damage awards.

The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium — whether electronic, on paper or oral. The Privacy Rule calls this information protected health information (“PHI”). The HIPAA Privacy Rule requires that covered entities, their business associates and any subcontractors handling PHI apply appropriate administrative, technical and physical safeguards to protect the privacy of PHI in any form.

Covered entities are defined in the HIPAA Rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which the U.S. Department of Health & Human Services (“HHS”) has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations or persons.

The Health Information Technology for Economic and Clinical Health Act (“HITECH”) (enacted in 2009) was created to motivate the implementation of electronic health records (“EHR”) and supporting technology in the United States. Because this legislation anticipated a massive expansion in the exchange of electronic protected health information (“ePHI”), the HITECH Act widens the scope of privacy and security protections available under HIPAA. It also increases the potential legal liability for non-compliance, and provides for more enforcement.

Business Associate Agreements

A HIPAA Business Associate Agreement (“BAA”) is a contract between a HIPAA covered entity and a vendor used by that covered entity. A vendor of a HIPAA covered entity that needs to be provided with PHI to perform duties on behalf of the covered entity is called a business associate (“BA”) under HIPAA.

HHS defines a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” A vendor is also classified as a BA if, as part of the services provided, ePHI passes through their systems. However, exclusions to this definition exist, and it may be the case that a covered entity’s relationship with a vendor changes over time.

A signed HIPAA Business Associate Agreement must be obtained by the covered entity before allowing a business associate to come into contact with PHI or ePHI. And since the HITECH Act (2009) was implemented through the 2013 Omnibus Final Rule, subcontractors used by business associates are also required to comply with HIPAA. A business associate must likewise obtain a signed HIPAA business associate agreement from its subcontractors before access is given to PHI or ePHI. If subcontractors use vendors that require access to PHI or ePHI, they too need to enter into business associate agreements with those vendors.

The Business Associate Agreement is a contract that specifies the types of PHI that will be provided to the business associate (or subcontractor), the allowable uses and disclosures of PHI, the measures that must be implemented to protect that information, both at rest on-site and in transit (e.g., encryption), and the actions that the BA must take in the event of a security breach that exposes PHI. The contract should state that the BA (or subcontractor) must implement appropriate administrative, technical and physical safeguards to ensure the confidentiality, integrity and availability of ePHI and meet the requirements of the HIPAA Security Rule. Some of those measures may be stated in the BAA or they may be left to the discretion of the BA.

The BAA should also include the allowable uses and disclosures of PHI to meet the requirements of the HIPAA Privacy Rule. In the event that PHI is accessed by individuals unauthorized to view the information, such as an internal breach or cyberattack, the business associate is required to notify the covered entity of the breach and may be required to send notifications to individuals whose PHI has been compromised. The time frames and responsibilities for notifications should be detailed in the BAA.

A business associate should also be made aware of the consequences of failing to comply with the requirements of HIPAA. Business associates can be fined directly by regulators for HIPAA violations. Both HHS’s Office for Civil Rights (“OCR”) and state attorneys general have the authority to issue financial penalties for violations of HIPAA Rules.

Unlike most contracts, a HIPAA business associate agreement does not necessarily indemnify a covered entity against financial penalties for a breach of PHI. If a covered entity fails to obtain “satisfactory assurances” that a BA is HIPAA-compliant prior to entering into a contract, and a breach of PHI subsequently occurs, the covered entity may be considered liable for the breach.

Covered entities can be fined for not having a HIPAA business associate agreement in place, or for having an incomplete agreement in place. This is true even though HITECH regulations state that BAs are obligated to comply with the HIPAA Security Rule, even if no HIPAA business associate agreement is executed.

In May 2019, the OCR issued a new fact sheet to highlight the provisions of HIPAA that apply to business associates and for which they can be held directly liable for non-compliance. The fact sheet spells out the specific requirements that could trigger OCR’s enforcement authority against business associates, including failing to comply with the HIPAA security rule, failing to provide breach notifications to a covered entity or another business associate, and impermissible uses and disclosures of protected health information. See https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.

HIPAA & HITECH Penalties

HIPAA penalties vary depending on the type of conduct involved. When enacted in 2009, HITECH established four categories for HIPAA violations, with penalty tiers commensurate with the level of culpability for each violation.

  • Tier 1 violations are those where the person did not know (and, by exercising reasonable diligence, would not have known) that he or she violated the provision. Tier 1 violations were capped at $25,000 per calendar year.
  • Tier 2 violations are those where “the violation was due to reasonable cause, and not willful neglect.” Tier 2 violations were capped at $100,000 per calendar year.
  • Tier 3 violations are those due to willful neglect that is timely corrected. Tier 3 violations were capped at $250,000 per year.
  • Tier 4 violations are those that occurred due to willful neglect that is not timely corrected. Tier 4 violations were capped at $1.5 million per year.

In 2013, the OCR implemented a final rule allowing for enhancements of HITECH’s penalty provisions. Under the enhanced penalty scheme, while the range of penalties for each violation continued to differ by tier, the total yearly cap for all violations under all tiers became $1.5 million (an amount which formerly was only applicable to the most serious violations). But in April 2019, HHS exercised its discretion to lower the annual cap for certain types of penalties (reducing the financial impact of HIPAA violations that fall into the lower tiers) as follows:

For each culpability tier, the table below lists the minimum penalty per violation, the maximum penalty per violation, and the annual limit for identical violations. The first figure in each pair is the amount set in April 2019; the figure in parentheses is the most recent inflation adjustment.

  • Tier 1: person did not know, and by exercising reasonable diligence would not have known, that the person violated HIPAA. Minimum $100 ($114); maximum $50,000 ($57,051); annual limit $25,000 ($28,525).
  • Tier 2: the violation was due to reasonable cause, not willful neglect. Minimum $1,000 ($1,141); maximum $50,000 ($57,051); annual limit $100,000 ($114,102).
  • Tier 3: person acted with willful neglect, but corrected the violation within 30 days. Minimum $10,000 ($11,182); maximum $50,000 ($57,051); annual limit $250,000 ($285,255).
  • Tier 4: person acted with willful neglect and failed to correct the violation within 30 days. Minimum $50,000 ($57,051); maximum $50,000 ($57,051); annual limit $1,500,000 ($1,711,533).

While reduced annual caps are certainly good news, covered entities and business associates should keep in mind:

  1. The penalty amounts are subject to annual cost of living adjustments.
  2. The new annual caps only apply to identical violations. A single act or omission may result in different violations that are not identical. For example, an impermissible disclosure may violate separate HIPAA requirements, each of which may trigger a different penalty and separate annual cap. Moreover, OCR may impose a separate penalty for each individual whose information was improperly accessed or disclosed. In the case of a continuing violation (e.g., the failure to implement a required safeguard or obtain a required business associate agreement), a separate violation occurs each day the covered entity or business associate is in violation of the provision.
  3. If an entity does not act with willful neglect and corrects the violation within 30 days after the covered entity or business associate knew, or by exercising reasonable diligence would have known, of the violation, OCR is barred from imposing a penalty; such timely correction is an affirmative defense to penalties. However, if the entity acts with willful neglect, the relevant penalty is mandatory.
  4. A covered entity or business associate is vicariously liable for the violations of their respective agents, including workforce members or business associates acting within the scope of their agency under the federal common law of agency.

In other words, HIPAA penalties may add up quickly despite the reduced annual cap on identical types of violations. And covered entities and business associates must ensure that they continue to comply with HIPAA, avoid acting with “willful neglect” at all costs, and correct any violations within 30 days to invoke the affirmative defense to penalties.

Health & Mobile Apps

Health apps are application programs that offer health-related services for mobile devices such as smartphones, smartwatches, personal digital tablets, patient monitoring devices, wearable technology and other wireless devices. Because they are accessible to patients both at home and elsewhere, health apps are part of a burgeoning movement towards mobile health (“mHealth”) programs in healthcare. There are many varieties of health apps available for purchase from app stores. Some (such as fitness, weight loss, wellness and exercise trackers) are designed to help consumers make healthier choices in their everyday life by offering advice about fitness or nutrition. Others are aimed at physicians and other healthcare providers themselves, combining mHealth with electronic medical records (“EMR”), and allowing providers to keep accurate records that are easily accessible. And others help doctors and patients communicate remotely, such as apps for diabetics that automatically send glucose readings to their primary care physicians.

HIPAA does not provide full, comprehensive coverage over, or protection to, all medical/health/wellness information, regardless of the manner in which it is transmitted or by whom. HIPAA is limited to “covered entities” and their “business associates,” who share or transmit “protected health information” (“PHI,” or “ePHI” for electronic information) in connection with “covered transactions.” All of these terms are specifically defined by HIPAA, and most third-party healthcare apps do not qualify as a “covered entity” or a “business associate,” do not hold “PHI,” and do not engage in a “covered transaction,” so HIPAA’s requirements are not triggered. But many do qualify. And because HIPAA does apply to many healthcare apps, healthcare providers, mobile app developers, and other health-related businesses need to keep the HIPAA Rules in mind whenever PHI is transmitted or disclosed to third parties.

Given the growing number of apps that patients may choose to receive and use their PHI, and the limited control covered entities and EHR system developer business associates have following patient-directed disclosure, HHS issued new guidance in the form of Frequently Asked Questions (“FAQs”) in April 2019. These FAQs clarified (at least to some extent) potential HIPAA liability for transmitting PHI among covered entities, their EHR system developers, and patient-designated apps. Here are the five FAQs and HHS’s answers:

  1. Q: Does a HIPAA covered entity that fulfills an individual’s request to transmit electronic protected health information (ePHI) to an application or other software (collectively “app”) bear liability under the HIPAA Privacy, Security, or Breach Notification Rules (HIPAA Rules) for the app’s use or disclosure of the health information it received?

A: The answer depends on the relationship between the covered entity and the app. Once health information is received from a covered entity, at the individual’s direction, by an app that is neither a covered entity nor a business associate under HIPAA, the information is no longer subject to the protections of the HIPAA Rules. If the individual’s app – chosen by an individual to receive the individual’s requested ePHI – was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app. For example, the covered entity would have no HIPAA responsibilities or liability if such an app that the individual designated to receive their ePHI later experiences a breach.

If, on the other hand, the app was developed for, or provided by or on behalf of the covered entity – and, thus, creates, receives, maintains, or transmits ePHI on behalf of the covered entity – the covered entity could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. For example, if the individual selects an app that the covered health care provider uses to provide services to individuals involving ePHI, the health care provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received.

  2. Q: What liability does a covered entity face if it fulfills an individual’s request to send their ePHI using an unsecure method to an app?

A: Under the individual right of access, an individual may request a covered entity to direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). For instance, an individual may request that their unencrypted ePHI be transmitted to an app as a matter of convenience. In such a circumstance, the covered entity would not be responsible for unauthorized access to the individual’s ePHI while in transmission to the app. With respect to such apps, the covered entity may want to consider informing the individual of the potential risks involved the first time that the individual makes the request.

  3. Q: Where an individual directs a covered entity to send ePHI to a designated app, does a covered entity’s electronic health record (EHR) system developer bear HIPAA liability after completing the transmission of ePHI to the app on behalf of the covered entity?

A: The answer depends on the relationship, if any, between the covered entity, the EHR system developer, and the app chosen by the individual to receive the individual’s ePHI. A business associate relationship exists if an entity creates, receives, maintains, or transmits ePHI on behalf of a covered entity (directly or through another business associate) to carry out the covered functions of the covered entity. A business associate relationship exists between an EHR system developer and a covered entity. If the EHR system developer does not own the app, or if it owns the app but does not provide the app to, through, or on behalf of, the covered entity – e.g., if it creates the app and makes it available in an app store as part of a different line of business (and not as part of its business associate relationship with any covered entity) – the EHR system developer would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app.

If the EHR system developer owns the app or has a business associate relationship with the app developer, and provides the app to, through, or on behalf of, the covered entity (directly or through another business associate), then the EHR system developer could potentially face HIPAA liability (as a business associate of a HIPAA covered entity) for any impermissible uses and disclosures of the health information received by the app. For example, if an EHR system developer contracts with the app developer to create the app on behalf of a covered entity and the individual later identifies that app to receive ePHI, then the EHR system developer could be subject to HIPAA liability if the app impermissibly uses or discloses the ePHI received.

  4. Q: Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives?

A: No. The HIPAA Privacy Rule generally prohibits a covered entity from refusing to disclose ePHI to a third-party app designated by the individual if the ePHI is readily producible in the form and format used by the app. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). The HIPAA Rules do not impose any restrictions on how an individual or the individual’s designee, such as an app, may use the health information that has been disclosed pursuant to the individual’s right of access. For instance, a covered entity is not permitted to deny an individual’s right of access to their ePHI where the individual directs the information to a third-party app because the app will share the individual’s ePHI for research or because the app does not encrypt the individual’s data when at rest. In addition, as discussed in Question 1 above, the HIPAA Rules do not apply to entities that do not meet the definition of a HIPAA covered entity or business associate.

  5. Q: Does HIPAA require a covered entity or its EHR system developer to enter into a business associate agreement with an app designated by the individual in order to transmit ePHI to the app?

A: It depends on the relationship between the app developer, and the covered entity and/or its EHR system developer. A business associate is a person or entity who creates, receives, maintains or transmits PHI on behalf of (or for the benefit of) a covered entity (directly or through another business associate) to carry out covered functions of the covered entity. An app’s facilitation of access to the individual’s ePHI at the individual’s request alone does not create a business associate relationship. Such facilitation may include API terms of use agreed to by the third-party app (i.e., interoperability arrangements).

HIPAA does not require a covered entity or its business associate (e.g., EHR system developer) to enter into a business associate agreement with an app developer that does not create, receive, maintain, or transmit ePHI on behalf of or for the benefit of the covered entity (whether directly or through another business associate).

However if the app was developed to create, receive, maintain, or transmit ePHI on behalf of the covered entity, or was provided by or on behalf of the covered entity (directly or through its EHR system developer, acting as the covered entity’s business associate), then a business associate agreement would be required.

More information about apps, business associates, and HIPAA is available at: https://hipaaqsportal.hhs.gov

See also OCR FAQ 2039, “What is the liability of a covered entity in responding to an individual’s access request to send the individual’s PHI to a third party,” available at https://www.hhs.gov/hipaa/for-professionals/faq/2039/what-is-the-liability-of-a-covered-entity-in-responding/index.html

Business Associates’ Direct Liability Under HIPAA

In May 2019, the OCR released a fact sheet outlining and clarifying violations of HIPAA for which a business associate can be held directly liable. Published shortly after the release of the new guidance from OCR in the form of FAQs discussed above, the fact sheet was another example of OCR’s recent efforts to clarify its position and answer outstanding questions from the ever-changing healthcare industry.

In the May 2019 fact sheet, OCR first noted the history by which the application of certain aspects of HIPAA extended to business associates – the HITECH Act of 2009 and OCR’s 2013 Final Rule modifying the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, which further extended to business associates the need to comply directly with the HIPAA Security Rule and significant aspects of the HIPAA Privacy Rule. Since then, business associates have tried to comply with these HIPAA requirements, but with little guidance or certainty as to whether OCR will take action against them (as opposed to only covered entities) for HIPAA violations, and if so, the types of violations OCR will enforce against business associates.

OCR’s fact sheet finally provided some clarity regarding business associates’ own liability under HIPAA. Citing the HITECH Act and the 2013 Final Rule, the fact sheet clearly states that “OCR has authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules as set forth below” (emphasis in original). Specifically, business associates can be held directly liable under HIPAA for:

  1. Failure to provide the Secretary of HHS with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including PHI, pertinent to determining compliance.
  2. Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
  3. Failure to comply with the requirements of the HIPAA Security Rule.
  4. Failure to provide breach notification to a covered entity or another business associate.
  5. Impermissible uses and disclosures of PHI.
  6. Failure to disclose a copy of ePHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the BAA) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and (c)(3)(ii), respectively.
  7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
  8. Failure, in certain circumstances, to provide an accounting of disclosures.
  9. Failure to enter into BAAs with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such BAAs.
  10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s BAA.

In one telling example, OCR indicated it has enforcement authority directly over a business associate that has agreed in a BAA to satisfy individual rights (e.g., requests from individuals for access to copies of their medical records). Although OCR did not explicitly say it would enforce a business associate’s failure to sign a BAA with a covered entity, it said it would with respect to BAAs with business associate subcontractors. And OCR’s example confirms that the agency will hold business associates accountable for certain contractual obligations made with covered entities, even if such obligations otherwise exceed the scope of business associate requirements under HIPAA.

OCR’s clarification regarding the direct liability of business associates came as the agency’s enforcement against business associates has been rising. Just a few days before releasing the new fact sheet, OCR settled allegations of HIPAA Privacy Rule and Security Rule violations for $100,000 with a business associate that provides software and electronic medical record services to healthcare providers. In that case, the business associate self-disclosed to OCR a HIPAA breach following discovery that hackers used a compromised user ID and password to access the ePHI of approximately 3.5 million people. OCR’s investigation revealed that the business associate had not conducted a comprehensive risk analysis, as required by the Security Rule prior to the breach.

Recent HIPAA Enforcement Actions Show Exposure on Multiple Fronts

In June 2019, an unprecedented settlement was announced, arising from a federal lawsuit brought by 16 state attorneys general (“AGs”) in the U.S. District Court for the Northern District of Indiana. In that case, a medical software provider agreed to pay the states $900,000 for alleged violations of a combination of federal and state privacy laws. The settlement represented the resolution of the first-ever multistate data breach suit based on alleged violations of HIPAA, as well as state deceptive trade practices acts, state personal information protection acts, and state breach notifications acts. The case arose out of a 2015 data breach, in which an Indiana-based electronic health record software provider and its subsidiary (the “EHR Provider”) discovered that hackers used a compromised user ID and password to access the ePHI of approximately 3.5 million individuals whose healthcare providers used the EHR Provider’s software. The information exposed by the breach included names, dates of birth, Social Security numbers, and clinical information.

In the lawsuit, the state AGs asserted that the EHR Provider ran a web application with a security framework that allowed the breach to occur. The EHR Provider allegedly failed to take appropriate measures to protect its computer systems and failed to take reasonable steps to prevent breaches. The state AGs claimed that the EHR Provider, as a business associate under the provisions of HIPAA, was required to comply with the HIPAA Security Rule, and had failed in numerous instances to meet the Security Rule’s enumerated requirements.

Although the sheer number of individuals impacted by the breach was significant, the major takeaway from the case was the nationwide collective effort by the state AGs. In addition to using their statutory authority to enforce HIPAA, the state AGs also brought claims under their respective data breach and personal information protection statutes. The combined effect was a powerful case in which the EHR Provider was accused of 38 separate counts of state law violations, all emanating from the same breach. The settlement with the state AGs was finalized about one month after the EHR Provider agreed to pay $100,000 to the OCR, the federal agency tasked with enforcing HIPAA, for alleged HIPAA violations associated with the same breach. In addition to the monetary consequences, the EHR Provider also agreed to numerous injunctive provisions and a corrective action plan, requiring the company to implement and adhere to specific data security policies and procedures.

These settlements represent cautionary tales for the healthcare industry for several reasons. First, the affected entity in this instance was a business associate governed by HIPAA. The settlements show that to the extent a HIPAA-covered entity must take specific measures to protect the ePHI of its patients, the business associate that handles the information on the covered entity’s behalf also must do so. Business associates should assess their data security programs and ensure that they have procedures in place to monitor, detect and address data vulnerabilities and breaches, consistent with HIPAA Security Rule requirements. As demonstrated by the federal suit, business associates are not only on OCR’s radar, they also are on state radars. HIPAA-covered entities should also pay close attention to their business associates’ HIPAA compliance to ensure that they are adequately protecting the covered entity’s information.

Second, the increasing use of web-based applications for electronic health information management represents not only an opportunity for innovation and progress, but also a threat of increased exposure and liability. Transmission of ePHI via the Internet enables healthcare organizations to better treat and engage patients, and helps facilitate the beneficial exchange of medical information among providers. Utilized properly, this electronic network improves healthcare and makes its delivery more efficient. However, as the electronic network of patients and providers continues to grow, it becomes a more valuable and data-rich target for hackers. This means that covered entities and business associates participating in any given electronic network are exposed to potential hazards that may impact individuals in multiple states, and are subject to multiple state and federal laws and threats of enforcement action. Consequently, attention to data privacy and security must grow in scale with the size of the network managing the highly-regulated information.

Finally, the federal suit and settlements show that states are willing to utilize and combine their resources and efforts nationwide to hold health industry participants accountable for compliance with both federal and state laws when it comes to data protection and health information privacy. As already noted, electronic networks transmitting health information are growing. This growth means the activities of healthcare entities will reach more and more patients, which means handling highly-regulated information in more and more states. With the no-longer-theoretical prospect of multistate enforcement actions, it is essential that covered entities and business associates take measures to comply with HIPAA and applicable state laws wherever their businesses are conducted.

How We Can Help & Services We Provide

We advise and assist healthcare providers, mobile app developers and other health-related businesses with their implementation of measures necessary to comply with the complex requirements imposed on healthcare providers and their vendors by the HIPAA Privacy and Security and HITECH Act requirements, as well as state privacy laws and regulations. Our services include:

  • Advice and legal assistance in connection with protecting the confidentiality of patients’ medical records and PHI.
  • Drafting and negotiating Business Associate Agreements and Subcontractor BAAs from Covered Entities’, Business Associates’ and Subcontractors’ perspectives.
  • Assisting both healthcare providers and healthcare vendors in integrating requirements of the security and privacy rules in their operational documents.
  • Providing advice, guidance and assistance to clients as they conduct privacy and security assessments and audits, develop compliance plans, and implement policies, procedures and forms for compliance.
  • Advising and assisting clients as they choose appropriate consultants to help them prepare, improve and implement necessary policies and procedures, and respond to audits.
  • Assisting on incident response and breach reporting, including counseling on OCR compliance reviews, HIPAA audits or other government investigations.
  • Representing healthcare clients in legal actions alleging violations of federal or state privacy laws or regulations.

Our law firm is experienced in counseling and assisting healthcare clients regarding medical privacy and security matters in a cost-effective manner. We have broad experience counseling clients regarding how they can meet the requirements of the various federal and state privacy and security rules in their day-to-day business activities. And we can assist if a legal action is brought alleging a violation. Please call or email us if you wish to schedule a consultation.

© 2018 - 2019 Law Office of Kevin P. O'Mahony. All rights reserved.