Jennifer Hennessy is a data privacy and cybersecurity attorney. She advises clients, ranging from multinational corporations to startups, on all aspects of compliance with international, federal, and state data privacy and security laws. This includes assisting covered entities and business associates in complying with the Health Insurance Portability and Accountability Act (HIPAA) and advising organizations on compliance with federal law 42 C.F.R. Part 2 (Confidentiality of Alcohol and Drug Abuse Treatment Records), the California Consumer Privacy Act (CCPA), the EU’s General Data Protection Regulation (GDPR), the Family Educational Rights and Privacy Act (FERPA), and the Gramm–Leach–Bliley Act (GLBA).
Jennifer frequently guides clients through data incident management and the entire breach notification process, from the early stages of the investigation, to the notification of affected individuals and government regulators, and through any resulting enforcement actions or regulatory investigations. Her depth of experience in this area allows her to provide clients with practical and business-oriented solutions in the event of a data incident and in its aftermath.
Jennifer started her career as a health law attorney, giving her particular insight into the data privacy and security issues that impact organizations in the health care space.
Selected representative matters include:
- HIPAA: Developed a HIPAA compliance program for a telehealth provider, including drafting privacy policies and conducting HIPAA training for employees, negotiated hundreds of business associate agreements on behalf of covered entities and business associates, and advised providers, health plans, and business associates on their regulatory obligations
- Substance Use Disorder Information: Advised a multistate substance abuse treatment facility on navigating compliance with HIPAA, 42 C.F.R. Part 2, and state medical record confidentiality laws
- General Data Protection Regulation (GDPR): Consulted with a U.S. health system on the applicability of GDPR, advised a clinical trial sponsor conducting trials in the European Union on developing a GDPR compliance program, and negotiated a substantial number of data processing agreements as part of a client’s GDPR compliance initiative
- California Consumer Privacy Act (CCPA): Counseled a manufacturer and sports management company on CCPA compliance, including drafting privacy notices, revising contracts, and developing protocols for responding to consumer rights requests
- Data Breaches: Guided an oil and gas company through the aftermath of a ransomware attack, assisted a physician practice with an investigation into a phishing incident, and advised a large health care system on the implications of an application security flaw resulting in unauthorized access to patient data
- Regulatory Investigations: Represented a manufacturer in responding to an investigation by the federal Office for Civil Rights (OCR) and other regulatory authorities subsequent to a data breach affecting employee health plan data
- Data De-Identification: Advised a health system on de-identification of patient data and the licensing of such de-identified data in accordance with HIPAA and other applicable law, including negotiation of the licensing agreement
- Health Information Exchanges: Assisted a health information exchange on navigating compliance with HIPAA, 42 C.F.R. Part 2, and state medical record confidentiality laws, including advising on the necessity of an opt-in versus opt-out consent mode
- M&A: Reviewed and advised on the overall state of data privacy and security compliance during the due diligence process for targets that have consisted of health systems, physician practices, technology companies, insurance companies and others
- Security Policies: Drafted and revised security policies and procedures for clients including a health information exchange and a sports management company
- Covered Defense Information (CDI): Conducted an in-depth training for in-house legal counsel on the confidentiality and security requirements for CDI under the DFARS and NIST SP 800-171
For a full list of Publications and Presentations, please click here.
- Quoted, “Three States Launch New Data Breach Notification Requirements,” Bloomberg Law News (December 31, 2019)
- Co-presenter, “The California Consumer Privacy Act – Compliance Tips for Wisconsin Businesses,” Foley & Lardner LLP Madison Office CLE Days (December 19, 2019)
- Quoted, “Call an (Online) Regulatory Expert: Telemedicine Faces Complicated Data Compliance,” Law.com Legaltech News (December 11, 2019)
- Co-presenter, “Ringing in the New Year…and the California Consumer Privacy Act,” Foley & Lardner LLP Annual CLE Week (December 11, 2019)
- Co-presenter, “Compliance with NIST SP 800-171 Security Framework: DoD Contractors and Beyond,” Midwest Cybersecurity Alliance (March 19, 2019)
- Co-presenter, “The Ins and Outs of a HIPAA Investigation,” Health Management Academy (November 8, 2018)
- Co-presenter, “HIPAA – It’s Not Only About the Regulations: Lessons Learned from Recent OCR Guidance and Enforcement Actions,” Association of Corporate Counsel (ACC) (September 26, 2018)
- Member, Certified Information Privacy Professional – United States (CIPP/US)
- Member, International Association of Privacy Professionals (IAPP)
- Member, American Health Lawyers Association (AHLA)
- University of Iowa College of Law (J.D., with distinction, 2011)
- Senior Note & Comment Editor, Iowa Law Review
- University of Iowa Henry B. Tippie College of Business (MBA, 2011)
- University of Iowa (B.S., highest distinction, 2007)