Rachel Weiss

Privacy and security compliance and breach counsel

Rachel Weiss helps health care providers, health plans and other organizations of all sizes with data privacy and security issues, among other matters. In particular, she advises on the HIPAA Privacy and Security Rules; data breach prevention, response and investigations; state data privacy and confidentiality laws; privacy and security-related due diligence; and federal and state pharmaceutical laws and regulations.

Rachel encourages clients to take proactive risk management steps to avoid experiencing costly incidents in the future. She works hand-in-hand with clients to improve their privacy and security compliance while keeping in mind overall business goals, timelines and budgetary constraints, to secure optimal outcomes.

Rachel also serves as the firm’s associate privacy officer.

• Counsels clients through all stages of security incidents and breaches, including initial investigation, incident response, vendor engagement, notifications to affected individuals and state and federal government regulators, and subsequent investigations and audits by the Office for Civil Rights and state attorneys general.
• Assists covered entities and business associates in complying with HIPAA through effective compliance programs. Rachel does this by drafting and revising policies and procedures, assisting in workforce training development, drafting security reminders, negotiating privacy and security issues in contracts (including business associate agreements) and counseling clients through HIPAA risk analyses.
• Advises on federal data privacy and security laws, including HIPAA and 42 C.F.R. Part 2 (Confidentiality of Alcohol and Drug Abuse Treatment Records).
• Provides guidance on compliance with comprehensive state data privacy laws and breach notification laws, and state laws governing the confidentiality of medical records, mental health records and records containing other sensitive information, and agency guidance.

• Successfully assisted a large health care client in a data breach investigation and response, including guiding the client through post-breach investigation by the Office for Civil Rights, resulting in no enforcement action taken against the client.
• Proactively worked with a newly established health care entity to establish a HIPAA compliance program, including policies and procedures, required contracts, workforce training and engagement of risk analysis vendor, to ensure compliance with HIPAA’s Privacy Rule and Security Rule requirements.