What Does a HIPAA Lawyer Do?

Lawyers (unless they are doing charity work) represent someone with the expectation of payment, whether on a contingency or an hourly basis. If a law provides a monetary remedy for its violation, there is an opportunity for a lawyer to get paid. Some laws, however, do not allow people to recover money damages for a violation, and HIPAA is one of them: it creates no private right of action, so individuals cannot file suit for money damages on the basis of a HIPAA violation. This means there is less of an incentive for lawyers to take HIPAA cases than cases tied to a law that allows money damages. So, then, what does a HIPAA lawyer do?

In some cases, a HIPAA lawyer advises an organization on what it must do to become compliant. In other cases, if an Office for Civil Rights (OCR) investigation is already underway, a HIPAA lawyer can assist the client in responding to the investigators’ questions and demands. For any of these services, the lawyer may charge by the hour, or may charge a flat fee (e.g., $3,000) that covers all of the work the lawyer will perform for the client.

What Kinds of Advice Does a HIPAA Lawyer Give?

Frequently, a HIPAA lawyer is asked to help a covered entity or business associate assess its compliance with the HIPAA Privacy Rule, the HIPAA Security Rule, or the HIPAA Breach Notification Rule.

The HIPAA Lawyer: During an Investigation

Covered entities and business associates may seek a HIPAA attorney’s advice in the middle of an ongoing Department of Health and Human Services (HHS) investigation. In such situations, the HIPAA lawyer can advise the organization on the procedural aspects of the investigation, such as whether and when the organization can appeal a proposed fine, when the appeal must be filed, what the appeal must contain, and when the organization can file a lawsuit.

The HIPAA lawyer also works with covered entities and business associates in preparing a defense. When OCR accepts a complaint for investigation, the covered entity or business associate is asked to present information about the incident or problem described in the complaint. Here, the HIPAA lawyer can fashion the response by describing how the entity complied or attempted to comply with the HIPAA rules, or by arguing that the violation deserves a lesser penalty or fine. Covered entities and business associates must cooperate with OCR investigations of complaints, and the HIPAA lawyer assists in this cooperation by ensuring that filing deadlines are met, that the investigators’ questions are answered, and that the specific information OCR asks for is provided.

The HIPAA Lawyer: Preventive Measures

Alternatively, the HIPAA lawyer may work with a covered entity or business associate on that organization’s preventive self-audit, with the aim of reducing the risk of an unauthorized disclosure before any complaint or breach occurs.

In recent years, HHS has emphasized the need for organizations to conduct an enterprise-wide HIPAA risk analysis of privacy and security risks and vulnerabilities, in particular those affecting the confidentiality, integrity, and availability of the electronic PHI the organization creates, receives, maintains, or transmits. The HIPAA lawyer can assist the covered entity or business associate in performing the analysis, by ensuring that all of the required steps have been completed, and in the risk remediation efforts that follow.

For example, a HIPAA lawyer assisting with a security self-audit may advise an organization after that organization shares the results of its risk analysis with the lawyer.

The HIPAA lawyer may provide this advice by:

  • Developing a risk management plan to address and mitigate any risks uncovered during the risk analysis;
  • Reviewing and revising a covered entity’s or business associate’s privacy and security policies and procedures;
  • Establishing and periodically updating training materials for all employees and other workforce members; and
  • Developing procedures to terminate access to PHI when employees and other workforce members leave employment.

The HIPAA Lawyer: When a Breach is Detected

In some instances, a client seeks the advice of a HIPAA lawyer neither for investigation response nor for the creation of preventive measures, but in a third, “in between” situation: the period immediately following a breach or suspected breach. Here, the HIPAA lawyer can assist the client in determining whether the suspected event is, in fact, a breach as HIPAA defines it. The lawyer can also assist in determining whether the breach is a reportable breach, that is, whether it involves unsecured PHI (PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons, for example through encryption consistent with HHS guidance). Under the Breach Notification Rule, an impermissible use or disclosure of unsecured PHI is presumed to be a reportable breach unless the entity can demonstrate, through a documented risk assessment, that there is a low probability the PHI has been compromised. Finally, the lawyer can advise the covered entity or business associate that sustained a reportable breach as to its notification obligations: whom the entity must notify, what the notification must contain, and when it must be sent. In short, the lawyer can assist an organization in providing proper, timely notification as required by the HIPAA Breach Notification Rule.