The following is an excerpt from Practice Perspectives: Vault's Guide to Legal Practice Areas.
Jiayan Chen, Partner — Health Industry Advisory, and Deepali Doddi, Associate — Global Privacy & Cybersecurity
Jiayan Chen counsels clients on a range of regulatory, transactional, and strategic issues that arise in the context of efforts to leverage data, bioassets, and technology to drive innovation and quality in health care. Jiayan has particular experience with complex, cutting-edge “Big Data” transactions and initiatives designed to advance precision medicine and the use of real-world data. Jiayan counsels a broad array of clients, including health care technology companies, data companies, health systems, academic medical centers, professional associations, and life sciences companies.
Deepali Doddi concentrates her practice on data privacy and cybersecurity matters. She regularly advises clients across a broad spectrum of industries on issues arising under domestic data security and privacy laws and regulations, including COPPA, CAN-SPAM, TCPA, GLBA, the FTC Act, CalOPPA, DFARS cybersecurity requirements, and breach notification laws. Additionally, she helps clients navigate international data privacy matters, such as certifying to the EU-U.S. Privacy Shield Framework, selecting appropriate cross-border data transfer mechanisms, and complying with the EU General Data Protection Regulation (GDPR).
Describe your practice area and what it entails.
Jiayan: I represent a range of stakeholders in the health care and technology industries on matters that arise when they seek to use data or biospecimens for their clinical, operational, or research endeavors. While a major aspect of my practice entails advising on regulatory and compliance matters, I am also a transactional attorney and guide clients through deals and collaborations involving data or bioassets. I advise clients as they develop initiatives, products, or even businesses, so I have an opportunity to help them think strategically about how to tackle their business objectives in the evolving regulatory landscape and keep pace with the digitization of health care.
Deepali: My practice focuses on privacy and cybersecurity matters, with an emphasis on health information privacy and security. I work with clients to help them comply with the Health Insurance Portability and Accountability Act (“HIPAA”), which regulates how certain health care providers, health technology companies, and other health industry actors use, share, and secure protected health information. I also advise clients on other U.S. and international privacy laws, such as the California Consumer Privacy Act and the EU General Data Protection Regulation. My work includes helping clients with establishing their data privacy compliance programs, responding to security incidents, negotiating contracts, and formulating creative strategies to achieve their business objectives without running afoul of privacy laws. In addition, I perform privacy and data security due diligence for health care mergers, acquisitions, and investments.
What types of clients do you represent?
We work with a diverse set of clients that are developing innovative health care delivery solutions, products, and models. For example, we counsel startups and well-established companies that are launching digital health solutions that enable virtual care. We assist life sciences companies, health care providers, clinical research organizations, and health information technology companies with designing “Big Data” strategies to identify ways to improve the quality and accessibility of health care or develop new products. We also work with companies that offer genetic testing services, which raises interesting privacy issues. In addition, we help private equity firms that are contemplating investing in, for instance, companies that offer cutting-edge telehealth technologies with assessing any legal risks.
What types of cases/deals do you work on?
Jiayan: I work on a range of deals and collaborations in the health care and health IT sectors, including data licensing arrangements, research collaborations, health IT licensing arrangements, and mergers and acquisitions. I also advise private equity clients in assessing risks arising from privacy and research compliance as they explore investing in health care organizations and digital health companies.
Deepali: I help clients address day-to-day issues as they implement their privacy compliance programs, such as by reviewing a HIPAA business associate contract or assisting with responses to EU consumers’ requests for data access or deletion under the EU General Data Protection Regulation. In terms of deals, I provide privacy support in hospital and health system transactions as well as private equity investments in health technology companies.
How did you choose this practice area?
Jiayan: I am fascinated by privacy as a social and legal construct. I do not litigate Fourteenth Amendment cases, but there are other ways to nurture that interest by working on health privacy matters as a regulatory attorney. I also had a longstanding interest in bioethics. McDermott gave me latitude in choosing the direction of my career, so I gravitated toward projects that involved data, research, or health IT. As the digital health industry exploded, I found myself enjoying working on matters that involved integrating two sets of stakeholders that are historically quite different—traditional health care organizations, like providers and payors, and technology companies.
Deepali: I began my privacy career as an investigator with the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”)—the federal agency that enforces HIPAA. I applied for a legal internship with OCR because I was interested in the agency’s enforcement of anti-discrimination laws against health care providers. When OCR handed me a stack of HIPAA complaints and breaches, I became immersed in the world of health privacy and began to appreciate the importance of privacy and security protections to health care delivery and patients’ motivation to seek treatment. After working in OCR’s Chicago office for almost six years, I joined private practice and welcomed the opportunity to advise clients on both HIPAA and other privacy laws.
What is a typical day like and/or what are some common tasks you perform?
Jiayan: I am often on the phone advising clients on strategy and regulatory risks, helping clients design new partnerships or offerings, and negotiating deals. When I am not on the phone, I am often revising or drafting agreements, legal analyses, or research protocols being prepared for submission to institutional review boards. On other days, I am speaking at conferences or conducting in-person training for clients or potential clients.
Deepali: I enjoy the variety of the work I get to do. One day, I may be knee-deep in security-incident-response work, while the next day, I may be drafting privacy policies and procedures for a client. Other days, I am drafting due diligence reports and marking up purchase agreements in connection with transactions.
What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?
In addition to building substantive knowledge in the areas of health law and data privacy by taking the many law school classes on these subjects, there are professional associations to join as a student or a young attorney. The American Health Lawyers Association (“AHLA”) provides educational content through its website, conferences, and webinars and has a Health Information Technology practice group with affinity groups that include one focusing on Digital Health. The International Association of Privacy Professionals is also a staple for anyone interested in practicing privacy law. The IAPP hosts local chapter meetings and global summits and offers professional certifications in several privacy-related subspecialties, such as U.S. privacy law and European data protection law. An IAPP certification is a great credential because it demonstrates strong interest in privacy law.
What is the most challenging aspect of practicing in this area?
The digital health landscape is dynamic, and it can be challenging to help clients keep up with the rapid pace of new developments. In privacy, for example, some clients that were required to comply with the EU General Data Protection Regulation in 2018 have needed to reevaluate their privacy and data security programs in light of the recently enacted California Consumer Privacy Act. Both federal and state lawmakers have proposed additional privacy legislation that could expand consumers’ data privacy rights and cause organizations to further modify their data strategies. We help clients that are subject to multiple privacy regimes with establishing a harmonized approach to compliance, and it can be challenging to do so when there might be new laws that could potentially affect the approach.
What is unique about your practice area at your firm?
McDermott’s Digital Health team sits within a stellar Health Industry Advisory practice with talented, collegial attorneys. What sets McDermott’s Digital Health practice apart is the breadth and depth of experience and expertise of our attorneys. Our team includes subject-matter experts in every aspect of health law and the emerging issues that shape the digital health industry, and our clients appreciate that we are well equipped to address any problem that comes their way. Our health attorneys frequently collaborate with other practice groups—such as Global Privacy and Cybersecurity, Technology, Outsourcing, Intellectual Property, and Corporate—to ensure that we are effectively servicing our clients.
How do you see this practice area evolving in the future?
We see the areas of health care privacy and Big Data as becoming increasingly important and top of mind as technology evolves, data is collected through new kinds of technologies and for innovative purposes, and consumers place greater value on their privacy rights. Emerging technologies such as blockchain and artificial intelligence will pose unique challenges to how we navigate health care privacy and data issues. We also expect to see additional legislation at the state or federal level that could regulate certain consumer-health-generated data not currently subject to HIPAA. It is an exciting time to practice in this space.
How has the digital health market affected your practice?
Jiayan: The explosion of digital health has given us an opportunity to work with more startup or young companies. It is critical that we are agile, appreciate the business drivers and pressures that frame the legal advice requested of us, and are familiar with the newest technologies and solutions that are transforming health care. Many at these companies also come from tech backgrounds and do not always have deep knowledge of the health care industry or regulatory landscape, so we make sure that we properly contextualize our advice to help them understand the dynamics of operating in a highly regulated space with traditional health care partners and customers accustomed to certain ways of doing things.