
Conducting a Security Risk Analysis Under Legal Privilege

Data Breach Today · Archived Mar 16, 2026

Attorneys can conduct security risk assessments under the color of client privilege, making the findings less likely to surface in discovery during litigation. But healthcare firms should consider the cons before they take that route, said attorney Adam Greene, partner at the law firm Davis Wright Tremaine.



Governance & Risk Management, HIPAA/HITECH, Risk Assessments

Attorney Adam Greene of Davis Wright Tremaine Outlines the Pros and Cons

Marianne Kolbasuk McGee (HealthInfoSec) • March 13, 2026

Attorneys can conduct security risk assessments under the color of client privilege, making the findings less likely to surface in discovery during litigation. But healthcare firms should consider the cons, as well as the pros, before they take that route, said attorney Adam Greene, partner at the law firm Davis Wright Tremaine.

A security risk assessment conducted under privilege by an attorney or legal counsel has certain protections so that the findings cannot be "readily used against you," he said.

"Anytime you're doing a risk assessment and you might get negative things identified that you wouldn't want in the hands of a plaintiff's attorney in a breach case, for example," he said in an interview with Information Security Media Group during the HIMSS 2026 Conference in Las Vegas, Nevada.

But a claim for privilege "won't be perfect," Greene said. "To qualify for legal privilege it has to be for purposes of obtaining legal advice or in preparation of litigation."

Asserting in court or to regulators that a routine HIPAA security risk analysis was performed under privilege, in hopes of avoiding a potential HIPAA regulatory enforcement action, could backfire, he said.

That's because, depending on the circumstances, declining to turn over the findings of a HIPAA risk analysis to the Department of Health and Human Services Office for Civil Rights under a claim of privilege could instead lead regulators to view that as a failure to have conducted a risk analysis, which itself could be subject to a possible enforcement action, Greene said.

In this audio interview with Information Security Media Group (see audio link below photo), Greene also discussed: other considerations, and pros and cons, in conducting a risk analysis under privilege; issues involving forensics findings in a data breach investigation; and upcoming privacy and security regulatory issues to watch.

Greene specializes in health information privacy and security laws, including applying those laws to new technologies, such as artificial intelligence and machine learning. He formerly was senior health information technology and privacy specialist at HHS OCR, where he played a significant role in administering and enforcing HIPAA privacy, security and breach notification rules.