Erin F. Dunlap

*Admitted in Missouri and Illinois

Email Erin |  314-255-5988 | V-Card

Erin regularly advises clients working in the health care industry on data privacy and security matters and compliance with HIPAA, 42 CFR Part 2, patient access laws, the ONC’s Information Blocking Rule; and state consumer privacy and breach notification laws.

As a former litigator who successfully represented clients in federal and state courts and before arbitrators, government agencies and licensing boards, Erin is particularly well-equipped to lead clients through privacy and security-related investigations. She regularly works with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), state Attorneys General and state agencies in resolving privacy and security-related investigations (without penalty or payment) following data breaches, patient complaints and whistleblower claims.

Erin also has extensive experience developing data privacy and security policies and forms, negotiating business associate agreements and analyzing uses and disclosures of health information (including in connection with on-line tracking technologies). She regularly counsels clients through all aspects of breach investigations, including notification, risk assessments and mitigation. Erin also advises clients on de-identifying data (including through de-identification experts), responding to subpoenas and other types of requests for health information, reviewing/revising notices of privacy practices and website privacy policies, and performing data privacy and security due diligence in connection with small and large health care transactions.

Erin also works with clients in the health care industry on patient access requirements, communicating with patients/consumers and marketing campaigns including HIPAA, the Telephone Consumer Protection Act (TCPA), the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) and Section 5 of the Federal Trade Commission Act (FTC Act).

Representative Matters

  • Working with HIEs and health care providers on compliance with the ONC’s Information Blocking Rule and the CMS Interoperability and Patient Access Rule
  • Advised HIE on expanded data sharing arrangements and proposed draft legislation aimed at increasing HIE participation
  • Convinced OCR to close investigations against non-covered entities based on lack of jurisdiction
  • Advised private university on HIPAA compliance, including developing HIPAA policies and other documents for the university-sponsored group health plan
  • Helped to close several OCR investigations (without penalty or payment) against large health system
  • Advised physician office on responding to ransomware attack, including hiring/working with forensic analyst
  • Served as lead counsel in responding to (and successfully closing without penalty or payment) OCR investigation involving stolen desktop computer affecting thousands of individuals
  • Advised national health care client on privacy/security aspects of re-marketing and geo-fencing campaigns
  • Assisted academic medical center in responding to OCR investigation triggered by lost laptop; the investigation was closed without penalty or payment
  • Assisted home care/hospice client in responding to phishing attacks affecting thousands of patients, including remediation/mitigation, notification obligations and subsequent OCR investigation
  • Worked closely with statistician in preparing expert determination of de-identification to allow national health care client to report data to drug/device manufacturers
  • Served as lead counsel in responding to an OCR investigation into a national provider who experienced a coding error exposing patient data; the investigation was closed without penalty or payment
  • Advised numerous client on the use of automated telephone/texting services for appointment reminders and other care coordination activities
  • Convinced the California Department of Public Health to withdraw penalty notice and close investigation into national health care provider following theft of patient information
  • Successfully resolved investigation by state Attorney General (without penalty/payment) following the improper disposal of patient information

Awards & Recognitions

  • Chambers USA: Healthcare, Arizona (2023, 2024) 

Publications & Presentations

  • Co-author (with Kristen Rosati), “OCR “Clarifies” its Guidance on Online Tracking. Not Quite,” Coppersmith Briefs (Apr. 2, 2024)
  • Author, “Data Privacy: Change Is Coming,” InBusiness Magazine (Feb. 2023)
  • Commenter, “What the American Data Privacy and Protection Act means for Arizona Businesses,” AZ Big Media (Sep. 14, 2022)
  • Commenter, “HIPAA Safe Harbor Offers Limited But Important Protection,” Healthcare Risk Management (Mar. 1, 2022)
  • Commenter, “HIPAA Changes Coming in 2022 Might Require Policy Revisions,” Healthcare Risk Management (Dec. 1, 2021)
  • Commenter, “Lessons Learned from Overturned $4.3 Million HIPAA Penalty,” Healthcare Risk Management (Mar. 1, 2021)
  • Co-author (with Kristen Rosati and Melissa Soliz), “Proposed Changes to the HIPAA Privacy Rule: The Good, The Bad and The Ugly — an Operational Perspective,” Coppersmith Briefs (Jan. 26, 2021)
  • Co-author (with Melissa Soliz), “COVID-19 TCPA Emergency Exception for Robocalls and Texts from Health Care Providers and Government Officials,” Coppersmith Briefs (Apr. 16, 2020)
  • Co-author (with Melissa Soliz), “OCR Waives HIPAA BAA Requirements to Participate in Public Health and Health Oversight Activities,” Coppersmith Briefs (Apr. 2, 2020)
  • Co-author (with Kristen Rosati and Melissa Soliz), “Communicating with First Responders about Patient COVID-19 Status,” Coppersmith Briefs (Mar. 31, 2020)
  • Co-author (with Kristen Rosati and Melissa Soliz), “Communicating with Health Care Employees about Patient COVID-19 Status,” Coppersmith Briefs (Mar. 30, 2020)
  • Commenter, “Ongoing Noncompliance Leads to Serious Settlement for Small Clinic,” Hospital Access Management (Dec. 1, 2020) 
  • Co-presenter, “Tips for Social Media Use by Health Care Workers,” Orthopaedic Trauma Association Webinar (Feb. 2019) 
  • Co-presenter, “HIPAA Basics; Privacy and Data Breach Reporting Laws,” State Bar of Arizona Continuing Legal Education (CLE) Seminar (Sep. 2018) 
  • Co-presenter, “Substance Use Treatment: Revised Part 2 Regulations Compliance,” Strafford Webinar (Oct. 24, 2017) 
  • Co-author, “The Power of a Transparent and Broad Privacy Policy,” Polsinelli on Privacy, Privacy and Data Security Blog (May 2017)
  • Co-author, “Recent Enforcement Action: Business Associates Not Off the Hook for HIPAA Violations,” Polsinelli PC, Health Care E-Alert (Jul. 2016)
  • Commenter, “Disclosure Management in a Risky World,” For the Record Magazine, Vol. 28, No. 4, P. 22 (Apr. 2016)
  • Co-author, “Data Privacy and Security Update, 2016 Health Law and Compliance Update,” Wolters Kluwer (2016)
  • Co-author, “Don’t Fumble Your HIPAA Obligations: Ensure Your HIPAA Playbook Implements Appropriate Protections for Patients,” Polsinelli PC, Health Care E-Alert (Jul. 2015)

Activities & Memberships

  • Member, American Health Lawyers Association (AHLA) (2011 – present)
  • Member, Health Care Information and Technology Practice Group, AHLA
  • Member, Privacy and Security Compliance and Enforcement Affinity Group, AHLA


  • Geraldine Soat Brown, U.S. District Court for the Northern District of Illinois

Education & Admissions

  • J.D., Northwestern University School of Law, 2001
  • B.A., University of Notre Dame, 1997
  • Admitted in Illinois (2001)
  • Admitted in Missouri (2007)