Abby Bonjean specializes in data privacy and cybersecurity matters. Abby’s practice covers a wide range of laws and regulations, such as HIPAA and HITECH; 42 CFR Part 2 (Federal Confidentiality of Substance Use Disorder Patient Records); and state laws and guidance governing privacy, security and breach notification. Abby partners with clients to proactively manage risk by developing and implementing information governance programs, drafting privacy and security policies and preparing and testing incident response plans.
Abby also assists clients as they investigate and respond to a wide range of data incidents including phishing, ransomware, network intrusions, malicious employees, theft and other potential or actual security incidents. As part of those efforts, Abby advises clients through all aspects of incident response, including remediation, vendor selection, forensic investigations, and communications such as individual notification, media statements and regulatory notification. As a former investigator for the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), Abby understands the steps that covered entities and business associates should take to be in the best possible position to respond to a regulatory investigation, and has successfully resolved numerous investigations by both state and federal regulators.
Abby regularly assists our M&A and transactions teams with diligence, transactional documentation and considerations, transition services agreements, and post-closing compliance considerations. Her experience runs deep across the spectrum of health care provider types, including hospitals. These efforts include:
- Reviewed HIPAA privacy and security diligence and interviewed target’s subject matter experts to assess HIPAA compliance and quantify risk associated with any non-compliance.
- Coordinated with representations and warranties insurers to evaluate risk related to privacy and security compliance issues.
- In at least one instance, successfully negotiated terms of a purchase agreement related to indemnification after target’s non-compliance with HIPAA almost prevented transaction from closing.
- Assist clients with implementing HIPAA compliance programs post-closing.