HIPAA and Beyond: Legal Risks, Regulatory Gaps, and Emerging Health Data Privacy Standards

Suzanne Bernstein | Electronic Privacy Information Center, EPIC
Stefan Boedeker | StoneTurn Group LLP
Valerie Breslin Montague | Nixon Peabody
Jéna M. Grady | Nixon Peabody
Live Video-Broadcast: August 21, 2025

2-hour CLE


Program Summary

Session I – Health Data Privacy in Transition: Legal Risks, Gaps in HIPAA, and Emerging U.S. Laws - Suzanne Bernstein and Stefan Boedeker

While HIPAA remains the foundational regulation for health information privacy, it was not designed to address the complex and rapidly evolving data landscape we face today. Increasingly, health-related data is generated and collected outside traditional healthcare settings—via consumer apps, wearables, genetic testing services, and digital platforms—often without federal protections and with limited state oversight. This session will explore HIPAA’s enforcement and limitations, highlight trends in health data litigation and damages modeling, and examine emerging federal and state legislative efforts aimed at regulating non-HIPAA-covered health data. Presenters will also share practical risk management strategies for navigating a fragmented privacy environment, ensuring compliance, and future-proofing privacy programs amid expanding consumer health data ecosystems.

Key topics to be discussed:

  • HIPAA enforcement trends and gaps
  • Health privacy litigation and damages
  • Beyond HIPAA: Emerging regulatory trends
  • Risk management in a fragmented legal environment

Session II - Health Data Privacy in the Trenches: Legal Considerations Beyond the Surface - Valerie Breslin Montague and Jéna M. Grady

This session will explore the complex legal landscape surrounding health data privacy, with a focus on practical challenges and evolving risks. The session will examine how to balance protecting individual privacy with ensuring patients’ rights, including the HIPAA right of access and broader state-level rights under laws like the CCPA and CPRA. It will delve into confidentiality requirements that go beyond traditional PHI, covering sensitive categories such as substance use disorder patient data (42 CFR Part 2), biometric identifiers, mental health information, and other highly protected data types. Attendees will also gain insight into legal considerations for regulated health data in the context of AI, strategies for managing vendor compliance and downstream privacy obligations, lessons from HIPAA enforcement actions involving business associate breaches, and best practices in contracting to minimize liability and ensure robust data protection.

Key topics to be discussed:

  • Protecting privacy while ensuring individuals’ rights
  • Deeper than PHI: Confidentiality protections for sensitive health data
  • Regulated health data and AI
  • Vendor compliance: Ensuring downstream privacy protections

This course is co-sponsored with myLawCLE.

Date / Time: August 21, 2025

  • 1:00 pm – 3:10 pm Eastern
  • 12:00 pm – 2:10 pm Central
  • 11:00 am – 1:10 pm Mountain
  • 10:00 am – 12:10 pm Pacific

Closed-captioning available

Speakers

Suzanne Bernstein | Electronic Privacy Information Center, EPIC

Suzanne Bernstein is EPIC Counsel, focusing on consumer privacy and data protection. She is a graduate of Temple University Beasley School of Law, where she was a Law & Public Policy Scholar and a member of the Moot Court Competition Team. While in law school, she interned in the Office of Policy Analysis and Development at NTIA and the Future of Privacy Forum. She holds a B.A. in English from University of Pennsylvania and is a member of the Pennsylvania and District of Columbia Bars.
Stefan Boedeker | StoneTurn Group LLP

Stefan is a Partner at StoneTurn, where he focuses on the application of economic, statistical, and financial models to a variety of areas such as solutions to business issues, complex litigation cases, and economic impact studies. He has extensive experience applying economic and statistical theories and methodologies to a wide variety of cases where but-for scenarios must be developed based on probabilistic methods and where statistical predictive modeling must be applied to assess liability and damages.

Stefan has applied these techniques in business disputes, single-plaintiff cases, multi-plaintiff cases, and class action proceedings in the areas of class certification, liability assessment, developing damages scenarios, and post-settlement or judgment distributions.

With more than thirty years of experience in the healthcare industry, Mr. Boedeker provides statistical and economic consulting to a variety of clients including, but not limited to, providers, payors, and federal, state and local government agencies. Mr. Boedeker has extensive experience in assisting healthcare organizations facing disputes where complex economic issues must be assessed and where complex statistical methods are necessary to answer questions of liability, over-/underpayments and/or damages. He has extensive experience in negotiating and presenting statistical methodology with government agencies such as OIG, CMS (formerly HCFA), and DOJ when assessing the appropriateness of claims submission and payment practices based on statistical samples. During his tenure at various major accounting firms, Mr. Boedeker coordinated statistical sampling methodology on numerous healthcare audits. In addition, he served as the statistical expert with the IRO for healthcare organizations, including hospitals and DME companies, in response to Corporate Integrity Agreements.
Valerie Breslin Montague | Nixon Peabody

Valerie assists healthcare providers and business associates of all types to comply with the requirements of HIPAA and the HITECH Act, from the development of policies and workforce training to analysis and notification of breaches to guidance through Office for Civil Rights (OCR) investigations. She also advises vendors initiating arrangements with healthcare entities on whether their business triggers HIPAA.

Beyond HIPAA, Valerie counsels healthcare providers on compliance with other federal and state health information confidentiality requirements, as well as cybersecurity best practices.

Valerie advises hospital systems, skilled nursing facilities, physician practices and other healthcare providers on compliance with the Stark Law and the Anti-Kickback Statute, as well as state laws prohibiting self-referrals and fraud and abuse. In Illinois, Valerie works with facilities to navigate Certificate of Need (CON), corporate practice of medicine, telehealth and licensure requirements.

Valerie works with tax-exempt entities in all industries to obtain and maintain federal income tax-exempt status, including group exemptions and reinstatement of tax-exempt status. She advises tax-exempt entities on structure and governance issues as they expand their service lines, create new entities and enter transactions with third parties, including joint ventures and the creation of for-profit subsidiaries. Valerie also assists tax-exempt hospitals with compliance with Internal Revenue Service (IRS) and state law requirements governing financial assistance and community benefit activities.
Jéna M. Grady | Nixon Peabody

Jéna M. Grady is a partner in Nixon Peabody’s Healthcare practice group, focusing on healthcare transactions and regulatory compliance. Jéna leverages her previous public health experience to advise healthcare providers, companies and investment and management firms on complex regulatory and legal issues, particularly in behavioral health, digital health, dermatology, ophthalmology, and dental. Jéna also advises clients on the legal and regulatory implications of integrating artificial intelligence (AI) into clinical and healthcare operations.

Jéna serves as healthcare regulatory counsel for both buyers and sellers in the healthcare space, including healthcare providers, emerging companies, healthcare management services organizations (MSOs), and private equity investors. Jéna advises on regulatory matters for platform investments, add-on acquisitions, exit transactions, joint ventures, and strategic affiliations across a variety of healthcare sectors, including behavioral health, digital health, dental, and dermatology. During transactions, Jéna provides guidance on corporate practice of medicine prohibitions, compliant PC/MSO models, licensure requirements, fraud and abuse laws (including the Anti-Kickback Statute and Stark Law), and other regulatory issues.

Jéna’s background includes significant experience with the Arizona Department of Health Services, where Jéna played a key role in one of the nation’s largest public behavioral health systems. This experience informs her comprehensive legal counsel to a wide range of behavioral health clients, including private equity investors, platform companies, psychiatric hospitals, substance use disorder and eating disorder treatment providers, community mental health centers, digital and telehealth providers, and ABA organizations.

Jéna addresses a broad spectrum of regulatory and compliance issues unique to behavioral health, such as 42 CFR Part 2, state mental health privacy laws, the use of mental health chatbots, consent requirements, controlled substance prescribing, duty to warn obligations, the IMD (institutions for mental disease) exclusion, and licensure requirements for mental health professionals and facilities. Jéna routinely advises clients on launching and expanding behavioral health businesses, structuring behavioral health transactions, developing compliance programs, and navigating payor-provider contracting, audits, and disputes.

Through active participation in industry conferences and ongoing monitoring of regulatory developments, Jéna helps clients adapt to the evolving behavioral health landscape. Her work supports efforts to advance access to care, improve quality outcomes, and promote value-based care.

Jéna works with healthcare providers, technology companies, and digital health vendors implementing new technologies to address HIPAA compliance, state privacy laws, and the use of health data in digital health platforms, including telehealth and AI-supported care delivery. Additionally, Jéna helps clients navigate evolving state requirements related to the selection and use of AI tools for both clinical and back-office operations, including providing guidance on managing patient and client consent requirements and data governance. Her goal is to support innovation in healthcare while ensuring legal compliance at every step.

Agenda

Session I – Health Data Privacy in Transition: Legal Risks, Gaps in HIPAA, and Emerging U.S. Laws | 1:00pm – 2:00pm

  • HIPAA enforcement trends and gaps
    • Scope and limitations of HIPAA
    • Recent enforcement actions
    • Risk quantification and compliance methodologies (e.g., de-identification, tokenization)
  • Health privacy litigation and damages
    • Legal trends in health data misuse
    • Challenges in modeling and quantifying damage
    • Statistical disclosure analysis and compliance under HIPAA
  • Beyond HIPAA: Emerging regulatory trends
    • Legislative activity at the federal level (e.g., My Body My Data Act, recent court rulings)
    • State-level privacy laws and bills, including comprehensive laws and Washington State’s My Health My Data Act
  • Risk management in a fragmented legal environment
    • Strategies for organizations handling consumer health data
    • Developing real-time, adaptable privacy and compliance programs
    • Future-proofing data practices beyond HIPAA coverage

Break | 2:00pm – 2:10pm

Session II – Health Data Privacy in the Trenches: Legal Considerations Beyond the Surface | 2:10pm – 3:10pm

  • Protecting privacy while ensuring individuals’ rights
    • HIPAA right of access
    • State data rights (CCPA/CPRA, etc.)
  • Deeper than PHI: Confidentiality protections for sensitive health data
    • Part 2/substance use disorder
    • Biometric
    • Mental health
    • Other
  • Regulated health data and AI
  • Vendor compliance: Ensuring downstream privacy protections
    • HIPAA enforcement involving vendor breaches
    • Contracting best practices