Successfully developed the strategy for the assignment of various critical software packages and the handling of employee data for an international asset purchase transaction under which the company was buying assets and acquiring US and European employees. The plan for handling the data and transitioning the associated technology was accomplished with no disruption to the operation of the business.
One of our clients, a specialty grocery store chain, experienced an attack on its point of sale system that resulted in a theft of customer payment card information. Our team worked with the client from the moment the breach was discovered to investigate the incident, engage forensic experts and auditors, notify law enforcement authorities, negotiate with affected payment card companies, and develop position statements and press releases. We helped the client handle every aspect of the breach, advising on how to proceed and ensuring that the negative impact of the breach on our client’s business was minimized as a result of a prompt, thorough response.
Our client, a vendor for the State of Wisconsin, was involved in the inadvertent disclosure of the Social Security numbers of more than 700,000 Wisconsin taxpayers. Our team worked with the client during the highly publicized incident to negotiate and address corrective measures with the state. We drafted and coordinated a notice to the affected taxpayers, as well as helped the client put credit monitoring services in place for those affected. We also counseled the client in connection with the legal and business ramifications of the publicity associated with the event.
Our team assisted a large health care system with a security incident involving malware attacking its computer systems. We helped the client obtain outside experts for its investigation using our contacts in the industry and developed a security incident response plan. We analyzed and advised on whether the incident rose to the level of a breach of unsecured protected health information under the HIPAA Security Breach Notification Rule. We also analyzed the applicable state breach notification laws and aided in the drafting of the required notifications to affected individuals and covered entities, the media, and regulatory bodies. We also assisted in the development of fact sheets and other materials that were used for internal and external communications regarding the incident.
The federal Office for Civil Rights (OCR) investigates possible HIPAA violations. In 2015, a health care client received an OCR investigation request regarding a patient complaint. We assisted the client by reviewing the alleged incident, the client’s policies and procedures, and by proposing a response to OCR. The matter was then closed by OCR, without further action.
Our attorneys have assisted hundreds of clients with HIPAA privacy and security matters. We maintain model policies and procedures and related forms, such as business associate agreements. We have also trained clients on these rules. For example, in 2015 we conducted an in-person training session for a Midwestern client. However, this client has operations throughout the country and needed to train personnel in those locations. We took the customized training program and recorded a web seminar of the program. As a result, the client could train both current and future employees.
Our team advised a Midwestern dairy cooperative in connection with the development and implementation of its “Bring Your Own Device” technology policy and with implementation of a data retention and destruction program.
Our team assisted a client purchasing a business with U.S. and overseas locations with the handling of employee data transfers and with a transition services agreement through which data would be processed.
Our team assisted in the development of several health information exchanges for integrated delivery systems and affiliated providers. We performed an analysis of federal and state privacy laws to determine the use and disclosure restrictions on the sharing of data in health information exchanges and related consent, authorization, notice, and opt-in requirements.
Our team guided a client establishing U.S. and European e-commerce websites by preparing the necessary privacy policy, terms of use, and terms of sale.