Crowell & Moring represents clients on a broad range of issues related to the privacy of individually identifiable personal information that is gathered and used in the performance of business operations. We counsel clients and structure transactions for compliance with U.S. privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Gramm-Leach-Bliley Act, and federal and state information security breach notification laws, as well as obligations that arise under other state laws and the European Union Directive, the CAN-SPAM Act and Do-Not-Call Rules. We litigate both federal and state attorney general and insurance department privacy and security breach enforcement matters, and class actions involving alleged security breaches of privacy lapses
The clients we represent include multi-state health plans, hospitals and health systems, pharmacy benefit management companies, government health benefit program contractors, insurers, pharmaceutical and medical technology and equipment manufacturers, software developers, major employers and prescription benefit management companies. Representative activities include:
- Developing policies and procedures and compliance plans to protect the privacy of information.
- Structuring joint ventures and other business arrangements to comply with data protection laws.
- Counseling clients in the development of software and other business practices to comply with applicable privacy protections.
- Formulating action plans following information security breach incidents (e.g., lost laptops or hard drives).
- Defending clients accused of violating privacy/confidentiality/security breach laws in criminal, civil and administrative proceedings, including federal grand juries and the Department of Health and Human Services Office for Civil Rights (OCR).