HIPAA’s New Security Rule: Why Your Clients’ Risk Assessments and BAAs No Longer Comply

Jennifer C. Everett, Partner | ALSTON & BIRD LLP

Jennifer C. Everett is a partner at Alston & Bird in Washington, D.C., where she focuses on regulatory compliance, enforcement, and transactions in data privacy, cybersecurity, health care, and emerging technologies. As a trusted adviser with over 15 years of experience, she skillfully manages data privacy, cybersecurity, and technology issues both in the U.S. and globally. Jennifer offers strategic guidance to public and private companies across several sectors, including life sciences and health technology, when navigating state, federal, and international privacy regulations, including the EU General Data Protection Regulation (GDPR), state-specific privacy laws, biometric regulations, children’s privacy, workplace privacy, the Federal Trade Commission Act, and other U.S. consumer privacy statutes. She oversees all aspects of U.S. and international data breach investigation and response, providing guidance on forensic investigations, notifications, and related regulatory inquiries. With extensive knowledge of health privacy law, Jennifer provides guidance on a variety of intricate health data matters, including those governed by HIPAA and other regulations, and she actively assists clients in creating privacy programs and mitigating risks related to technologies in digital health and AI-driven platforms. Her consumer protection practice includes counseling clients on marketing and promotional issues, including interest-based ads; automatic renewal and subscriptions; SMS text messaging and telemarketing; and other state and federal consumer protection laws.

• Education & Credentials

Jennifer earned her J.D. from the University of Virginia in 2008 and her B.A. from Northwestern University in 2003. She is admitted to practice in the District of Columbia and Virginia, and she speaks Japanese.

• Recognition & Leadership

Jennifer’s work has earned significant recognition, including being named to the Washington Business Journal’s “40 Under 40” and selected by Virginia Lawyers Weekly as a Go To Lawyer for Cybersecurity/Privacy (2025). She was recognized by Lawdragon as a “Leading Cyber Lawyer” (2024–2025) and by Law360 as a Rising Star in Cybersecurity (2020). She also serves on the advisory board of Corporate Counsel Women of Color Next Gen (2025).

• Professional Involvement

Jennifer is a member of the International Association of Privacy Professionals, the American Bar Association, and the National Bar Association. She also serves on the board of directors of the Washington Legal Clinic for the Homeless. She is an active author and speaker, with publications including “Flurry of Federal Trade Commission Activity Shows Enforcement Emphasis on Youth Protection” (Pratt’s Privacy & Cybersecurity Law Report, January 2026), “What Businesses Need to Know About California’s AI Safety Law” (Bloomberg Law, December 2025), “Strategies for Addressing Cybersecurity Threats to a Prime Critical Infrastructure Target – Data Centers” (Cybersecurity Law Report, September 2025), “Protecting Data and Avoiding Pitfalls with AI Assets During M&A” (Bloomberg Law, April 2025), and “Federal Trade Commission’s Updated Health Breach Notification Rule Is Now in Effect” (Employee Benefit Plan Review, November 2024). Her presentations include “Unlocking Value: Optimizing Efficiency and Minimizing Risk through Defensible Data Retention Program” at the Association of Corporate Counsel’s 2024 General Counsel Toolkit and “The Brussels Effect (Again): Compliance Strategies for the EU’s New Digital and Cyber Laws” at the Privacy + Security Forum Spring Academy in May 2024.

• Experience

Jennifer has defended clients in regulatory inquiries regarding data security practices, including investigations by the FTC, the U.S. Department of Health and Human Services, state attorneys general, and international regulators following data security incidents, and she frequently conducts training sessions for senior leadership and corporate boards focused on mitigating privacy and cyber risks. In her regulatory advisory and compliance work, she has advised numerous companies on proactive compliance with emerging U.S. state comprehensive privacy laws, including the CCPA, VCDPA, CTDPA, and Consumer Privacy Act, as well as topical state privacy laws relating to health and biometric data; advised companies on website design and deployment of adtech and other third-party technologies; conducted privacy and security assessments for international SaaS platform providers and data analytics companies; advised smart camera companies on the deployment of smart technologies, including facial recognition; and counseled online services companies on emerging laws related to teen and child users, age verification, and parental consent. On the regulatory and enforcement side, she has resolved U.S. state and multistate attorney general investigations following data breaches, resolved an FTC investigation involving a consumer goods company, represented an online financial consumer company in a state attorney general investigation following a security incident, and represented hospitals and health care companies in investigations by the Office of Civil Rights following data breaches. In incident response matters, she advised an online consumer goods company on a global incident involving a breach of more than 20 million records and counseled health care companies, hospitals, and pharmaceutical companies on all aspects of incident response, including forensic investigations and notification obligations under various state and federal laws, including HIPAA.

Alaap B. Shah, Co-leader | Epstein Becker & Green, P.C.

Alaap B. Shah is a Member of the Firm at Epstein Becker & Green, P.C., based in the firm’s Washington, DC office. Tech-savvy and solutions-oriented, Alaap deftly guides clients through complex and ever-evolving privacy, cybersecurity, medical device, artificial intelligence (AI), interoperability, digital health, telehealth, fraud and abuse, and other laws and regulations. As a co-leader of Epstein Becker Green’s AI Cross-Practice Working Group, he helps clients compliantly develop and deploy these cutting-edge technologies, enabling them to build trust among stakeholders so they can robustly collect, share, analyze, and protect data and information technology assets. Alaap’s clients include all types of health care, life sciences, data analytics, and technology
companies at various stages of development, ranging from startup companies in the United States and abroad developing digital health applications, medical devices, telehealth solutions, AI, and data analytics platforms, to mid-size and large companies seeking to expand and mature legal, compliance, and risk management functions. Clients appreciate his strategic and pragmatic approach to risk management that bridges the gap among legal, compliance, IT, and business teams, and his ability to translate “IT speak” for legal, compliance, and business people.

• Education & Credentials

Alaap earned his J.D., cum laude, from the University of Maryland School of Law, where he served as Notes & Comments Editor of the Journal of Health Care Law & Policy. He holds a Master of Public Health (M.P.H.) in Health Policy & Management from Columbia University and a Bachelor of Science (B.S.) in Biochemistry from Union College. He is admitted to practice in the District of Columbia and New York. Alaap also holds several globally recognized technology and information assurance credentials, including the Artificial Intelligence Governance Professional (AIGP) and Certified Information Privacy Professional in the United States (CIPP/US) certifications from the International Association of Privacy Professionals (IAPP), the Certified Professional in Healthcare Information and Management Systems (CPHIMS) certification from the Healthcare Information and Management Systems Society, and the Certified Common Security Framework Practitioner (CCSFP) certification from the Health Information Trust Alliance (HITRUST).

• Recognition & Leadership

Alaap has been recognized by OneTrust DataGuidance as a “DataGuidance Expert” for Washington, DC. Within Epstein Becker Green, he serves as Vice Chair of the firm’s Diversity and Professional Development Committee, a Board-level committee that includes the firm’s Pro Bono Program and Hiring Committee, and as a co-leader of the firm’s AI Cross-Practice Working Group.

• Professional Involvement

Alaap is an active contributor to several professional organizations and advisory bodies. He serves as a Member of the 4medica® Advisory Board and as a Member of the American Health Lawyers Association’s AI Program Planning Committee. He is also affiliated with the North Asian Pacific American Bar Association and the South Asian Bar Association.

• Experience

Alaap began his legal career at Epstein Becker Green and later served as Senior Counsel and Chief Privacy and Security Officer at an oncology membership society, where he strengthened enterprise-wide privacy and security, helped launch a Big Data company focused on improving quality of care by harnessing real world cancer patient medical information, and built data sharing trust networks among the oncology community, before rejoining the firm in October 2017. During law school, he worked with the U.S. Department of Health and Human Services (HHS), Office of General Counsel, providing legal counsel and support to all agencies and programs under the Public Health Division of HHS. His representative experience includes assisting a U.S.-based technology company providing point-of-care decision support related to laboratory test selection and management to obtain HITRUST certifications and conduct HIPAA-compliant risk analyses and management planning; developing a compliance model for a U.S.-based data analytics company offering point-of-care coordination tools and supporting downstream research activities; assisting a U.S.-based health information technology, interoperability, data analytics, and AI platform company in performing initial and ongoing in-depth 50-state research across consent and authorization laws; serving as virtual General Counsel and Privacy Officer for a California-based provider group to support a wide range of legal and regulatory compliance efforts as well as contracting and M&A transactions; and assisting a U.S.-based health insurance company with mobilizing a response team to investigate a security event, contain the threat, remediate the issue, and support determinations about legal and regulatory notification requirements to state and federal authorities.

SESSION 1 – Navigating the Security Rule in Flux Amid Accelerating OCR Enforcement | 1:00pm – 2:00pm

This session examines the January 2025 HIPAA Security Rule NPRM and OCR’s accelerating enforcement against business associates and subcontractors, addressing elimination of the required versus addressable distinction, annual verification obligations, cascading vendor liability, and concrete compliance actions attorneys should prioritize while rulemaking remains unresolved.

BREAK | 2:00pm – 2:10pm

SESSION 2 -– Prescriptive Technical Safeguards and the AI Threat Landscape | 2:10pm – 3:10pm

This session examines the technical safeguards mandatory under the HIPAA Security Rule NPRM—MFA, encryption, network segmentation, least-privilege access, and penetration testing—while addressing ransomware and AI-enabled threats, connecting each mandate to risk assessments, BAA amendments, incident response, and practice development.