Thora Johnson

Partner

Washington, D.C.

Thora Johnson is the co-chair of Orrick’s Life Sciences & HealthTech Group. A trusted cyber, privacy and healthtech regulatory advisor, Thora focuses on guiding clients through the full lifecycle of health data, from collecting and managing data to designing compliance programs and responding to privacy and security incidents.

Thora works with medical device, pharmaceutical, biotech and digital health companies, helping them navigate the increasingly complex patchwork of state and federal health privacy laws. One client described her to the Legal 500 as a “very practical” advisor providing “exceptional guidance” on health information privacy and HIPAA compliance matters.

Her breadth and depth of experience enable Thora to assist clients in harnessing the power of artificial intelligence and executing data-sharing arrangements, all while protecting health data. As a result, Thora spends much of her time counseling pioneering startups and high-growth companies on responsible innovation in healthcare and life sciences.

Thora brings extensive experience counseling clients, including Fortune 500 companies and brick and mortar providers, on the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal health privacy and regulatory compliance regimes including:

Office of the National Coordinator for Health Information Technology’s interoperability and information blocking regulations
Centers for Medicare & Medicaid Service’s (CMS’s) interoperability and patient access regulations
Part 2 confidentiality requirements applicable to substance abuse records
State health information privacy laws
State consumer privacy laws with special controls for health data
Medicare/Medicaid compliance
Mental Health Parity and Addiction Equity Act (MHPAEA)
Genetic Information Nondiscrimination Act (GINA)
Affordable Care Act (ACA) compliance
Regulatory requirements of the Employer Retirement Income Security Act (ERISA), the Internal Revenue Code, HIPAA, and the ACA as they apply to employer health and wellness plans

Thora routinely helps companies and large employers prepare for and respond to privacy and security incidents involving health information. She also defends clients in government investigations initiated by the OCR, OIG, DOJ, FTC and State AGs, among others.

Engagements
Confidentiality of Health Information
- Structures HIPAA compliance and incident response programs
- Guidance on the intersection of HIPAA, Part 2 and state consumer privacy and health laws governing the confidentiality of health data
- Represented companies in negotiating and implementing HIPAA Resolution Agreements and Corrective Action Plans with the U.S. Department of Heath and Human Services’ Office for Civil Rights (OCR)
- Represented covered entities and business associates in HIPAA desk audits
- Regularly represents covered entities and business associates in resolving complaints with the regional offices of OCR
- Advises companies using adtech in the healthcare space
- Counsel clients on leveraging AI and the use of health data
- Works with clients establishing medical registries and running research studies
Health and Welfare Plan Compliance
- Advises employers on how ACA legislation affects their health plans, including how to provide ACA-compliant health coverage to avoid penalties
- Provides day-to-day advice on health and welfare compliance to employers, including drafting plan documents, summary plan descriptions, and summaries of benefits and coverages; and negotiating administrative service agreements
- Counsels employers on alternative means of providing healthcare, including onsite medical clinics
- Serves as counsel in lawsuits brought against health plans and health insurers by out-of-network providers under ERISA
- Provides guidance on third-party vendor privacy and security incidents
Other Healthcare Regulatory Compliance
- Advises on Section 1557 nondiscrimination requirements applicable to certain healthcare providers, health insurers and group health plans
- Provides counsel on interoperability and care quality improvement initiatives
- Represents multiple clients regarding their compliance obligations as First Tier, Downstream, and Related Entities (FDRs) to Medicare Advantage and Medicare prescription drug plans
- Counsels wellness companies on a wide variety of complex regulatory and corporate issues, including HIPAA, the ACA, regulations on wellness programs issued under the ADA, Medicare and Medicaid compliance and other miscellaneous federal and state regulatory matters, such as cost transparency laws

Insights

Events

News

Address:

2100 Pennsylvania Avenue NW
Washington, D.C. 20037
United States

vCard

Practices

Admitted In
- Maryland
- District of Columbia
Education
- University of Maryland Francis King Carey School of Law, J.D., Honors
- Middlebury College, M.A.
- Brown University, B.A., magna cum laude
Honors
- The Legal 500 U.S., Media, Technology and Telecoms – Cyber Law, Data Privacy and Data Protection
- The Legal 500 U.S., Healthcare – Life Sciences
- The Legal 500 U.S., Labor and Employment – Employee Benefits, Executive Compensation and Retirement Plans: Transactional
- Chambers USA Band 1 Privacy & Data Security Litigation practice
- 5-time Employment Practice Group of the Year (Law360)
Memberships
- Member, American Health Lawyers Association
- Member, Healthcare Compliance Association
- Member, Advisory Board of Directors, Health Care for the Homeless and Co-Chair of the Compliance and Risk Committee
- Member, Board of Directors, The Robert Garrett Fund at Johns Hopkins University – an organization supporting the pediatric surgical program at Johns Hopkins

Thora Johnson

Engagements

Insights

Data Privacy in Sports: Key Takeaways

How Data and AI Are Democratizing Consumer Health

Events

Orrick at the International Association of Privacy Professionals (IAPP) Global Privacy Summit

Women in AI and Healthcare Panel

News

Aldaron and True Wind Complete Acquisition of DCM Services

Carlyle and SK Capital to Acquire bluebird bio