In an environment of enhanced enforcement, dramatically higher penalties, and tougher privacy and security requirements, our health information privacy and security team offers clients the guidance and resources they need to overcome the challenges they face.

Experience from the birth of HIPAA to today's evolving regulatory environment

The firm has been working with HIPAA rules since they were in draft form, and we help our clients stay on top of agency pronouncements, enforcement actions and other industry developments. Our attorneys combine deep knowledge of HIPAA, the HITECH Act, and state privacy and data breach laws with broader experience in health care, insurance regulation, technology law, employee benefits, litigation and liability management to deliver tailor-made, cost-effective solutions for our clients' privacy and security issues.

When they face a security incident or data breach, clients rely on Katten. Our attorneys routinely help clients evaluate whether a given incident requires notification under HIPAA/HITECH, state law and applicable business associate agreements, and we assist with remediation and breach notification. We also work with clients to respond quickly and effectively to investigations of their privacy and security practices by the Office for Civil Rights and other regulatory agencies. Because an ounce of prevention is worth at least a pound of cure, our attorneys also work closely with covered entities and business associates to prospectively identify HIPAA compliance gaps and mitigate the related risks through corrective action. Whether that requires developing additional policies, procedures and training tools or merely refining existing ones to address a newly identified threat, we can help. We strive to provide practical, easy-to-understand feedback.

On an ongoing basis, we help clients understand how HIPAA, HITECH and related state laws affect a wide range of business models and actual or proposed operations, from information sharing within a clinically integrated network to cloud storage arrangements to patient-facing communications portals, mobile apps and other provider or patient communications platforms. We represent both covered entities and business associates in negotiating and putting in place the agreements required when protected health information will be accessed, used or disclosed, and we work to resolve any issues expeditiously. We also help companies investing in HIPAA-regulated businesses conduct due diligence and related negotiations.

Our clients include:

  • large public health systems
  • academic medical centers
  • hospitals and health systems
  • physician group practices
  • ancillary service providers
  • health plans and other payors
  • health care clearinghouses
  • health data analytics companies
  • accountable care organizations
  • patient safety organizations
  • medical device companies
  • revenue cycle management companies
  • mobile clinical communication platforms

"They do a great job, and they really know the material and the issues."

Chambers USA 2019
(Illinois, Healthcare) survey response

  • Counsel numerous clients on an array of actual or potential HIPAA data breaches, security incidents and related reporting obligations.
  • Assist numerous covered entity and business associate clients in revising HIPAA policies, procedures and forms.
  • Develop internal HIPAA training materials and provide training programs to covered entities and business associates.
  • Counsel clients in drafting and negotiating numerous business associate agreements and HIPAA subcontractor agreements.
  • Help clients conduct internal HIPAA compliance audits.