Erin F. Dunlap

*Admitted in Missouri and Illinois

Email Erin |  314-255-5988

Erin regularly advises clients working in the health care industry on compliance with data privacy, security and patient access laws, including HIPAA, 42 CFR Part 2, the ONC’s Information Blocking Rule and CMS’ Interoperability and Patient Access Rule; and state privacy and breach notification laws.

As a former litigator who successfully represented clients in federal and state courts and before arbitrators, government agencies and licensing boards, Erin is particularly well-equipped to lead clients through privacy and security-related investigations.  She regularly works with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), state Attorneys General and state agencies in resolving privacy and security-related investigations (without penalty or payment) following data breaches, patient complaints and whistleblower claims.

Erin also has extensive experience developing privacy and security policies and forms, negotiating business associate agreements, analyzing uses and disclosures of health information, preparing risk assessments, advising clients through all aspects of breach notification, advising on how to de-identify data and working with de-identification experts, responding to subpoenas and other types of requests for health information, drafting notices of privacy practices, reviewing/revising website privacy policies, advising health information exchanges (HIEs), and performing data privacy and security due diligence in connection with small and large health care transactions.

Erin also advises clients working in the health care industry on communicating with patients/consumers and marketing campaigns under state and federal laws, including HIPAA, the Telephone Consumer Protection Act (TCPA), Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) and Section 5 of the Federal Trade Commission Act (FTC Act).

Representative Matters

  • Working with HIEs and health care providers on compliance with the ONC’s Information Blocking Rule and the CMS Interoperability and Patient Access Rule
  • Advised HIE on expanded data sharing arrangements and proposed draft legislation aimed at increasing HIE participation
  • Convinced OCR to close investigations against non-covered entities based on lack of jurisdiction
  • Advised private university on HIPAA compliance, including developing HIPAA policies and other documents for the university-sponsored group health plan
  • Helped to close several OCR investigations (without penalty or payment) against large health system
  • Advised physician office on responding to ransomware attack, including hiring/working with forensic analyst
  • Served as lead counsel in responding to (and successfully closing without penalty or payment) OCR investigation involving stolen desktop computer affecting thousands of individuals
  • Advised national health care client on privacy/security aspects of re-marketing and geo-fencing campaigns
  • Assisted academic medical center in responding to OCR investigation triggered by lost laptop; the investigation was closed without penalty or payment
  • Assisted home care/hospice client in responding to phishing attacks affecting thousands of patients, including remediation/mitigation, notification obligations and subsequent OCR investigation
  • Worked closely with statistician in preparing expert determination of de-identification to allow national health care client to report data to drug/device manufacturers
  • Served as lead counsel in responding to an OCR investigation into a national provider who experienced a coding error exposing patient data; the investigation was closed without penalty or payment
  • Advised numerous client on the use of automated telephone/texting services for appointment reminders and other care coordination activities
  • Convinced the California Department of Public Health to withdraw penalty notice and close investigation into national health care provider following theft of patient information
  • Successfully resolved investigation by state Attorney General (without penalty/payment) following the improper disposal of patient information

Publications & Presentations

  • Contributor, Year in Review Developments, American Health Law Association, AHLA Physicians and Hospital Law Institute Feb. 2021; AHLA Annual Meeting June 2021
  • Co-presenter (with Melissa Soliz), “Breaking it Down: Information Blocking and CMS CoP Alerts for Hospitals,” Webinar Co-hosted by LACIE, MHC, Tiger Institute (Aug. 2020)
  • Co-presenter (with Melissa Soliz), “Access to Health Care Records for Workers Compensation Purposes,” State Bar of Arizona (Sept. 2019)
  • Co-panelist (with Jill Chasson, Ryan Flannagan and Samir Mehta, M.D.), “How to Use Social Media and Not Get into Trouble,” Orthopaedic Trauma Association webinar (Feb. 2019)
  • Co-presenter (with Scott Bennett, Melissa Soliz, and Dave Kinsey), “Health Care Data for Lawyers,” State Bar of Arizona (Sept. 2018)
  • Co-panelist (with Melissa Soliz & Chase Millea), “Substance Use Treatment: Revised Part 2 Regulations Compliance,” Strafford Publications webinar (Oct. 2017)
  • Co-author, “The Power of a Transparent and Broad Privacy Policy,” Polsinelli on Privacy, Privacy and Data Security Blog (May 2017)
  • Co-presenter, “How to Navigate and Survive a Mega Breach,” HCCA’s 21st Annual Compliance Institute (National Harbor, MD, Mar. 2017)
  • Co-presenter, “Cybersecurity and HIPAA Compliance,” LockPath Ready Summit (Oct. 2016)
  • Co-presenter, “HIPAA Audits are Here to Stay-Key Preparation Strategies,” Polsinelli PC 2016 Health Care Webinar Series (Aug. 2016)
  • Co-author, “Recent Enforcement Action: Business Associates Not Off the Hook for HIPAA Violations,” Polsinelli PC, Health Care E-Alert (Jul. 2016)
  • Comment, “Disclosure Management in a Risky World,” For the Record Magazine, Vol. 28, No. 4, P. 22 (Apr. 2016)
  • Co-presenter, “Navigating a Breach Incident at the Business Associate Level: Reporting, Investigation and Mitigation Strategies,” American Health Lawyers Association, 2016 Webinar Series (Feb. 2016)
  • Co-author, “Data Privacy and Security Update, 2016 Health Law and Compliance Update,” Wolters Kluwer (2016)
  • Co-presenter, “Preparing for a Data Breach and the Need for Cyber Liability Insurance,” Polsinelli PC 2015 Health Care Webinar Series (Aug. 2015)
  • Co-author, “Don’t Fumble Your HIPAA Obligations: Ensure Your HIPAA Playbook Implements Appropriate Protections for Patients,” Polsinelli PC, Health Care E-Alert (Jul. 2015)

Activities & Memberships

  • Member, American Health Lawyers Association (AHLA) (2011 – present)
  • Member, Health Care Information and Technology Practice Group, AHLA
  • Member, Privacy and Security Compliance and Enforcement Affinity Group, AHLA


  • Geraldine Soat Brown, U.S. District Court for the Northern District of Illinois

Education & Admissions

  • J.D., Northwestern University School of Law, 2001
  • B.A., University of Notre Dame, 1997
  • Admitted in Illinois (2001)
  • Admitted in Missouri (2007)