Healthcare News
Articles, Jobs and Consultants for the Healthcare Professional
Erica Erman, Attorney, Dickinson Wright PLLC

Imagination Is Essential for Good Legal Defense



By Erica Erman
Attorney
Dickinson Wright




Original Publish Date: September 2, 2025

Growing up, my family played an unusual game around the dinner table. After sharing about our days, my dad (also a health care attorney) would ask my sisters and me to argue. He’d pick a topic, such as why my younger sister should have a later bedtime than me, or what movie we should rent at Blockbuster, and then we’d each be given roughly three minutes to present our arguments and another minute for rebuttal. The most challenging (and fun) part of the game was that we always had to argue the side other than what we naturally would have wanted. As it turns out, my dad gave my sisters and me a gift with this game - the ability to think critically about a topic, and a lifelong tool for how to critique our own arguments to make them stronger and recognize the strengths and weaknesses of others’ arguments. My little sister and I both became attorneys (my older sister became an educator) and all three of us use these skills every day.

Learning to identify your opponent’s strongest arguments paves the way for the strongest defense and for resolution. Here are questions I ask regularly when evaluating a case:

If everything the opposing side alleges is true, can I still win?

Which specific facts that the opposing side claims are true are actually incorrect? Can I prove they are incorrect?

Do the specific laws that opposing counsel says govern this dispute actually say what opposing counsel believes they say? Can those rules reasonably be interpreted differently, or indeed, do they apply at all here?

Take a real-world example that is all too common for health care providers and entities: the dreaded HIPAA breach. Identifying the appropriate course of action for HIPAA breach concerns (and conducting the required risk analysis) requires imagination. When clients ask me if a particular unauthorized disclosure constitutes a reportable HIPAA breach, the underlying question I have while walking through the risk factors is: “If I were a pirate or a professional hacker, what could I possibly reasonably do with the information that has been inadvertently shared?”

Examples of Common Non-Malicious HIPAA Unauthorized Disclosure Issues that Cross My Desk

These examples are common, preventable mistakes. Each instance of a suspected or known HIPAA breach needs to be examined to determine exactly what information was disclosed, where it went, and what mitigating efforts can be or have been taken to prevent further unauthorized disclosure.

A Quick Refresher While We’re on the Topic of HIPAA Breaches

Consequences of Failing to Conduct Risk Analyses

It is important to make sure your entity conducts, and that each staff member attends, regular HIPAA compliance training and refresher courses. It is incredibly easy to make mistakes and it is vitally important to avoid those mistakes. Just as important, make sure your entity is up to date with Security Rule requirements, which include significant risk analysis updates.4

In a recent example from this summer, HHS’ Office for Civil Rights (OCR) announced a $225,000 settlement including a two-year corrective action plan with a behavioral health provider over unauthorized disclosures of electronic PHI. The information disclosed included discharge summaries that were mistakenly publicly viewable online (with patient names, DOB, patient identification numbers, facilities, and diagnoses) for over a year. Later, the same entity experienced a ransomware attack and extortion threats, affecting over 171,000 individuals.5

Based on its investigation into both incidents, OCR found that the entity “failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI that it held.”6

OCR has made clear that they will enforce the HIPAA Security Rule, and as this example shows, will investigate, fine, and monitor entities that fail to conduct comprehensive risk analyses.

Whether your entity needs to review an unauthorized disclosure incident to determine if it is a reportable HIPAA breach, is in the process of conducting a Security Rule risk analysis, or is caught in any other type of legal dispute, it pays to think outside the box and understand both your own and your opponent’s strongest arguments. It also makes excellent dinner table conversation (de-identified, of course).

Erica Erman is an attorney at Dickinson Wright in Phoenix, Arizona, where she practices health law and administrative and regulatory law with a particular interest in behavioral healthcare and interactions between municipal law and healthcare law. She can be reached at EErman@dickinsonwright.com.

1. See 45 CFR § 160.103
2. See 42 USC § 1320d(6)
3. See 45 CFR § 164.402
4. You can read more about the proposed HIPAA Security Rule update here: https://healthlawblog.dickinson-wright.com/2025/02/security-security-hhs-proposes-updates-to-hipaas-security-rule/
5. You can find the Resolution Agreement entered into for this case here: https://www.hhs.gov/sites/default/files/ocr-hipaa-racap-deer-oaks.pdf
6. See https://www.hhs.gov/press-room/ocr-hipaa-racap-deer-oaks.html