The Covid-19 era has amplified the need for specialized law firms with expertise in both privacy and life sciences as attorneys navigate an ever-changing slate of health-care regulations and an intricate patchwork of data laws.
Hospital hacks, compromised health records, and the use of bitcoin to pay off ransomware demands are among the matters landing on the desks of the modern law firm’s health-care practice. A move toward cross-sector specialty practices was already underway, but the explosion of telemedicine and a rise in patient data collection is expected to exacerbate the trend.
“Covid has really changed the landscape for health care,” said Heather Deixler, a member of Latham & Watkins LLP’s health-care and life sciences practice. She’s part of a team within that practice that focuses on life sciences privacy issues.
Clients in the health-care space are increasingly using remote tools to enable patient observation. That means lawyers need to “think through a lot of privacy issues” for clients, both established and emerging, that are deploying such tools in hospitals and other situations, she said.
Latham is the country’s second-largest law firm and reported more than $4.3 billion in revenue to The American Lawyer last year. Latham is one of several big U.S. law firms that have attorneys fluent in privacy law working in the health space.
“Our litigation and defense docket for health-care companies is the highest it’s ever been because of privacy and security issues,” said Mark Melodia, head of Holland & Knight’s data strategy, security and privacy team.
While it’s difficult to say how much of this is directly because of Covid-19, data breaches and security issues have “corresponded with the pandemic,” he said.
Shift to Digital
BakerHostetler said in a 2021 data security response report that while “continuous monitoring and surveillance and contact tracing became key pillars of the fight against COVID-19, complex issues related to data sharing, consent, and data privacy quickly came to the fore.”
The pandemic also “forced a shift to telemedicine” Melodia said. “The ways in which traditional health-care providers were figuring out how to go to market and reach their patients safely, effectively in ways consistent with HIPAA and other obligations have become a more significant part of our day-to-day practice.”
Melodia said the firm anticipated this shift several years ago, which is and part of why it put together a digital health initiative. But the firm hadn’t expected the transition to happen as dramatically as it has.
Holland & Knight’s digital health-care group brings together attorneys in life sciences, data privacy, and other areas of law to help tech companies navigate Food and Drug Administration regulations and advise them on the legal risks posed by emerging technologies such as blockchain and digital medicine, according to the firm’s website.
Among the focuses of Latham’s life sciences privacy team include the collection of data as it relates to digital health, including mobile apps, as well as clinical trials. The team works to solve the often thorny legal issue of who has the rights to data generated in clinical trials and in what circumstances that data can be used.
The biggest issue daily is using health information on mobile apps for commercialization purposes, Deixler said. “It all goes back to patient consent and notice and patient understanding of what you’re doing with the data and how that data will be shared.”
Privacy attorneys are a key component for big law firms’ health-care practices, business analysts say.
“As an industry, health care was among the earliest to have strong privacy rules,” said Jim Jones, principal at Legal Management Resources LLC. That’s due in part to the Health Insurance Portability and Accountability Act (HIPAA), a legal framework setting standards for protecting patient health information.
Hogan Lovells is also among the firms in the fray of privacy’s crossroads with health. In 2001, the firm brought on Marcy Wilder, a former Health and Human Services deputy general counsel who led the drafting of HIPAA.
“This is our sweet spot,” said Wilder, who founded Hogan Lovells’ privacy and cybersecurity practice. She said that industry-agnostic incidents like cyberattacks and ransomware “come with a special flavor for life sciences companies.”
Hacking is an increasing problem for health. Data from the HIPAA Journal show that 9.71 million health records were compromised in September 2020—up from 2.17 million the previous month. In October 2019, the number was 677,296.
Health sector data is “very sensitive” because it’s comprised of physician, patient, and even genetic data, Wilder said. Hackers often threaten to publish the information if they’re not paid or use it to commit fraud on insurers, she said.
Paying off a hacker can be a costly endeavor. BakerHostetler found in its report that in health care, the average initial ransomware demand is about $4.6 million dollars, with companies typically paying just shy of $1 million.
Privacy Law Patchwork
The growing patchwork of state privacy laws is another catalyst for collaboration within law firms. The push for comprehensive privacy bills is at a high, and multiple states have urged for legislation following passage of California’s Consumer Privacy Act in 2018, according to the International Association of Privacy Professionals.
The various state-by-state data rules are driving the need for cross-specialty privacy teams to help clients as they dabble in emerging technologies like artificial intelligence, a space where Deixler said regulations may still be catching up with the science.
“That’s something our clients are constantly managing and trying to think through,” she said. “A number of clients work with AI and machine learning and are thinking through the types of data that are appropriate to use for those algorithms. And the regulations are just being written right now.”
“The way that patients are interacting with companies now, that’s something HIPAA didn’t anticipate when the regulations were drafted,” Deixler added.
While firms are increasingly incorporating privacy into their health practices, some say it’s far from the norm.
“Fewer firms have figured out how to truly integrate different practice areas into a single focus,” said Marcie Borgal Shunk, president and founder of the Tilt Institute, a law firm transformation advisory group. “If you look at the largest firms in the world who successfully did that, you are going to have a very small number who have done that repeatedly” for different practice areas.
Going more collaborative is “a work in progress,” as it involves changing compensation structures, training and development, support from leadership, and non-lawyer hires, Borgal Shunk said.
But it’s still seen as a must for much of Big Law as the transformation to digital health, and the privacy issues that come with it, accelerates, Melodia said.
“We’re not many years away from dropping the ‘digital’ and ‘tele-' and just calling it health,” he said.