Law of Health Information Privacy
Saturday, September 22, 2018
9:00 AM - 3:30 PM
Data is everywhere today, and is being used by a broader range of entities for a broader range of purposes every day. Lawyers in an increasingly broad variety of fields must understand the key principles surrounding the use and disclosure of personal data when providing virtually all aspects of legal advice to companies, in both regulated and unregulated industries, including compliance, mergers and acquisitions, litigation and the full range of specific privacy and data security laws and regulations.
This series will explore the primary legal and policy principles surrounding the use and disclosure of personal data in connection with the health care industry and health care data. We will focus on a specific industry – the health care industry – and review and analyze how privacy and data security principles apply specifically for this industry and for health care information. This day will emphasize the primary privacy and information security principles set out in the Health Insurance Portability and Accountability Act (“HIPAA”) as a baseline framework, and will explore how these rules apply in theory and in practice. In addition to this review of the HIPAA Privacy, Security, and Breach Notification Rules, this course will survey other potentially applicable laws for the health care industry, including state law (and the impact of preemption), and other relevant federal laws. We also will examine new developments in health care privacy and data security, including the evolving principles governing healthcare research, the privacy and data security challenges arising from mobile applications and the emerging implications of “big data” principles on privacy rights and the health care industry.
This will be relevant for attorneys working in the areas of compliance, data security, mergers/acquisitions and in healthcare.
Kirk Nahra is a partner with Wiley Rein LLP in Washington, D.C., where he specializes in privacy and information security litigation and counseling, along with a variety of health care and compliance issues. He is chair of the firm’s Privacy Practice and co-chair of its Health Care Practice. He assists companies in a wide range of industries in analyzing and implementing the requirements of privacy and security laws across the country and internationally. He provides advice on data breaches, enforcement actions, contract negotiations, business strategy, research and de-identification issues and privacy, data security and cybersecurity compliance. He advises companies in virtually all industries, ranging from Fortune 500 companies to start-ups. He also works with insurers and health care industry participants in developing compliance programs and defending against government investigations into their practices.
A long-time member of the Board of Directors of the International Association of Privacy Professionals, he is the editor of Privacy Advisor, the monthly newsletter of the International Association of Privacy Professionals. He is also a founding Board Member of the Privacy Bar Section of the IAPP. He is a Certified Information Privacy Professional and serves on the Advisory Board for the Health Law Reporter, the Privacy and Security Law Report and the Health Care Fraud Report. He served as the Co-Chair of the Confidentiality, Privacy and Security Workgroup, a panel of government and private sector privacy and security experts advising the American Health Information Community (AHIC) on privacy and security issues arising from health information technology. He has held leadership positions with various groups within the American Health Lawyers Association and the American Bar Association Health Law Section.
Mr. Nahra received his law degree from Harvard Law School, Cum Laude, in 1987. He received his undergraduate degree from Georgetown University, magna cum laude and Phi Beta Kappa, in 1984.
Mr. Nahra regularly speaks before a broad variety of audiences, including lawyers, nonlawyers, privacy and data security personnel, medical professionals and others, on topics including privacy, data security, cybersecurity, and overall healthcare issues. He has taught a Health Care Privacy and Security course at the Washington College of Law at American University since 2016. He will be teaching a course on The Law of Information Privacy at the Washington College of Law beginning in September 2018. He also has taught privacy-related “mini-courses” at the Case Western Reserve University Law School and the University of Maine Law School, and has lectured at the University of Pennsylvania and Washington University.
Mr. Nahra is an active author and lecturer in the health care, compliance, privacy, information security and anti-fraud areas. Some of his most recent publications include:
“The Top Ten Privacy and Data Security Developments to Watch in 2018,” Bloomberg Law Privacy and Security Law Report (January 8, 2018)
“A Privacy and Security Checkup for 2018,” Privacy in Focus (January 2018)
“The Past, Present and Future of Health Care Privacy,” Health Law Handbook (2017 Edition)
“The Top Ten Health Care Privacy and Security Concerns for 2017,” Bloomberg BNA’s Health Law Reporter (January 5, 2017)
“Privacy and Security Impacts of the 21st Century Cures Legislation,” IAPP's The Privacy Tracker (December 19, 2016)
“Responding to Security Breaches,” The Practical Lawyer (October 2016)
“Impact of the EU-U.S. Privacy Shield on Health-Care Data Transfers,” Bloomberg BNA’s Privacy and Security Law Report (August 1, 2016)
“Is the Sectoral Approach to Privacy Dead in the U.S.?,” Bloomberg BNA’s Privacy and Security Law Report (April 4, 2016)
“HIPAA Phase 2 Audits Begin: Prepare but Don’t Panic,” Privacy in Focus (April 2016)
“The Top Ten Privacy and Security Issues Companies Need to Watch in 2016,” Bloomberg BNA’s Privacy and Security Law Report (January 4, 2016)
“Big Data, Privacy, Research, and De-Identification,” Privacy in Focus (December 2015)
“A Privacy and Data Security Checklist for All,” Privacy in Focus (July 2015)
“Privacy, Research and the Evolution of Health Care in the 21st Century,” Bloomberg BNA's Medical Research Law & Policy Report (March 18, 2015)
“Obama’s drive to introduce new privacy and security laws,” E-Commerce Law and Policy (February 2015)
“Health Care Privacy and Security Developments: Top Issues to Watch in 2015,” Bloomberg BNA's Health Law Reporter (January 8, 2015)
Continuing Legal Education Readings
Moot Courtroom (A59)
11075 East Blvd.
Cleveland, Ohio 44106
9:00 am – 9:15 am
Topic 1 - Introduction to the scope and approach of the Health Insurance Portability and Accountability Act (“HIPAA”).
We will discuss the development of the HIPAA Privacy and Security Rules, focusing on the scope of the rules and the overall approach set out by them.
9:15 am – 10:15 am
Topic 2 - The HIPAA Privacy Rule - Core principles of use and disclosure, consent, authorization, public policy disclosures, notice of privacy practices. Key definitions.
We will discuss the core elements of the HIPAA Privacy Rule, focusing on the use and disclosure principles. We will also touch on individual rights and administrative requirements under the Privacy Rule.
10:15 am – 10:30 am
10:30 am – 11:15 am
Topic 3 - The HIPAA Security Rule, Security Standards for the Protection of Electronic Protected Health Information. Discuss the lawyer’s role in connection with data security.
We will discuss the overall approach to the HIPAA Security Rule, including the key provisions and the challenging aspects of providing legal advice in connection with the Security Rule.
11:15 am – 11:45 am
Topic 4 - HIPAA Breach Notification Rule/Security Breach Issues.
We will discuss the HIPAA/HITECH breach notification rule. For an in-class exercise, we will provide a sample breach situation. You will be expected to discuss a risk assessment and an evaluation of the steps involved in addressing the breach.
11:45 am – 12:30 pm
12:30 pm – 1:30 pm
Topic 5 – Business Associates
We will discuss the application of the HIPAA rules to business associates, including various issues that have specific implications for business associates. We will discuss some examples of categories of business associates (e.g., accounting firm, billing consultant), and will evaluate the particular issues of interest for each such company in connection with business associate agreements and other key HIPAA issues for that company or category.
1:00 pm – 1:15 pm
Topic 6 – HIPAA Enforcement; Rule; AG Role
We will discuss the HIPAA enforcement process and the overall enforcement approach, along with the implications of this approach on the health care industry.
1:15 pm – 1:30 pm
Topic 7 - Health Privacy Litigation
We will discuss some of the key litigation issues that are arising in connection with the HIPAA Privacy and Security Rules and other health care privacy issues.
1:30 pm – 2:00 pm
Topic 8 - Non-HIPAA Health Care Data
We will discuss the expansion of the amount and nature of “non-HIPAA” health care data, and how this activity is altering the environment for health care privacy and security rules. We will evaluate the implications for both lawyers and the health care business from these developments.
2:15 pm – 2:30 pm
Topic 9 - Health Privacy Laws Beyond HIPAA: Discussion of State Law and HIPAA Pre-emption; other Federal Privacy Laws.
We will discuss how HIPAA impacts state law and other federal laws.
2:30 pm – 2:45 pm
Topic 10 - Research, De-identification, and Big Data
We will discuss the role of big data in the health care industry, focusing on two related issues: the process for healthcare research and the concept of “de-identification” of health care information.
2:45 pm – 3:00 pm
Topic 11 - Evaluating HIPAA: How has it worked and where are we going?
We will discuss how the HIPAA rules have changed over time and the changes that might be needed (or might happen) in the future, and then will evaluate how the rules have worked, from the perspective of individuals, the healthcare industry and the public.
3:00 pm – 3:30 pm
Topic 12 - Questions and Conclusions