For more than 15 years, Jo-Ellyn Sakowitz Klein has focused on cybersecurity, privacy and data security matters for clients. She leads the firm’s interdisciplinary cybersecurity, privacy and data protection initiative. She handles privacy, data security, data breach preparedness and data breach response matters for clients across many industries, with a special emphasis on the health sector.
Practice & Background
Ms. Klein devotes a substantial portion of her practice to assisting clients from across the spectrum with issues arising under state and federal privacy, data security and data breach notification laws and regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA); the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH); the Gramm-Leach-Bliley Act (GLB); and a multitude of state privacy, data security and data breach notification laws.
Ms. Klein has examined cybersecurity, privacy and data security issues arising in settings ranging from hospitals to clinical research to professional sports to investment firms. She regularly assists clients in their efforts to comply with applicable cybersecurity, privacy and data security laws, especially in the health sector. She has handled data breach responses for clients including academic medical centers, health plans and investment firms. Ms. Klein has assisted clients from start-up ventures to institutional clients in structuring relationships and drafting contracts that address cybersecurity, privacy and data security issues. She has led the privacy team working on major transactions involving the transfer of customer or patient data.
Ms. Klein’s experience includes:
- drafting and negotiating agreements that address cybersecurity, privacy and data security issues, including services agreements, confidentiality agreements, personal information security agreements, and HIPAA business associate and data use agreements
- helping clients prepare for, and respond to, data breaches, including developing data breach response plans, evaluating whether breach notification requirements under state and federal law have been triggered, preparing breach notices for affected individuals and preparing breach notices and reports for regulatory authorities
- assisting clients facing allegations raised by individuals in HIPAA complaints filed with federal regulators
- developing HIPAA and HITECH compliance tools for clients ranging from health care providers to health software vendors to health plans, including privacy policies and procedures, employee training programs, vendor contracting forms, authorization forms, privacy notices and other materials
- assisting clients, including those that are not mainstream health industry participants, in determining the extent to which they must comply with HIPAA and HITECH
- assisting clients with regulatory compliance questions arising in the course of their day-to-day operations under federal regulations, such as HIPAA and HITECH, as well as under state privacy and data security regimes (including the California Confidentiality of Medical Information Act (CMIA) and Massachusetts Standards for the Protection of Personal Information)
- advising clients on health information privacy issues relating to innovations in technology and payment models, such as mobile health (mHealth) solutions and movement toward Accountable Care Organizations (ACOs) under health reform
- working with clients within the health sector and beyond to identify risks relating to potential Federal Trade Commission (FTC) enforcement activity, including evaluating whether an entity needs to comply with the FTC’s Red Flags Rule and addressing issues relating to personal health records (PHRs), as well as assisting with issues arising under Section 5 of the FTC Act
- conducting cybersecurity, privacy and data protection due diligence in connection with merger and acquisition transactions and drafting terms for deal documents that address cybersecurity, privacy and data security concerns.
Awards & Accolades
- Certified Information Privacy Professional/United States (CIPP/US), International Association of Privacy Professionals, 2014
- “Cybersecurity: Risks and Best Practices for Medical Device Makers,” MDMA Webcast (March 25, 2015)
- “The Cybersecurity Pandemic,” a panel discussion involving a comprehensive look at navigating enterprise risk management, data breach response and multi-regulatory compliance (February 19, 2015)
- “Responding to a Cybersecurity Breach” at Akin Gump’s The Cybersecurity Pandemic program (November 5, 2014)
- “Business Associates Under the Final Rule: Definitions, Contracts, Obligations and Liabilities,” American Conference Institute’s 3rd Annual Health Care Privacy and Security Forum (May 22, 2013)
- “Business Associates Under HIPAA and HITECH: Present and Anticipated Definitions, Contracts, Obligations and Liabilities,” American Conference Institute’s 2nd Annual Health Care Privacy and Security Forum (December 6, 2012)
- “Privacy and Data Protection Requirements: What You Need to Know,” Akin Gump Fort Worth CLE Program (April 26, 2012)
- “(Re)Insurance Industry Outlook 2012: Data Privacy, Cyber Policies and Regulatory Confidentiality,” HB Litigation Conferences (March 28, 2012)
- “Privacy and Data Protection Legislation: the Risks and What Corporate Counsel Need to Know,” Akin Gump CLE Program (October 5, 2011)
- “From the FTC to HHS: Making Sense of Recent Enforcement Activity,” International Association of Privacy Professionals KnowledgeNet (September 27, 2011)
- “Critical Developments in Social Media Law,” Northern Virginia Technology Institute (May 26, 2011)
- “Comprehensive Federal Privacy Legislation: Implications and Concerns for Business and Institutions,” West LegalEdcenter webcast (July 22, 2010)
- “HIPAA in a HITECH World/Keys to Compliance in the New Era,” National Constitution Conferences CLE webcast (October 6, 2010)
- “Facebook and Twitter: Legal Liabilities and HIPAA Compliance in Healthcare,” Progressive (February 23, 2011 and March 25, 2010)
- “From HIPAA to ARRA and Beyond: Making Sense of Health Information Privacy and Security Requirements for Community Health Centers,” Texas Association of Community Health Centers’ 26th Annual Conference, Dallas (November 2, 2009)
- “Social Networking and Healthcare Providers: Understanding the Risks,” Strafford Publications (October 22, 2009)
- “New Red Flags Rules for Healthcare Providers: Are You Ready?” Strafford Publications (June 24, 2009 and October 7, 2009)
- “FTC Red Flags Rule/Compliance Tips for Healthcare Providers,” Strafford Publications (October 7, 2009).