Steven J. Fox

Steven J. Fox is Senior Counsel and Chair of the Firm’s Information Technology Practice Group, and Co-Chair of its Data Privacy & Cybersecurity Practice Group. Mr. Fox is an acknowledged and well-known national authority on legal issues regarding information technology, data privacy, and healthcare information technology. Since 1990, he has been assisting clients with legal issues and strategic counseling involving technology, healthcare information systems, data privacy matters, healthcare regulatory compliance, and e-commerce. In particular, he has significant experience in the development, acquisition, negotiation, transfer and licensing of complex information systems; Health Information Exchanges (HIEs); Regional Health Information Organizations (RHIOs); networks and software; outsourcing transactions; acquisition and implementation of Electronic Health Records (EHRs); data privacy protection, including Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance; Internet and technology-use policies; consulting/services agreements; and corporate, contractual and intellectual property matters. Additionally, Mr. Fox advises client companies in the hospitality industry, including hotels and restaurants, on the legal issues involved in data privacy and management and information systems.

Read full bio > Read less >

• Collaborated with the respective General Counsels and Information Technology teams of two large, regional health systems to negotiate complex, multi-layered, multimillion dollar agreements with a provider of comprehensive inpatient and ambulatory clinical information systems. Result: As a result of the separate negotiations, the final agreements included significant protections for the health systems that had not been present in the original agreements, including expanded warranties, pricing protection, indemnification, significant modifications to the limitation of liability, and expansion of technology vendors’ liability in the event of third-party claims due to the vendor’s breach or negligence.

• "Meaningful Use Audits: Preparation is the Best Representation," American Health Lawyers Association's (AHLA) Journal of Health & Life Sciences Law (October 2016)
• "Update on Extension of Stark Exception and Anti-Kickback Safe Harbor EHR Regulations," AHLA Health Information and Technology Practice Group Alert (December 20, 2013)
• "Gaining Contract Advantage with EHR Vendors: Using Contract Provisions to Protect Your Organization and Create Successful Vendor Partnerships," Healthcare Informatics (March 2011)
• "Caveat Doctor: Let the Healthcare IT Buyer Beware," Government Health IT (October 29, 2010)
• "Effect of Healthcare Reform on Health Information Technology," American Health Lawyers Association (AHLA) Health Reform Resource Guide (July 2010)
• "Protecting Patient Data -- New Rules, New Headaches, Risk Management: What Board Members and Senior Managers Need to Know," AHLA Business Law and Governance Practice Group Executive Summary (April 2010) (with Peter D. Hardy) 
• "Negotiating Contracts For Vendor-Financed Purchases Of EHR Systems," Journal of Health Information Management, Vol. 24, No. 1 (Winter 2010)
• "New Terminology in the HITECH Act," Advance for Health Information Executives, Vol. 13, No. 12 (December 2009)
• "Risk Prevention/Management Advice to Hospitals Regarding Document-Sharing Technology" (April 1, 2009)
• "Summary of EMR Incentives and New HIPAA Provisions in HITECH Act," MD HIMSS Newsletter (Spring 2009)
• "Secure Messaging Software May Be Ineligible for Donation by Hospitals to Physicians," HITS Newsletter (January 15, 2009)
• "Identity Theft Prevention Program Deadline Postponed; Overview of Program Requirements" (November 25, 2008) (with Edward F. Shay)
• "HIPAA Lessons Learned From HHS-Providence Resolution Agreement"(September 24, 2008) (with Edward F. Shay)
• "Health Care Providers and the Red Flag Rules: Time is Running Out" (August 21, 2008) (with Edward F. Shay)
• Co-Author, "Implementation Solutions and Unintended Gaps of Cost Sharing: HHS Final Rules for e-Prescribing and Electronic Health Records," The Journal of Healthcare Information Management, Vol. 21, No. 3 (Summer 2007)
• "Guide to Establishing a Regional Health Information Organization," HIMSS (2007)
• Co-Author, "Guide to Medical Privacy and HIPAA," Thompson Publishing Group, Washington, D.C. (2002)

• Quoted in, "Obama Cybersecurity Plan Could Change Healthcare Processes," by Joseph Goedert in HealthCareData Management (January 15, 2015)
• Video Interview "Is Your Data At Risk in the Cloud?" with H&HN Magazine's Matthew Weinstock (September 24, 2014)
• Quoted in "Navigating Negotiations With Cloud and Mobile IT Vendors," by Dave Fornell in Imaging Technology News (ITN) (June 3, 2014)
• Interviewed in "Signing an EMR contract? Avoid these 5 gotchas," by Anne Zieger in Healthcare Dive (October 31, 2013) 
• Interviewed in The Health Record Review by Patty Enrado in EHR Watch (November 3, 2010)
• Quoted in "Staying Ahead of the Curve" by John Degaspari in Healthcare Informatics (September 29, 2010)
• Quoted in "Due Diligence a Key Part of Data Security" by John Degaspari in Healthcare Informatics (September 8, 2010)
• Quoted in "Health IT Contracts Offer Little Protection for Buyers" by Nicole Lewis in InformationWeek Healthcare (August 23, 2010)
• Quoted in “Zero Tolerance" by Gregg Blesch & Joe Carlson in Modern Healthcare (March 1, 2010)
• Quoted in “Privacy Policies Over Electronic Health Records Expand Reach” by Anya Litvak in the Pittsburgh Business Times (February 19, 2010)
• Quoted in “IT Vendor Negotiations in the ARRA Era” by Greg Goth in For The Record (February 15, 2010)
• Quoted in “Shore Up Your HIPAA Compliance Before Enforcement Storm Hits This Year” in inhealthcare.com (February 3, 2010)
• Quoted in "User Authentication Strategies" by Howard J. Anderson in Health Data Management Magazine (January 1, 2010)
• Quoted in "Health Information Exchanges Are Getting More Federal Funding, But Tougher Strings Are Attached" by John Moore in Government Health IT HIEwire (November/December 2009)
• Article, Breach Rules Require New Look at HIPAA in "Health It Stimulus Summit Offers Multiple Lessons" by Dan Rode in Health Data Management Magazine (November 2009)
• Quoted in "The Big Push" by Lindsey Getz in For the Record, Vol. 21, No. 10 P. 8 (May 11, 2009)
• Quoted in "Free EMR Systems Winning Over Practices, but Won’t Solve Compliance and Integration Challenges" by Neil Versel in Part B News 
  (May 4, 2009)
• Quoted in "Attorney: Don’t Wait for Stimulus Work Health Data Management" by Joseph Goedert in Health Data Management Magazine (May 1, 2009)
• Interviewed in "One-on-One with Post & Schell Attorneys Steven Fox & Edward Shay, Part IV," by Anthony Guerra in Healthcare Informatics (March 31, 2009)
• Interviewed in "One-on-One with Post & Schell Attorneys Steven Fox & Edward Shay, Part III," by Anthony Guerra in Healthcare Informatics (March 30, 2009)
• Interviewed in "One-on-One" with Post & Schell Attorneys Steven Fox & Edward Shay, Part II," by Anthony Guerra in Healthcare Informatics (March 20, 2009)
• Interviewed in "One-on-One with Post & Schell Attorneys Steven Fox & Edward Shay, Part I," by Anthony Guerra in Healthcare Informatics (March 19, 2009)

• Co-Presenter, "Hot HIPAA Topics: Breaches and Enforcement," Maryland Health Care Commission Senior Staff Summit-Growing Challenges to Securing, Using, and Transmitting PHI, Baltimore, MD (September 13, 2018)
• Co-Presenter, "Panel: Patient Data Security Legal Briefing," HealthSystemCIO Webinar (April 12, 2016)
• Presenter, “Advanced Issues in HIT Contracts and Negotiation Strategies,” HIMSS16 Conference, Las Vegas, NV (March 3, 2016)
• Moderator, "Phishing - Combatting the Most Dangerous Game," Privacy & Security Forum presented by HIMSS and Healthcare IT News, Boston, MA (December 1, 2015)
• Co-Presenter, "The Ethics of Mobile Computing and Cybersecurity: Protecting Physicians and Securing Patient Data Across the Continuum of Care,” New Jersey and Delaware Valley Chapters of HIMSS, Fall Conference, Atlantic City, NJ (October 29, 2015)
• Presenter, “Dangers of Cloud Computing," National HIMSS Webinar (May 7, 2015)
• Presenter, "The Dangers of Cloud Computing," Fact or Fiction: ICD-10 & Security in 2015,  HIMSS (Healthcare Information Management Systems Society) Maryland Chapter, Baltimore, MD (March 12, 2015)
• Co-Presenter, "The Ethics of Mobile Computing: Protecting Client and Health Data Outside the Office," ABA 16th Annual Conference on Emerging Issues in Healthcare Law, Lake Buena Vista, FL (March 6, 2015)
• Co-Presenter, "Ensuring Privacy and Security of Health Information,” New Jersey and Delaware Valley Chapters of HIMSS, Fall Conference, Atlantic City, NJ (November 13, 2014)
• Moderator, "The Security Supermarket: Best Practices for Vendor Contracting and 3rd Party Compliance," The Privacy Security Forum, Boston, MA (September 8, 2014)
• Presenter, "Deploying and Leveraging Health Information Technology in an Integrated System of Care Hidden Risks of Cloud Computing," AHA Leadership Summit, San Diego, CA (July 22, 2014)
• Co-Presenter, "Avoiding HIT Disasters," AHLA Webinar (May 19, 2014)
• Presenter, “Privacy and Security Update for PA – 2014 and Beyond,” PAeHI Summit, Harrisburg, PA (May 14, 2014)
• Co-Presenter, "Privacy & Security Whitepaper, PAeHI (Pennsylvania eHealth Initiative) Webinar, KINBER Annual Conference, Harrisburg, PA (April 23, 2014)
• "HIT Issues in Mergers & Acquisitions," ABA eHealth Privacy and Security Webinar (April 4, 2014)
• "Advanced HIT Contracting Issues," AHLA HIT Conference, Baltimore, MD (March 28, 2014)
• Co-Presenter, Privacy & Security Whitepaper, PAeHI (Pennsylvania eHealth Initiative) Webinar (March 26, 2014)
• "Dangers Lurking in the Clouds," (PBI Health Law Institute), Philadelphia, PA (March 14, 2014)
• "Dangers of Cloud Computing," HFMA (Healthcare Financial Management Association), Baltimore, MD (March 4, 2014)
• "Hidden Pitfalls with Cloud, Mobile Technology and Mobile Data," HIMSS (Healthcare Information Management Systems Society), Orlando, FL (February 24, 2014)
• “HIT Software Licensing Contract Education Seminar,” WellSpan Health, York, PA (August 27, 2013)
• Panelist, “HIPAA and HITECH Compliant HIT Infrastructure: Practical Privacy and Security Implementation Measures to Protect EHRs, CDS, CPOE, E-Prescribing and Ensure Interoperability," ACI's 3rd Annual Health Care Privacy & Security Forum, New York, NY (May 23, 2013)
• "Health Information (Not Insurance) Exchange in PA: The Legal and Policy Implications," Meeting of the Pennsylvania eHealth Initiative (PAeHI), Harrisburg, PA (March 27, 2013) (Co-presented with Robert Torres)
• "Maryland HIE Structure," Webinar presentation to HIMSS Legal Task Force (March 25, 2013) (Co-presented with Jim Wieland of Ober, Kaler, Grimes & Shriver)
• "Health Information (Not Insurance) Exchange in PA: The Legal and Policy Implications," PBI's Health Law Institute 2013, Philadelphia, PA
  (March 13, 2013) (Co-presented with Robert Torres)
• "Indemnification and Health IT Contracts," Webinar presentation to HIMSS Legal Task Force (January 28, 2013)
• Panelist, "Building a HIPAA and HITECH Compliant HIT Infrastructure: Practical Privacy and Security Implementation Measures to Protect EHRs, CDS, CPOE, E-Prescribing and Ensure Interoperability," ACI's 2nd Annual Health Care Privacy & Security Forum, Philadelphia, PA (December 6, 2012)
• Co-Presenter, "A Health Care Data Breach Dissected - How and Why Having the Right Counsel and Vendor Expertise Makes All the Difference," Chubb Group of Insurance Companies Sponsored Webinar (September 20, 2012)
• Panelist, “The Cloud in Healthcare,” iHT2 (Institute for Health Technology Transformation) Summit, San Francisco, CA (March 27, 2012)
• Panelist, "Compliance Checklist for HIPAA & HITECH," Chesapeake Regional Tech Council, Linthicum, MD (December 7, 2011)
• "HIPAA Privacy & Security: Still Here and More Important Than Ever," presentation to the Board of Directors of University Medical Associates, Medical University of South Carolina, Charleston, SC (September 1, 2011)
• "Negotiating EHR Contracts," AHLA's Riding the HIT Tidal Wave Conference, Washington, D.C. (April 27, 2011)
• Co-Presenter, "Risk Analysis: Meeting HIPAA, HITECH and Meaningful Use Requirements," HIMSS Privacy & Security Committee Webinar
  (February 2, 2011)
• Co-Presenter, "HIPAA Privacy & Security Changes Under HITECH Act"
  (October 7, 2010) (with Kroll Fraud Solutions)
• Co-Presenter, "A Lawyer's Take on the Implications of Meaningful Use on Healthcare Providers,"  American College of Surgeons, Washington, D.C. (September 8, 2010; September 14, 2010)
• "How Strong Contract Negotiation Strategies Can Impact EHR and HITECH Act Success," 2010 AHIMA Legal EHR Conference, Chicago, IL (August 16, 2010)
• "Meaningful Use Update," Maryland HIMSS Conference, Baltimore, MD
  (March 25, 2010)
• "Electronic Health Records Technology Contracts After HITECH," Strafford Continuing Legal Education Webinar (March 23, 2010) (with William Gillespie of WellSpan Health)
• "Negotiating Must-Have Provisions in HIT Contracts," Post & Schell, P.C. Webinar (March 18, 2010)
• "Defusing Data Privacy, Confidentiality & Security Land Mines: Negotiating the HIT Deal, Implementing Compliance, Responding to Crisis," (with Peter D. Hardy); and "Electronic Health Records: Licensing and Incentives," (with William J. Gillespie of WellSpan Health, Pennsylvania Bar Institute program, Philadelphia, PA (March 12, 2010)
• "A Lawyer’s Take on Meaningful Use," Post & Schell, P.C. Webinar
  (February 25, 2010)
• "Legal Strategies on the Road to Meaningful Use: Negotiating Strategies to Manage Expectations and Avoid Disputes," HIMSS ARRA Road Show, Chicago, IL (January 15, 2010)
• Panelist, Discussion on Privacy & Security Issues, Health Information Exchange Summit, Sponsored by the Consulate of Canada, Philadelphia College of Physicians, Philadelphia, PA (November 10, 2009)
• "Privacy and Security: How HITECH is changing HIPAA," Health IT Stimulus Summit, Boston, MA (September 18, 2009) (with Edward F. Shay)
• "Untangling the Health Care Stimulus Package: 7 Months Later - ARRA’s Impact on HIPAA," The Health Care Connectivity Summit, Baltimore, MD
  (September 23, 2009)
• Moderator, "A Real World Look at Successful Strategies for Acquisition, Implementation and Operation of an EHR in a Hospital Setting," CBI's Access Federal Stimulus Incentives for Electronic Health Records Conference, Alexandria, VA (September 24, 2009)
• "Ensuring Privacy and Security of Health Information Exchange," Collaborative Communications Summit, Fort Lauderdale, FL (June 17, 2009) (with William Gillespie, VP-Chief Technology Officer & CIO Emeritus at WellSpan Health)
• "Hackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable," SCCE Conference, Austin, TX (June 2, 2009) (with Peter D. Hardy)
• "Ensuring Privacy and Security of Health Information Exchange," Maryland Tech Council's First Annual Mid-Atlantic Healthcare IT Conference, Bethesda, MD (April 30, 2009) (with William Gillespie, VP-Chief Technology Officer & CIO Emeritus of WellSpan Health)
• Co-Presenter, "Privacy and Security Aspects of the HITECH Act," AHLA Teleconference - Part II, Washington, D.C. (March 26, 2009)
• "American Recovery and Reinvestment Act of 2009's Impact on Health IT and the Government's Role in Adoption of Electronic Health Records," FOSE 2009 Conference, Washington, D.C. (March 11, 2009)
• "Security and Privacy Issues in Connection with Wireless Technologies," Maryland HIMSS Conference, Baltimore, MD (October 31, 2008)
• Panelist, "Privacy and Security: Health Information Exchange in Pennsylvania," Western PA HIMSS Conference, Pittsburgh, PA (October 16, 2008)
• Moderator, "The Role of Stark Reform in the Transformation of Healthcare in Rural Maine," HIMSS Summit, Washington, D.C. (June 9, 2008)
• "E-Discovery: Practical Knowledge About Data Retention and Management Under the Federal Rules on E-Discovery," Central Pennsylvania Health Information Management Association (CPHIMA), Hershey, PA
  (December 14, 2007)
• "Complying with the Amended Stark & Anti-Kickback Regulations," West Virginia HIMSS Chapter, Roanoke, WV (December 13, 2007)
• "Legal Implications of the Ambulatory EHR - Complying with the Amended Stark & Anti-Kickback Regulations," Maryland HIMSS Conference, Sheppard Pratt Conference Center, Baltimore, MD (October 12, 2007)
• Co-Author, "Implementation Solutions and Unintended Gaps of Cost Sharing: HHS Final Rules for e-Prescribing and Electronic Health Records," The Journal of Healthcare Information Management, Vol. 21, No. 3 (Summer 2007)
• "Complying with the Amended Stark & Anti-Kickback Regulations," Connecting Communities Regional Forums, Boston, MA (May 10, 2007); Orlando, FL
  (May 3, 2007); Chicago, IL (December 14, 2006); Salt Lake City, UT
  (December 12, 2006)
• "Stark & Anti-Kickback Impact on EHR Adoption," HIMSS Summit, Washington, D.C. (June 6, 2006)
• "RHIOs: Legal Issues," BIO-IT Coalition Conference on Using Advanced Information Technologies to Develop Personalized Medicine-Healthcare, George Mason University, Fairfax, VA (May 4, 2006)
• "e-Health Initiatives: Collecting, Connecting and Collaborating with Electronic Health Records," Sponsored by New Jersey Hospital Association, Princeton, NJ (March 23, 2006)
• "RHIOs: Laws and Ethics," HIMSS Forum, San Diego, CA (February 12, 2006)
• "Legal Issues and Considerations for RHIOs," sponsored by World Research Group, Las Vegas, NV (November 29, 2005)
• "Connecting Providers to RHIOs - Legal Issues & Challenges for Regional Health Information Organizations," SoftMed Executive Forum, Aventura, FL (January 15, 2005)
• "Implications of First HIPAA Criminal Conviction," Audio conference, Sponsored by Strafford Publications, Inc., Washington, D.C. (November 9, 2004)
• "Protecting Your Organization with Internal Policies and Procedures," Workaday HIPAA Conference, Sponsored by UCG, Boston, MA (April 11, 2003)
• "A HIPAA Primer," sponsored by InfraGard Philadelphia Chapter, Philadelphia, PA (March 4, 2003)
• "HIPAA Privacy Implementation: Steps for Last 90 Days," Audio
  (January 30, 2003)
• "Protect Your Organization with Internal Policies and Procedures," Workaday HIPAA Conference, Sponsored by UCG, San Diego, CA (December 6, 2002)
• "HIPAA for New Managers, Department Heads, Supervisors and Members of HIPAA Committees," Audio Conference, Sponsored by Health Resources Publishing (November 6, 2002)
• "CIOs and the New HIPAA Privacy Rule," Audio Conference, Sponsored by HIS Insider Weekly, Washington, D.C. (October 2, 2002)
• "HIPAA for Heath Care Vendors," Audio Conference, Sponsored by Health Resources Publishing, Washington, D.C. (September 12, 2002)
• "Contracting and Negotiating for Health Care Information Systems," TEPR 2002, Seattle, WA (May 14, 2002)
• "The New Privacy NPRM: An Authoritative Analysis," Audio Conference, Sponsored by Phoenix Health Systems (April 9, 2002)
• "HIPAA Overview - Solutions to the HIPAA Deadline Challenge," 6th Annual Compliance Strategies Conference, Las Vegas, NV (March 13, 2002)
• "Complying with HIPAA Deadlines," HIMSS 2002, Atlanta, GA (January 31, 2002)
• "The Final Privacy Regulations — What Are They and How Do You Comply," HIPAA 101 Conference, Pittsburgh, PA (December 14, 2001)
• "Preparing & Implementing Patient Privacy Requirements for HIPAA – Patient Consents & Authorizations," Audio Conference, Sponsored by Temple University School of Pharmacy, MediMedia Managed Care and Abbott Laboratories (November 14, 2001)
• "What If You Don’t Meet the Deadlines," The Third National HIPAA Summit, Washington, D.C. (October 26, 2001)
• "Legally HIPAA! A Summer Audio Conference Series," Washington, D.C., Handling Consents and Authorizations (June 20, 2001); Handling Chain of Trust & Business Associate Agreements (July 18, 2001); Developing Privacy/Security Policies and Procedures (August 22, 2001)
• "HIPAA Update and the Privacy Standards," Maryland Society of Healthcare Information Systems Management, Baltimore, MD (May 2001)
• "Successful Health Care Information System Planning and Contracting," ACHE 2001 Congress, Chicago, IL (March 2001)
• "RFP Development and HIS Contract Negotiations Under HIPAA," HIMSS 2001, New Orleans, LA (February 2001)
• "HIPAA Update – Making Sense Out of the Final HIPAA Privacy Regulations," HIMSS 2001, New Orleans, LA (February 2001)
• "HIPAA Compliance Issues," Straight Talk on HIPAA Conference, Washington, D.C. (July 2000)
• "Nuts and Bolts of HIS Vendor/Product Evaluations and Contract Negotiations," HIMSS 2000, Dallas, TX (April 2000)
• "Advanced Health Care Information Systems Licensing Issues," American Health Lawyers Association, Chicago, IL (May 1999)
• "Nuts and Bolts of RFP Development and HIS Contract Negotiations," HIMSS 1999, Atlanta, GA (February 1999) (with William J. Gillespie and Deborah Kohn)
• "Merger Mania CPR Contract Issues," Straight Talk on the Computerized Patient Record Conference, Fort Lauderdale, FL (January 1999)