Senior Communications Manager
Law360 Profiles Wiley Rein's Kirk Nahra
Kirk Nahra, chair of Wiley Rein's Privacy Practice and co-chair of the Health Care Practice, was profiled by Law360 as part of a running feature on leading privacy attorneys. Mr. Nahra spoke at length about challenging cases he has faced, lessons learned and important cases in the privacy arena.
On the issue of aspects of the law that need reformed, Mr. Nahra said, "I have been working on privacy and information security issues for more than a decade. In that time we have seen a proliferation of laws and regulations across the country, at both the state and federal level, as well as across the globe. ... While this is a great opportunity for lawyers in the field (because of the challenges of mastering all of these laws), both consumers and businesses would benefit from a much more streamlined approach, where there are fewer laws and regulations with clearer overall goals."
Below appears the full text of Mr. Nahra's interview with Law360.
Q&A With Wiley Rein's Kirk Nahra
Law360 -- Kirk J. Nahra is a partner in the Washington, D.C., office of Wiley Rein LLP, where he specializes in health care, privacy, information security, and overall compliance litigation and counseling. He is chairman of the firm's privacy practice and co-chairman of its health care practice. He assists companies in a wide range of industries in analyzing and implementing the requirements of privacy and security laws across the country and internationally. A member of the board of directors of the International Association of Privacy Professionals, he is the editor of Privacy Advisor, the monthly newsletter of the IAPP. He is also a certified information privacy professional.
Q: What is the most challenging case you have worked on and what made it challenging?
A: Most of my work today involves counseling clients on privacy issues, with the occasional enforcement proceeding or litigation matter thrown in. My entrance into the privacy space, however, came in one of the most important cases of my career, an early 1990s Racketeer Influenced and Corrupt Organizations Act/health care fraud case brought by a group of health insurers (our clients) against a company called National Medical Enterprises.
This case focused on allegations related to fraudulent billing for various psychiatric and substance abuse facilities. In the course of this litigation, the defendant used the various state health care privacy laws as a shield, to prevent access to their billing records that were relevant to the questions about the billing practices. I needed to become immersed in the details of these privacy laws, as a means of discovering the truth about the billing records in question.
This was a particular challenge because these laws had been on the books for many years, but there was essentially no history of them being enforced or interpreted, and no precedent on how they would apply in this context (where both parties knew the identities and even the medical conditions of all of the patients in question). When the Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act rules were developed, there was a logical progression for me from analyzing the state laws to helping my clients understand and work with these new and highly complicated regulatory schemes. That led to an entire new practice area for me over the past decade.
Q: What aspects of your practice area are in need of reform and why?
A: I have been working on privacy and information security issues for more than a decade. In that time we have seen a proliferation of laws and regulations across the country, at both the state and federal level, as well as across the globe. Many of these laws, particularly some of the state variations, simply tweak an existing approach, with the result being that a state law is simply different, not better. Many of the laws overlap, and often are inconsistent or, at a minimum, difficult to understand and follow.
While this is a great opportunity for lawyers in the field (because of the challenges of mastering all of these laws), both consumers and businesses would benefit from a much more streamlined approach, where there are fewer laws and regulations with clearer overall goals. Today's structure is simply too complicated and confusing to provide either effective individual privacy or reasonable compliance approaches. Too much time and energy is spent figuring out what the rules mean, rather than focusing on protecting privacy and security.
Q: What is an important case or issue relevant to your practice area and why?
A: One of the biggest ongoing projects in the health care industry today is the potential development of state or national health information exchanges, where individual medical information can be made available to those who need to use it quickly and efficiently, with more accuracy and more completeness. These networks -- coupled with the ongoing movement to electronic medical records, present an almost unique opportunity in the health care system -- the possibility of improving overall health care while also reducing costs.
However, the development of these networks has been bogged down in a wide variety of important details -- many involving cost and control but also due to concerns and complications about patient privacy and the security of health information. It clearly is crucial to maintain the privacy and security of these records. However, we also are seeing the possibility that concerns about these issues will impede and perhaps even prevent these networks from being built or from achieving these goals.
To date, an enormous amount of time and energy is being spent (and replicated) across the country, developing rules and procedures for these networks. We need to find a way to move these networks forward, and, while protecting privacy, not let vague and imprecise concerns about privacy prevent the accomplishment of these important societal goals.
Q: Outside your own firm, name an attorney in your field who has impressed you and explain why.
A: I am impressed with attorneys who can represent their clients effectively without being overly aggressive and without sacrificing the business implications of the legal work being done. One attorney I respect tremendously in the privacy field is Deven McGraw, director of the Health Privacy Project at the Center for Democracy & Technology. She has a thorough knowledge of all aspects of the health care privacy space and represents consumer interests admirably, but also has the intelligence and perspective to put privacy issues in the context of the remainder of the health care field. She is a highly responsible and effective consumer advocate.
Q: What is a mistake you made early in your career and what did you learn from it?
A: I have been at one firm my entire career, more than 20 years now. So, in general, my career has worked out reasonably well. However, I also have found that my early years at the firm, while providing important training, did not really prepare me for the challenges of being a partner more than 20 years later. In particular, my "mistake" early in my career (and when doing my job search in law school) was a failure to recognize how important it is to blaze one's own trail and be prepared to anticipate and respond to changes in the future, rather than trying to "pick" a field for work from the start.
While I have been at one firm this whole time, 100 percent of the work I do now is work that did not exist at this firm when I started as a first-year associate. Most of the work (health care fraud litigation and privacy counseling, for example) were not even existing legal disciplines at the time. So, as advice to younger lawyers, it is crucial to be prepared to be responsive to change, and to be ready and willing to make your own way in this profession, since it changes so constantly.