Data Privacy & Security

Coppersmith Brockelman has a nationally recognized data privacy and security practice.  We serve a wide range of clients in the health care industry, including universities and academic medical centers, health systems and hospitals, other institutional providers, physician groups, health plans (including self-insured employer plans), health IT vendors, and other companies that provide services to the health care industry. We also provide data privacy and security advice to clients outside the health care industry, in both the nonprofit and for-profit sectors. We can help with the following areas:

HIPAA Compliance

Health care organizations and their business associates take information privacy and security very seriously. We share the same concern and authored the “HIPAA Privacy Tool Kit,” an extensive compliance manual and policies/forms for HIPAA compliance.

Over the past twenty years, we have guided hundreds of clients through complex HIPAA and other health information privacy and security compliance:

  • Drafting HIPAA compliance policies and other HIPAA-related documents (such as Notice of Privacy Practices, hybrid entity designations, and access and authorization forms) for covered entities and business associates;
  • Negotiating HIPAA business associate agreements (BAAs);
  • Structuring complex data sharing arrangements to support Accountable Care Organizations and Clinically Integrated Networks;
  • Advising clients on use of Big Data, including establishing clinical data repositories for research and data analytics, and guiding clients through de-identification of patient health information; and
  • Advising clients on participating in integrated medical records systems, where legally separate entities share the same electronic health records.

Big Data

We advise a wide range of clients on a broad variety of “Big Data” issues, including:

  • Advising clients on the appropriate use of health information for data analytics, research, quality improvement initiatives, care coordination platforms, and other uses of large, longitudinal, multi-party data sets;
  • Leveraging our relationships with statisticians and other leading experts to de-identify information and protect against re-identification of individuals; and
  • Advising clients on collaboration agreements related to sharing data in compliance with federal and state laws.

Behavioral Health Data 42 C.F.R. Part 2

We work with a wide range of clients on how to manage behavioral health information in compliance with 42 C.F.R. Part 2 (the federal Confidentiality of Substance Use Disorder Patient Record regulations) and state behavioral health privacy laws, including:

  • Mapping Part 2 data flows;
  • Drafting policies and procedures;
  • Negotiating vendor and data sharing contracts;
  • Responding to requests/demands for records, such as law enforcement and administrative requests, subpoenas, and court orders;
  • Integrating behavioral health information into electronic medical records, data exchanges, and care coordination platforms; and
  • Advising on limitations and requirements for the use and disclosure of behavioral health information.

Research (Clinical & Health Services)

We routinely work with clients on issues related to privacy and security in clinical and health-services research, including:

  • HIPAA compliance in research arrangements;
  • De-identification of health information for research, including working with statisticians to obtain statistical certification of de-identification for research data sets;
  • Genomic/genetic privacy under federal and state law, and how to integrate consent for sharing genomic information for research; and
  • Creation and use of data repositories and biobanks for research.

Data Breaches

We assist clients in preventing, assessing, and responding to security incidents and data breaches, some involving millions of individuals. Our lawyers have dealt with an incredibly wide range of incidents, from sophisticated hacking incidents to lost laptop computers to misdirected emails to the improper disposal of protected information. We regularly:

  • Oversee security risk analyses and the development of security policies;
  • Develop privacy policies and procedures to help safeguard personal information;
  • Work with forensic experts and other IT consultants to investigate and remediate breaches;
  • Assess whether disclosures of information and other security incidents are reportable breaches under HIPAA, the GDPR, and state breach-reporting laws;
  • Assist clients in complying with breach-reporting obligations, such as notifying patients or other individuals, government agencies, and the media;
  • Respond to investigations by the Office for Civil Rights (OCR), state Attorneys General, as well as other federal and state agencies; and
  • Work with clients to mitigate harm and improve their practices to prevent future breaches.

Health Information Exchanges & Networks

We work with many health information organizations (HIOs), health systems, health plans, and health care providers to create and manage health information exchanges (HIEs) and health information networks (HINs), including:

  • Drafting legislation to support health information exchanges. We helped create Arizona’s HIO, including drafting the original legislation and subsequent amendments to the HIO statute to improve health information exchange in Arizona;
  • Structuring regional and national data sharing collaborations, advising on data governance, and drafting and negotiating data regional and national data sharing agreements;
  • Advising on the integration of behavioral and physical health information;
  • Advising on the creation of patient portals and individual authentication mechanisms;
  • Advising and commenting on the development of the Trusted Exchange Framework and Common Agreement (TEFCA); and
  • Working on compliance with the information blocking rule, as it applies to HIEs and HINs.

State Privacy Law Compliance

We help clients comply with the ever-expanding number of state privacy laws. That includes breach-reporting laws, laws protecting sensitive data, and comprehensive privacy laws like the California Consumer Privacy Act (CCPA). Our work in this area includes:

  • Developing privacy policies and notices, including website privacy policies, information-collection notices, opt-out notices, and notices of financial incentives;
  • Assisting clients in responding to individual requests under state privacy laws, such as requests for access, requests for disclosure, and requests for deletion; and
  • Assessing whether disclosures of information and other security incidents are reportable breaches under state breach-reporting laws and assisting clients in meeting their breach-reporting obligations.

Artificial Intelligence

We advise on the data privacy and security issues involved in artificial intelligence (AI) deals, including the structure of AI development deals as research/R&D projects, data governance over who has access to what data during the development and implementation of AI in clinical environments, recommended data safeguards, and contractual restrictions on data use and downstream data disclosure.

Digital Health

We advise health IT companies developing digital health products, including mobile apps, and health systems and academic medical centers on the following issues:

  • Data strategy, including ensuring broad data use for company product development and potential commercialization of data as a revenue source;
  • Negotiating collaboration and others to support the development of AI and other digital health tools;
  • Negotiating license agreements for secondary use of data, including from product, research, and other registries and third-party databases;
  • Compliance with HIPAA business associate requirements, including policy development, HIPAA security risk assessments, and readiness for Office for Civil Rights audits and investigations;
  • Contracting with the users of digital health products, including HIPAA business associate agreements;
  • Advising on GDPR and state-specific privacy requirements for digital health;
  • Advising on TCPA compliance and handling TCPA litigation; and
  • Providing advice on privacy policies and website terms of use.

European Union General Data Protection Regulation (GDPR)

We advise clients in the United States about when the GDPR applies to their organizations, and guide clients through necessary compliance activities, including:

  • Working with consultants to chart personal data flows and processing arrangements;
  • Supervising GDPR readiness assessments;
  • Developing GDPR-compliant policies;
  • Negotiating data processing agreements to support data exchange with European data sources;
  • Advising on GDPR research requirements, including de-identification of personal data and implementing of the GDPR research rules and exceptions; and
  • Advising on individuals’ rights under the GDPR.


We assist with telemedicine program development and implementation, including providing guidance regarding physician licensure issues, remote prescribing, privacy and security, fraud and abuse in the context of telemedicine arrangements, and navigating complex reimbursement rules for telemedicine encounters. We also have expertise with the unique state law issues that arise with a multi-state telemedicine practice.

Family Educational Rights & Privacy Act (FERPA)

FERPA protects certain educational records. We advise our clients on how to use and disclose educational records in compliance with FERPA for public service projects and big data arrangements. We also advise on how FERPA interacts with other state and federal privacy laws, like HIPAA and 42 C.F.R. Part 2.

Telephone Consumer Protection Act (TCPA)

We work with our health care clients on determining whether the TCPA applies to their activities, how to structure these activities in compliance with the TCPA and Federal Communications Commission (FCC) regulatory guidance, including the exemption for health care communications. Our litigation group also has extensive experience defending health care clients against TCPA claims.


Erin Dunlap
Email Erin | 314-255-5988

Katherine Hyde
Email Katherine | 602-381-5471

Kristen Rosati
Email Kristen | 602-381-5464

Melissa Soliz
Email Melissa | 602-381-5484

Marki Stewart
Email Marki | 602-381-5496

Ben Yeager
Email Ben | 602-381-5489