Conducting a Security Risk Analysis with Legal Privilege

Healthcare Firms Weigh Legal Privilege in Security Risk Assessments

Attorneys have identified a strategic option for healthcare firms: conducting security risk assessments under attorney-client privilege. The tactic is meant to keep sensitive findings from surfacing during discovery in potential litigation. However, Adam Greene, a partner at the law firm Davis Wright Tremaine, cautions that while the approach has advantages, healthcare organizations must thoroughly evaluate both the benefits and the drawbacks before proceeding.

Greene elaborated on this strategy during an interview with Information Security Media Group at the HIMSS 2026 Conference in Las Vegas, Nevada. He explained that a risk assessment performed by an attorney or legal counsel carries certain protections, ensuring that the insights garnered from the assessment cannot be easily weaponized against the organization. "Anytime you’re doing a risk assessment and potentially uncovering negative issues that might be undesirable to disclose to a plaintiff’s attorney in the event of a breach case, the privilege provides a layer of protection," Greene noted.

However, he emphasized that the privilege associated with legal counsel is not absolute. "To qualify for legal privilege, the assessment must be conducted for the purposes of obtaining legal advice or preparing for litigation," he explained. This means that healthcare organizations could face significant risks, particularly if they fail to navigate the nuances of privilege correctly.

One key concern is that asserting privilege for a routine Health Insurance Portability and Accountability Act (HIPAA) security risk analysis may not be well-received in the eyes of regulators. Greene warned that if a healthcare firm declines to share the findings of a HIPAA risk analysis with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) under a claim of privilege, regulators might interpret this refusal as an indication that the organization did not adequately conduct the required risk assessment. Consequently, this could expose the firm to potential enforcement actions for non-compliance with HIPAA regulations.

In his comprehensive discussion, Greene also addressed other vital considerations related to conducting risk analyses under the veil of privilege. He highlighted the complexities surrounding forensic findings during data breach investigations, which could pose additional challenges when determining whether to claim privilege. As organizations navigate these turbulent waters, the ramifications of mishandling a privilege claim could extend beyond legal consequences, impacting the organization’s reputation and stakeholder trust.

Moreover, Greene touched upon emerging regulatory issues tied to privacy and security that healthcare firms should be vigilant about. As the landscape of healthcare technology evolves—including the incorporation of artificial intelligence (AI) and machine learning—new legal challenges arise that necessitate a robust understanding of applicable privacy and security laws.

Greene possesses extensive expertise in health information privacy and security legislation, and his previous role as senior health information technology and privacy specialist at HHS OCR has equipped him with a wealth of knowledge. In that capacity, he significantly contributed to the administration and enforcement of HIPAA privacy, security, and breach notification regulations.

In summary, while conducting security risk assessments under attorney-client privilege can offer a valuable layer of protection for healthcare firms, the decision to do so should not be taken lightly. Organizations are encouraged to consider the implications carefully, recognizing that assumptions about privilege might not hold up under regulatory scrutiny. As healthcare professionals prepare for mounting challenges in privacy and security, understanding the interplay of legal implications and business strategies will remain paramount in safeguarding their operations and maintaining compliance with evolving regulations.
