

The Pros and Cons of Performing Security Assessments Under Privilege
Information
A security assessment, such as a HIPAA Security Rule risk analysis, can reveal all of an organization's greatest vulnerabilities. In the hands of a hacker, it can serve as a roadmap of how to attack the organization. In the hands of a plaintiff's attorney or regulator, it can serve as damning evidence of information security failures. In 2024, the Federal Trade Commission placed a healthcare provider under a 20-year consent order for deceptive trade practices because it claimed that it was HIPAA-compliant but the results of its independent HIPAA gap assessment found only 60-percent compliance. One method to protect the confidentiality of a risk assessment or compliance review is to conduct it under the direction of legal counsel and claim the benefit of attorney-client privilege. This session will explore the pros and cons of such an approach, such as the benefits of a claim of privilege; the extra time, cost, and burden of involving legal counsel; and the risks that a claim of privilege will fail and the assessment will be used against the organization. The session will also discuss the operational elements of performing an assessment under the direction of counsel, with practical tips and strategies.
