Erin F. Dunlap

Email Erin |  314-255-5988
*Affiliated with Coppersmith Brockelman PLC on designated matters; admitted in Missouri and Illinois

Erin advises clients working in the health care industry on regulatory and compliance matters, focusing primarily on data privacy and security issues arising under:

  • The Health Insurance Portability and Accountability Act and its implementing regulations (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH);
  • The Federal Regulations Governing the Confidentiality of Substance Use Disorder Patient Records (42 CFRPart 2); and
  • State privacy and breach notification laws.

As a former litigator who successfully represented clients in federal and state courts and before arbitrators, federal and state agencies and state licensing boards, Erin is particularly well-equipped to lead clients through privacy and security-related investigations.  She regularly works with the Department of Health and Human Services, Office for Civil Rights (OCR), state Attorneys General and state agencies in resolving privacy and security-related investigations (without penalty or payment) following data breaches, patient complaints and whistleblower claims.

Erin also has extensive experience developing privacy and security policies and template forms, negotiating business associate agreements, assisting clients through privacy and security audits, analyzing impermissible uses and disclosures, preparing written risk assessments and breach notification letters, working with de-identification experts, responding to subpoenas and other types of requests for health information, drafting notices of privacy practices, reviewing/revising website privacy policies, working with and drafting proposed legislation for health information exchanges, and performing data privacy and security due diligence in connection with small and large health care transactions.

Erin also advises clients on communicating with patients/consumers and marketing campaigns under state and federal laws, including HIPAA, the Telephone Consumer Protection Act (TCPA), Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) and Section 5 of the Federal Trade Commission Act (FTC Act).

Representative Matters

  • Worked with health information exchange (HIE) to expand data sharing/analytics arrangements to draft propose draft legislation
  • Convinced OCR to close investigations against non-covered entities based on lack of jurisdiction
  • Advised private university on HIPAA compliance, including developing HIPAA policies and other documents for the university-sponsored group health plan
  • Helped to close several OCR investigations (without penalty or payment) against large health system
  • Advised physician office on responding to ransomware attack, including hiring/working with forensic analyst
  • Served as lead counsel in responding to (and successfully closing without penalty or payment) OCR investigation involving stolen desktop computer affecting thousands of individuals
  • Advised national health care client on privacy/security aspects of re-marketing and geo-fencing campaigns
  • Assisted academic medical center in responding to OCR investigation triggered by lost laptop; the investigation was closed without penalty or payment
  • Assisted home care/hospice client in responding to phishing attacks affecting thousands of patients, including remediation/mitigation, notification obligations and subsequent OCR investigation
  • Worked closely with statistician in preparing expert determination of de-identification to allow national health care client to report data to drug/device manufacturers
  • Served as lead counsel in responding to an OCR investigation into a national provider who experienced a coding error exposing patient data; the investigation was closed without penalty or payment
  • Advised numerous client on the use of automated telephone/texting services for appointment reminders and other care coordination activities
  • Convinced the California Department of Public Health to withdraw penalty notice and close investigation into national health care provider following theft of patient information
  • Successfully resolved investigation by state Attorney General (without penalty/payment) following the improper disposal of patient information

Publications & Presentations

  • Co-presenter (with Melissa Soliz), “Access to Health Care Records for Workers Compensation Purposes,” State Bar of Arizona (Sept. 2019)
  • Co-panelist (with Jill Chasson, Ryan Flannagan and Samir Mehta, M.D.), “How to Use Social Media and Not Get into Trouble,” Orthopaedic Trauma Association webinar (Feb. 2019)
  • Co-presenter (with Scott Bennett, Melissa Soliz, and Dave Kinsey), “Health Care Data for Lawyers,” State Bar of Arizona (Sept. 2018)
  • Co-panelist (with Melissa Soliz & Chase Millea), “Substance Use Treatment: Revised Part 2 Regulations Compliance,” Strafford Publications webinar (Oct. 2017)
  • Co-author, “The Power of a Transparent and Broad Privacy Policy,” Polsinelli on Privacy, Privacy and Data Security Blog (May 2017)
  • Co-presenter, “How to Navigate and Survive a Mega Breach,” HCCA’s 21st Annual Compliance Institute (National Harbor, MD, Mar. 2017)
  • Co-presenter, “Cybersecurity and HIPAA Compliance,” LockPath Ready Summit (Oct. 2016)
  • Co-presenter, “HIPAA Audits are Here to Stay-Key Preparation Strategies,” Polsinelli PC 2016 Health Care Webinar Series (Aug. 2016)
  • Co-author, “Recent Enforcement Action: Business Associates Not Off the Hook for HIPAA Violations,” Polsinelli PC, Health Care E-Alert (Jul. 2016)
  • Comment, “Disclosure Management in a Risky World,” For the Record Magazine, Vol. 28, No. 4, P. 22 (Apr. 2016)
  • Co-presenter, “Navigating a Breach Incident at the Business Associate Level: Reporting, Investigation and Mitigation Strategies,” American Health Lawyers Association, 2016 Webinar Series (Feb. 2016)
  • Co-author, “Data Privacy and Security Update, 2016 Health Law and Compliance Update,” Wolters Kluwer (2016)
  • Co-presenter, “Preparing for a Data Breach and the Need for Cyber Liability Insurance,” Polsinelli PC 2015 Health Care Webinar Series (Aug. 2015)
  • Co-author, “Don’t Fumble Your HIPAA Obligations: Ensure Your HIPAA Playbook Implements Appropriate Protections for Patients,” Polsinelli PC, Health Care E-Alert (Jul. 2015)

Activities & Memberships

  • Member, American Health Lawyers Association (AHLA) (2011 – present)
  • Member, Health Care Information and Technology Practice Group, AHLA
  • Member, Privacy and Security Compliance and Enforcement Affinity Group, AHLA


  • Geraldine Soat Brown, U.S. District Court for the Northern District of Illinois

Education & Admissions

  • J.D., Northwestern University School of Law, 2001
  • B,A., University of Notre Dame, 1997
  • Admitted in Illinois (2001)
  • Admitted in Missouri (2007)