Erin Fleming Dunlap

*Admitted in Missouri and Illinois

314-255-5988

Erin regularly advises clients working in the health care industry on data privacy and security matters and compliance with HIPAA, 42 CFR Part 2, patient access laws, the ONC’s Information Blocking Rule, and state consumer data privacy and breach notification laws.

As a former litigator who successfully represented clients in federal and state courts and before arbitrators, government agencies and licensing boards, Erin is particularly well-equipped to lead clients through privacy and security-related investigations. She regularly works with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), state Attorneys General and state agencies in resolving privacy and security-related investigations (without penalty or payment) following data breaches, patient complaints and whistleblower claims.

Erin also has extensive experience developing data privacy and security policies and forms, negotiating business associate agreements and analyzing uses and disclosures of health information (including in connection with online tracking technologies). She counsels clients through all aspects of breach investigations, including forensic analysis, compromised data evaluation, risk assessments, notification and mitigation. Erin also advises clients on security risk analysis, de-identifying data (including through de-identification experts), responding to access requests, subpoenas and other types of requests for health information, reviewing/revising notices of privacy practices and website privacy policies, and performing data privacy and security due diligence in connection with small and large health care transactions.

Erin works with clients in the health care industry on communication and marketing campaigns under HIPAA, the Telephone Consumer Protection Act (TCPA), the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) and Section 5 of the Federal Trade Commission Act (FTC Act).

Representative Matters

  • Advised national occupational health/primary care provider on compliance with state consumer data privacy laws
  • Helped large health system on revisions to policies and procedures under amendments to 42 CFR Part 2
  • Worked with various health care clients on reproductive health care privacy matters
  • Negotiate non-disclosure and business associate agreements for software/artificial intelligence (AI) companies working in the health care industry
  • Hired consultants to perform risk analyses for clients under attorney-client privilege and advised clients on preparing corresponding risk management plans
  • Served as lead counsel on complicated OCR investigation against large health system relating to disposal of records, obtaining closure without payment or corrective action plan
  • Convinced OCR to close investigations against entities not subject to HIPAA based on lack of jurisdiction
  • Advised private university on HIPAA compliance, including developing HIPAA policies and other documents for the university-sponsored group health plan
  • Advised physician office on responding to ransomware attack, including hiring/working with forensic analyst
  • Served as lead counsel in responding to (and successfully closing without penalty or payment) OCR investigation involving stolen desktop computer affecting thousands of individuals
  • Advised national health care client on privacy/security aspects of re-marketing and geo-fencing campaigns
  • Assisted academic medical center in responding to OCR investigation triggered by lost laptop; the investigation was closed without penalty or payment
  • Assisted home care/hospice client in responding to phishing attacks affecting thousands of patients, including remediation/mitigation, notification obligations and subsequent OCR investigation
  • Worked closely with statistician in preparing expert determination of de-identification to allow national health care client to report data to drug/device manufacturers
  • Served as lead counsel in responding to an OCR investigation into a national provider who experienced a coding error exposing patient data; the investigation was closed without penalty or payment
  • Advised numerous clients on the use of automated telephone/texting services for appointment reminders and other care coordination activities
  • Convinced the California Department of Public Health to withdraw penalty notice and close investigation into national health care provider following theft of patient information
  • Successfully resolved investigation by state Attorney General (without penalty/payment) following the improper disposal of patient information

Awards & Recognitions

  • Chambers USA: Healthcare, Arizona (2023 – present)
  • The Best Lawyers in America©: Administrative / Regulatory Law (2026)

Publications & Presentations

  • Co-commenter (with Kristen Rosati), “OCR’s Update on Online Tracking Guidance Still Tricky,” Healthcare Risk Management (June 1, 2024)
  • Co-commenter (with Kristen Rosati), “Steps to Take in Response to OCR Guidance on Online Tracking,” Healthcare Risk Management (June 1, 2024)
  • Co-author (with Kristen Rosati), “OCR ‘Clarifies’ its Guidance on Online Tracking. Not Quite,” Coppersmith Briefs (Apr. 2, 2024)
  • Commenter, “First HIPAA Settlement for Ransomware, Fine for Phishing,” Healthcare Risk Management (March 1, 2024)
  • Author, “Data Privacy: Change Is Coming,” InBusiness Magazine (Feb. 2023)
  • Commenter, “What the American Data Privacy and Protection Act means for Arizona Businesses,” AZ Big Media (Sep. 14, 2022)
  • Commenter, “HIPAA Safe Harbor Offers Limited But Important Protection,” Healthcare Risk Management (Mar. 1, 2022)
  • Commenter, “HIPAA Changes Coming in 2022 Might Require Policy Revisions,” Healthcare Risk Management (Dec. 1, 2021)
  • Commenter, “Lessons Learned from Overturned $4.3 Million HIPAA Penalty,” Healthcare Risk Management (Mar. 1, 2021)
  • Co-author (with Kristen Rosati and Melissa Soliz), “Proposed Changes to the HIPAA Privacy Rule: The Good, The Bad and The Ugly — an Operational Perspective,” Coppersmith Briefs (Jan. 26, 2021)
  • Co-author (with Melissa Soliz), “COVID-19 TCPA Emergency Exception for Robocalls and Texts from Health Care Providers and Government Officials,” Coppersmith Briefs (Apr. 16, 2020)
  • Co-author (with Melissa Soliz), “OCR Waives HIPAA BAA Requirements to Participate in Public Health and Health Oversight Activities,” Coppersmith Briefs (Apr. 2, 2020)
  • Co-author (with Kristen Rosati and Melissa Soliz), “Communicating with First Responders about Patient COVID-19 Status,” Coppersmith Briefs (Mar. 31, 2020)
  • Co-author (with Kristen Rosati and Melissa Soliz), “Communicating with Health Care Employees about Patient COVID-19 Status,” Coppersmith Briefs (Mar. 30, 2020)
  • Commenter, “Ongoing Noncompliance Leads to Serious Settlement for Small Clinic,” Hospital Access Management (Dec. 1, 2020) 
  • Co-presenter, “Tips for Social Media Use by Health Care Workers,” Orthopaedic Trauma Association Webinar (Feb. 2019) 
  • Co-presenter, “HIPAA Basics; Privacy and Data Breach Reporting Laws,” State Bar of Arizona Continuing Legal Education (CLE) Seminar (Sep. 2018) 
  • Co-presenter, “Substance Use Treatment: Revised Part 2 Regulations Compliance,” Strafford Webinar (Oct. 24, 2017) 
  • Co-author, “The Power of a Transparent and Broad Privacy Policy,” Polsinelli on Privacy, Privacy and Data Security Blog (May 2017)
  • Co-author, “Recent Enforcement Action: Business Associates Not Off the Hook for HIPAA Violations,” Polsinelli PC, Health Care E-Alert (Jul. 2016)
  • Commenter, “Disclosure Management in a Risky World,” For the Record Magazine, Vol. 28, No. 4, P. 22 (Apr. 2016)
  • Co-author, “Data Privacy and Security Update, 2016 Health Law and Compliance Update,” Wolters Kluwer (2016)
  • Co-author, “Don’t Fumble Your HIPAA Obligations: Ensure Your HIPAA Playbook Implements Appropriate Protections for Patients,” Polsinelli PC, Health Care E-Alert (Jul. 2015)

Activities & Memberships

  • Board Member, The Fleming Family Foundation (2025)
  • Member, American Health Lawyers Association (AHLA) (2011 – present)
  • Member, Health Care Information and Technology Practice Group, AHLA
  • Member, Privacy and Security Compliance and Enforcement Affinity Group, AHLA

Clerkships

  • Geraldine Soat Brown, U.S. District Court for the Northern District of Illinois

Education & Admissions

  • J.D., Northwestern University School of Law, 2001
  • B.A., University of Notre Dame, 1997
  • Admitted in Illinois (2001)
  • Admitted in Missouri (2007)
