More than 20 years of experience counseling clients on complex privacy and data security matters.
Broad-based knowledge, including special emphasis on the health sector.

Jo-Ellyn is a leading practitioner on privacy & data protection matters. She was recognized by The Legal 500 US in the cyber law (including privacy & data protection) category from 2019 through 2023. She has focused on privacy & data protection law for more than 20 years, with an emphasis on health information.

Jo-Ellyn devotes a substantial portion of her practice to assisting clients with issues arising under state and federal privacy, security and data breach notification laws and regulations. She assists clients with matters concerning the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), Section 5 of the Federal Trade Commission Act and myriad state privacy, security and breach notification laws, as well as adjacent regulatory regimes such as the ONC Information Blocking rule. She advises clients on navigating the intersection between federal privacy and data protection laws and state regimes such as the California Consumer Privacy Act (CCPA) and the California Confidentiality of Medical Information Act (CMIA).

Jo-Ellyn has examined privacy and data protection issues arising in settings ranging from hospitals to professional sports, to the medical device industry to the technology sector. She assists clients with compliance activities, data breach preparedness and response efforts, complex agreements and litigation. She regularly assists clients in efforts to comply, in a harmonized manner, with an array of applicable privacy and information security laws and contractual obligations.

Jo-Ellyn is a Certified Information Privacy Professional/United States (CIPP/US, International Association of Privacy Professionals).

Representative Work

Represented clients in HIPAA investigations undertaken by governmental authorities. Secured formal complaint closure letters from the U.S. Department of Health and Human Services (HHS), Office for Civil Rights, in investigations initiated against a medical device company and medical center clients.
Guided digital health clients in developing unique solutions to address challenges presented by a range of privacy and information security laws. Led the team responsible for addressing privacy issues relating to the first digital pill product approved by the Food and Drug Administration (FDA).
Helped clients—such as academic medical centers, medical device companies, health plans and investment firms—prepare for and respond to data breaches. This included developing data breach response plans, evaluating whether breach notification requirements under state and federal law have been triggered, preparing breach notices for affected individuals and preparing breach notices and reports for regulatory authorities.
Led privacy and cybersecurity diligence efforts in major transactions and has advised on privacy and cybersecurity terms in deal documents.
Drafted and negotiated complex agreements that address privacy and data security issues, including services agreements, confidentiality agreements, personal information security agreements, and HIPAA business associate and data use agreements.

Assisted clients in managing privacy and cybersecurity issues arising in the course of bankruptcy proceedings and related sales.
Assisted clients facing allegations raised by individuals in HIPAA complaints filed with federal regulators.
Developed privacy and information security compliance tools for clients ranging from health care providers to medical device companies to health plans, including privacy policies and procedures, employee training programs, vendor contracting forms, authorization forms, privacy notices and other materials.
Assisted clients, including those that are not mainstream health industry participants, in determining the extent to which they must comply with HIPAA and HITECH.

Education
J.D., Georgetown University Law Center, 1998
A.B., Duke University, 1994
Certificate, Duke University, 1994

Bar Admissions
District of Columbia
Virginia

Recognitions

The Legal 500 US, cyber law (including data privacy and data protection), 2019 to 2023.

Affiliations and Public Service

CIPP/US, International Association of Privacy Professionals, 2014.

Speeches and Publications

“HIPAA and Beyond: Health Information Privacy Updates,” Strafford webinar (May 16, 2023).
“HIPAA’s Right of Access: Compliance Challenges, OCR Enforcement and Best Practices,” Strafford webinar (June 22, 2022).
"HIPAA Privacy Rule Proposed Changes: Hot Topics,” Strafford webinar (February 28, 2022).
Data Privacy Regulations and Trends,” National Society of Compliance Professionals National Conference, Washington, D.C. (November 8, 2021).
“Complying with HIPAA, Privacy Laws and Exceptions During a Pandemic Health Crisis,” Strafford webinar (November 24, 2020).
“Interoperability & Information Blocking: What Providers Need to Know,” Akin Gump webinar (October 1, 2020).
“Buying a Breach: HIPAA Best Practices in M&A,” 2nd Annual HIPAA Privacy and Security Summit hosted by Delaware Law School and First Healthcare Compliance (November 14, 2019).
“The Telephone Consumer Protection Act (TCPA),” Akin Gump webinar (May 29, 2019).
“Incident Response and Crisis Management” and “State & International Compliance Overview,” Akin Gump’s Cybersecurity Bootcamp (New York, NY, December 5, 2018).
Akin Gump’s Spring Cybersecurity Boot Camp, panelist (Dallas, TX, March 2, 2018).
“Hot Topics in U.S. Privacy and Data Security,” ACC NCR Legal Brief (Washington, D.C., September 19, 2017).
“HIPAA’s Global Impact,” Federal Publications Seminars webinar (November 5, 2015).
“Cybersecurity: Risks and Best Practices for Medical Device Makers,” Medical Device Manufacturers Association (MDMA) Executive Forum (Palo Alto, CA, September 25, 2015).
“Avoiding HIPAA Traps – What Contractors Need to Know,” Federal Publications Seminars webinar (August 27, 2015).
“The Cybersecurity Pandemic,” Akin Gump seminar (Houston, TX, April 29, 2015).
“Cybersecurity: Risks and Best Practices for Medical Device Makers,” MDMA webcast (March 25, 2015).
“The Cybersecurity Pandemic,” panelist, Akin Gump seminar (February 19, 2015).
“Responding to a Cybersecurity Breach,” The Akin Gump Cybersecurity Pandemic Program (November 5, 2014).
“Business Associates Under the Final Rule: Definitions, Contracts, Obligations and Liabilities,” American Conference Institute’s 3rd Annual Health Care Privacy and Security Forum (New York, NY, May 22, 2013).
“Business Associates Under HIPAA and HITECH: Present and Anticipated Definitions, Contracts, Obligations and Liabilities,” American Conference Institute’s 2nd Annual Health Care Privacy and Security Forum (Philadelphia, PA, December 6, 2012).
“Privacy and Data Protection Requirements: What You Need to Know,” Akin Gump Fort Worth CLE Program (Fort Worth, TX, April 26, 2012).
“(Re)Insurance Industry Outlook 2012: Data Privacy, Cyber Policies and Regulatory Confidentiality,” HB Litigation Conferences (March 28, 2012).
“Privacy and Data Protection Legislation: the Risks and What Corporate Counsel Need to Know,” Akin Gump CLE Program (Washington, D.C., October 5, 2011).
“From the FTC to HHS: Making Sense of Recent Enforcement Activity,” International Association of Privacy Professionals KnowledgeNet (Washington, D.C., September 27, 2011).
“Critical Developments in Social Media Law,” Northern Virginia Technology Institute webinar (May 26, 2011).
“Comprehensive Federal Privacy Legislation: Implications and Concerns for Business and Institutions,” West LegalEdcenter webcast (July 22, 2010).
“HIPAA in a HITECH World/Keys to Compliance in the New Era,” National Constitution Conferences CLE webcast (October 6, 2010).
“Facebook and Twitter: Legal Liabilities and HIPAA Compliance in Healthcare,” Progressive webinar (February 23, 2011, and March 25, 2010).
“From HIPAA to ARRA and Beyond: Making Sense of Health Information Privacy and Security Requirements for Community Health Centers,” Texas Association of Community Health Centers’ 26th Annual Conference (Dallas, TX, November 2, 2009).
“Social Networking and Healthcare Providers: Understanding the Risks,” Strafford Publications webinar (October 22, 2009).
“New Red Flags Rules for Healthcare Providers: Are You Ready?” Strafford Publications webinar (June 24, 2009, and October 7, 2009).
“FTC Red Flags Rule/Compliance Tips for Healthcare Providers,” Strafford Publications webinar (October 7, 2009).