Thora Johnson
Partner
Washington, D.C.
Thora Johnson is the co-leader of Orrick’s Life Sciences & HealthTech Working Group. A trusted cyber, privacy and healthtech regulatory advisor, Thora practices at the intersection of health data privacy and artificial intelligence (AI). She focuses on guiding clients through the full lifecycle of health data, from collecting and managing data to designing compliance programs and responding to privacy and security incidents.
Thora works with medical device, pharmaceutical, biotech and healthtech companies, helping them navigate the increasingly complex patchwork of state and federal health privacy laws. One client described her to the Legal 500 as a “very practical” advisor providing “exceptional guidance” on health information privacy and HIPAA compliance matters.
Her breadth and depth of experience enable Thora to assist clients in harnessing the power of AI and executing data-sharing arrangements, all while protecting health data. Thora is known for her practical approach to navigating evolving regulatory frameworks and for helping clients anticipate and address emerging privacy and security challenges. As a result, she spends much of her time counseling pioneering startups and high-growth companies on responsible innovation in healthcare and life sciences.
Thora has extensive experience counseling clients, including Fortune 500 companies and brick and mortar providers, on the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal health privacy and regulatory compliance regimes including:
- Office of the National Coordinator for Health Information Technology’s interoperability and information blocking regulations
- Centers for Medicare & Medicaid Service’s (CMS’s) interoperability and patient access regulations
- Part 2 confidentiality requirements applicable to substance abuse records
- State health information privacy laws
- State consumer privacy laws with special controls for health data
- Mental Health Parity and Addiction Equity Act (MHPAEA)
- Genetic Information Nondiscrimination Act (GINA)
- Affordable Care Act (ACA) compliance
- Regulatory requirements of the Employer Retirement Income Security Act (ERISA), the Internal Revenue Code, HIPAA, and the ACA as they apply to employer health and wellness plans
Thora routinely helps companies and large employers prepare for and respond to privacy and security incidents involving health information. She also defends clients in government investigations initiated by the OCR, OIG, DOJ, FTC and state AG, among others.
-
Confidentiality of Health Information
- Structures HIPAA compliance and incident response programs
- Counsels clients on leveraging AI and the use of health data, including developing and reviewing appropriate disclosures and consents for internal, patient and consumer-facing applications
- Guidance on the intersection of HIPAA, Part 2 and state consumer privacy and health laws governing the confidentiality of health data
- Represented companies in negotiating and implementing HIPAA Resolution Agreements and Corrective Action Plans with the U.S. Department of Heath and Human Services’ Office for Civil Rights (OCR)
- Represented covered entities and business associates in HIPAA desk audits
- Regularly represents covered entities and business associates in resolving complaints with the regional offices of OCR
- Advises companies using adtech in the healthcare space
- Works with clients establishing medical registries and running research studies
Health and Welfare Plan Compliance
- Advises employers on how ACA legislation affects their health plans, including how to provide ACA-compliant health coverage to avoid penalties
- Provides day-to-day advice on health and welfare compliance to employers, including drafting plan documents, summary plan descriptions, and summaries of benefits and coverages; and negotiating administrative service agreements
- Counsels employers on alternative means of providing healthcare, including onsite medical clinics
- Serves as counsel in lawsuits brought against health plans and health insurers by out-of-network providers under ERISA
- Provides guidance on third-party vendor privacy and security incidents
Other Healthcare Regulatory Compliance
- Advises on Section 1557 nondiscrimination requirements applicable to certain healthcare providers, health insurers and group health plans
- Provides counsel on interoperability and care quality improvement initiatives
- Represents multiple clients regarding their compliance obligations as First Tier, Downstream, and Related Entities (FDRs) to Medicare Advantage and Medicare prescription drug plans
- Counsels wellness companies on a wide variety of complex regulatory and corporate issues, including HIPAA, the ACA, regulations on wellness programs issued under the ADA, Medicare and Medicaid compliance and other miscellaneous federal and state regulatory matters, such as cost transparency laws
Insights
Dispatches from the Cain Brothers MedTech, Life Sciences and Pharma Services CEO Conference | Life Sciences Snapshot Q2 2026
24 minute read | April.28.2026
Events
IAPP KnowledgeNet: Healthcare, AI and Privacy Perspectives for 2026
February.10.2026
2026 SFMOMA JPM Healthcare Reception
January.13.2026
News
SimpliFed Raises $10M Series A to Accelerate Growth of Maternal Health Platform
1 minute read | April.08.2026
