Jennifer J. Hennessy
Partner
Jennifer Hennessy is a data privacy and cybersecurity attorney, advising clients ranging from multinational corporations to startups on all aspects of compliance with international, federal, and state data privacy and security laws. She is a partner in the firm鈥檚 Technology Transactions, Cybersecurity, and Privacy Practice, a member of the Telemedicine & Digital Health Industry Team, the Health Care & Life Sciences Sector, and Innovative Technology Sector.
Jennifer has been recognized by the coveted Band 1 Ranking in Chambers USA (2025):
“Jennifer is extremely knowledgeable in healthcare-related privacy matters and has been an invaluable resource for our organization.鈥
鈥淛ennifer is phenomenal. She’s such a subject matter expert who gives great guidance and practical solutions.鈥
鈥淛ennifer is highly responsive and thorough in her legal response to our questions. She is knowledgeable, responsive and collaborative.”
鈥 Chambers and Partners USA
Jennifer assists covered entities and business associates in complying with Health Insurance Portability and Accountability Act (HIPAA) and advises organizations on compliance with federal law 42 C.F.R. Part 2 (Confidentiality of Substance Use Disorder Treatment Records), the EU鈥檚 General Data Protection Regulation (GDPR), and state data privacy laws, including the California Consumer Privacy Act (CCPA).
She works with a broad array of clients in the telemedicine and digital health industry, most notably high-growth emerging companies and entrepreneurial technology groups. Her work focuses on health care privacy and security in digital health and multistate footprints. She also advises cash and self-pay telemedicine companies on privacy and security considerations.
Jennifer frequently guides clients through data incident management and the entire breach notification process, from the early stages of the investigation to the notification of affected individuals and government regulators, as well as through any resulting enforcement actions or regulatory investigations. Her depth of experience in this area allows her to provide clients with practical and business-oriented solutions in the event of a data incident and in its aftermath.
Representative Experience
Selected representative matters include:
- HIPAA: Developed a HIPAA compliance program for a digital health provider, including drafting privacy policies and conducting HIPAA training for employees, negotiated hundreds of business associate agreements on behalf of covered entities and business associates, and advised providers, health plans, and business associates on their regulatory obligations.
- Substance Use Disorder Information: Advised a multistate substance abuse treatment facility on navigating compliance with HIPAA, 42 C.F.R. Part 2, and state medical record confidentiality laws.
- General Data Protection Regulation (GDPR): Consulted with a U.S. health system on the applicability of GDPR, advised a clinical trial sponsor conducting trials in the EU on developing a GDPR compliance program, and negotiated a substantial number of data processing agreements as part of a client鈥檚 GDPR compliance initiative.
- California Consumer Privacy Act (CCPA): Advised a large health system on CCPA鈥檚 applicability, and counseled a manufacturer and sports management company on CCPA compliance, including drafting privacy notices, revising contracts, and developing protocols for responding to consumer rights requests.
- Data breaches: Guided a health care organization through breach notification as a result of use of online tracking technologies, assisted a physician practice with an investigation into a phishing incident, and advised a large health care system on the implications of an application security flaw resulting in unauthorized access to patient data.
- Regulatory investigations: Counseled a digital health provider in responding to a federal government inquiry regarding the provider鈥檚 data sharing practices, and represented a manufacturer in responding to an investigation by the federal Office for Civil Rights (OCR) and other regulatory authorities subsequent to a data breach affecting employee health plan data.
- Data de-identification: Advised a health system on de-identification of patient data and the licensing of such de-identified data in accordance with HIPAA and other applicable law, including negotiation of the licensing agreement.
- Health information exchanges: Assisted a health information exchange on navigating compliance with HIPAA, 42 C.F.R. Part 2, and state medical record confidentiality laws, including advising on the necessity of an opt-in versus opt-out consent model.
- Security policies: Drafted and revised security policies and procedures for clients including a digital health company, a health information exchange, and a sports management company.
Awards and Recognition
- Women in the Law, Wisconsin Law Journal (2025)
- Recognized in聽Chambers USA: America鈥檚 Leading Lawyers for Business in the practice area of Healthcare (2025)
Affiliations
- Member, Certified Information Privacy Professional 鈥 United States (CIPP/US)
- Member, Certified Information Privacy Professional 鈥 Europe (CIPP/E)
- Member, International Association of Privacy Professionals (IAPP)
- Member, American Telemedicine Association (ATA)
Presentations and Publications
For a full list of publications and presentations, please click here.
- Co-author, 鈥淗IPAA Compliance for AI in Digital Health: What Privacy Officers Need to Know,鈥 Health Care Law Today (May 8, 2025)
- Co-presenter, 鈥淒ata Privacy Considerations for Your Digital Strategy,鈥 American Telemedicine Association Annual Conference (May 3, 2025)
- Co-author, “Key Takeaways: 7th Annual 鈥淟et鈥檚 Talk Compliance,鈥 Health Care Law Today (March 4, 2025)
- Co-author, 鈥淣ew York鈥檚 Proposed Health Information Privacy Act Takes Aim at Digital Health Companies,鈥 Health Care Law Today (January 23, 2025)
- Co-author, 鈥淗HS Proposes Changes to Strengthen HIPAA Security Rule,鈥 Health Care Law Today (January 6, 2025)
- Co-author, “HIPAA Reproductive Health Care Amendments: Compliance in an Uncertain Enforcement Landscape,” Health Care Law Today (December 19, 2024)
- Co-author, “OCR Says HIPAA Audits Will Resume: OIG Makes Recommendations for Enhancement,” Health Care Law Today (December 9, 2024)
- Co-author, 鈥淗IPAA: Amendments to Protect Reproductive Health Care Information Can Now be Implemented with OCR鈥檚 Final Rule,鈥 Health Care Law Today (July 2, 2024)
- Co-presenter, 鈥淐utting Edge of Digital Health Privacy Law,鈥 American Telemedicine Association Annual Conference (May 5, 2024)
- Co-author, 鈥淗HS Updates Pixels and Trackers Guidance for HIPAA Regulated Entities,鈥澛 Health Care Law Today聽(March 19, 2024)
- Co-author, 鈥’Let鈥檚 Talk Compliance’: Health Care Privacy and Cybersecurity,鈥澛 Health Care Law Today (February 21, 2024)
- Co-author, 鈥淣IST Publishes Final ‘Cybersecurity Resource Guide’ on Implementing the HIPAA Security Rule,鈥澛 Health Care Law Today (February 21, 2024)
- Co-author, “HIPAA and Part 2 Harmonized: What Health Care Organizations Need to Know,” Health Care Law Today (February 12, 2024)
- Co-presenter, 鈥淧roviding Clarity About the Information Blocking Rules,鈥 American Telemedicine Association (November 13, 2023)
- Co-presenter, 鈥淭elehealth Landscape: Licensing, Practice Standards, and Online Tracking Technology Trends,鈥 California Telehealth Resource Center Summit (June 14, 2023)
- Quoted, 鈥淗ealth Industry Pressed to Protect Data as Cyberattacks Spread,鈥澛Bloomberg Law News聽(March 17, 2023)
- Co-presenter, 鈥淗HS Bulletin: Requirements under HIPAA for Online Tracking Technologies,鈥 Massachusetts Health & Hospital Association (January 31, 2023)
- Co-presenter, 鈥淐hallenges of Interoperability and the Information Blocking Rule,鈥 番茄社区; PYA Let’s Talk Compliance Webinar (January 19, 2023)
- Presenter, 鈥淚mpact of the EU General Data Protection Regulation (GDPR) and Recently Adopted Standard Contractual Clauses (SCCs) on Clinical Trial Agreements,鈥 Clinical Trial Agreements Conference (September 16, 2021)
- Quoted, 鈥淓xceptions to Breach Reporting Law Take Effect in California,鈥 Report on Medicare Compliance (July 26, 2021)
- Co-presenter, 鈥淗IPAA Update: Right of Access Initiative, Summary of Proposed Rules, Pandemic Enforcement Discretion, and Recent Breach Settlements,鈥 Association of Corporate Counsel (ACC) (April 6, 2021)
- Quoted, “Amid Pandemic, Health Apps Face Privacy Law Patchwork,” Law360 (September 21, 2020)
- Quoted, 鈥淐all an (Online) Regulatory Expert: Telemedicine Faces Complicated Data Compliance,鈥 Law.com Legaltech News (December 11, 2019)
- Co-presenter, 鈥淗IPAA 鈥 It鈥檚 Not Only About the Regulations: Lessons Learned from Recent OCR Guidance and Enforcement Actions,鈥 Association of Corporate Counsel (ACC) (September 26, 2018)
American Telemedicine Association Nexus 2026
/Passle/67196104ea6deed3d1072b7a/SearchServiceImages/2026-01-21-14-51-14-843-6970e7e21849535487940b6d.jpg)
AI, Privacy, and Cybersecurity in Digital Health: A CEO Playbook for Reducing Risk While Scaling Fast
8th Annual Let's Talk Compliance Conference
Aaron Maguregui and Jennifer Hennessy Assess HIPAA Risks of AI Scribes
/Passle/67196104ea6deed3d1072b7a/MediaLibrary/Images/2025-05-15-14-32-24-265-6825faf86e173c9cc1d8c7e6.jpg)
AI-Powered Text Messaging by Digital Health Companies: Supreme Court Raises the Stakes
