Sidley lawyers regularly provide counsel to a wide range of healthcare clients ― health plans, healthcare providers, business associates, and employers that sponsor group health plans ― on matters involving the confidentiality and security of health information and healthcare-related data transactions. Since federal rules were first proposed in 1999, we have been following, interpreting, and applying the Privacy and Security Standards promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). We also have considerable experience with state laws protecting the confidentiality of health information and prescription data and the Health Information Technology for Economic and Clinical Health (HITECH) Act, which represents the most significant expansion of HIPAA since its inception.
Sidley also regularly works with healthcare clients to comply with the Department of Justice (DOJ) Data Security Program (DSP) Rule ― the progeny of 2024 Presidential Executive Order 14117 ― Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. This complicated and comprehensive regulation impacts a wide swath of companies’ data transactions (including ‘omic, biometric, precise geolocation, personal health, personal financial, and covered personal identifiers data) with “countries of concern” and “covered persons.” Our knowledge of the DSP Rule is the result of extensive review and application of the DSP to clients’ data transactions, coupled with our lawyers’ prior government experience. Compliance with this dense and sweeping regulation is imperative to avoid tripwires for criminal prosecution and civil liability for knowing or willful violations. Sidley can help organizations with their efforts to comply with the DSP Rule, including adapting those efforts as DOJ refines its guidance and enforcement operations.