Our privacy and security attorneys help clients navigate the complexities of state, federal, and international privacy and security laws and regulations. We assist clients by:

  • Advising on corporate transactions that require an assessment of privacy and security compliance
  • Counseling with respect to data breach reporting and notification under state and federal law, including drafting and coordinating individual and agency notifications with OCR and across states and foreign countries, and developing and implementing remediation efforts and corrective action plans
  • Responding to government investigations and negotiating resolution agreements with OCR
  • Analyzing privacy and security issues arising in the research context, including requirements for the use and sharing of data with research sponsors and among academic collaborators
  • Providing workforce training regarding the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule as well as other federal and state laws, with a focus on the practical implications of those rules for the client's workforce
  • Helping clients comply with non-U.S. data protection laws such as the EU General Data Protection Regulation (GDPR)
  • Drafting data use and sharing agreements, customized policies and procedures, training materials, and business associate agreements

Firm Highlights

Privacy/Security Compliance Strategy

Advised a health technology company on privacy and security compliance strategy for its behavioral health services website and mobile application.

European Union GDPR—Institution

Drafted policies, notices, consent documents, and data processing agreements for compliance with the GDPR for various academic medical centers and health systems in relation to research, clinical, and other activities.

Data Breach Investigation

Investigated data breaches by hospitals and medical groups, drafted Health Insurance Portability and Accountability Act of 1996 (HIPAA) and state breach notifications, and negotiated settlements with the Office for Civil Rights.

Created HIPAA and Health Information Technology for Economic and Clinical Health Act policies and procedures for covered entities and business associates.

European Union GDPR—Pharmaceutical Company

Advised a pharmaceutical company on all aspects of compliance with the European Union General Data Protection Regulation (GDPR), including gap analysis, policy and procedure development, and vendor and other third-party contract revisions.

Privacy Shield

Assisted a client with all aspects of its initial certification of compliance with the European Union-United States Privacy Shield (Privacy Shield), advising its leadership on the benefits and risks of proceeding with Privacy Shield...

Health Information Exchange

Worked on behalf of a client to effect statutory changes to a state law that would allow for the creation of one of the nation's first state-wide health information exchanges.

Contact Verrill at (855) 307 0700