Thora Johnson

Partner

Washington, D.C.

Thora Johnson is the co-chair of Orrick’s Life Sciences & HealthTech Group. A trusted cyber, privacy and healthtech regulatory advisor, Thora focuses on guiding clients through the full lifecycle of health data, from collecting and managing data to designing compliance programs and responding to privacy and security incidents.

Thora works with medical device, pharmaceutical, biotech and digital health companies, helping them navigate the increasingly complex patchwork of state and federal health privacy laws. One client described her to the Legal 500 as a “very practical” advisor providing “exceptional guidance” on health information privacy and HIPAA compliance matters.

Her breadth and depth of experience enable Thora to assist clients in harnessing the power of artificial intelligence and executing data-sharing arrangements, all while protecting health data. As a result, Thora spends much of her time counseling pioneering startups and high-growth companies on responsible innovation in healthcare and life sciences.

Thora brings extensive experience counseling clients, including Fortune 500 companies and brick-and-mortar providers, on the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal health privacy and regulatory compliance regimes, including:

  • Office of the National Coordinator for Health Information Technology’s interoperability and information blocking regulations
  • Centers for Medicare & Medicaid Services’ (CMS’s) interoperability and patient access regulations
  • Part 2 confidentiality requirements applicable to substance abuse records
  • State health information privacy laws
  • State consumer privacy laws with special controls for health data
  • Medicare/Medicaid compliance
  • Mental Health Parity and Addiction Equity Act (MHPAEA)
  • Genetic Information Nondiscrimination Act (GINA)
  • Affordable Care Act (ACA) compliance
  • Regulatory requirements of the Employee Retirement Income Security Act (ERISA), the Internal Revenue Code, HIPAA, and the ACA as they apply to employer health and wellness plans

Thora routinely helps companies and large employers prepare for and respond to privacy and security incidents involving health information. She also defends clients in government investigations initiated by the OCR, OIG, DOJ, FTC and State AGs, among others.

  • Confidentiality of Health Information

    • Structures HIPAA compliance and incident response programs
    • Guidance on the intersection of HIPAA, Part 2 and state consumer privacy and health laws governing the confidentiality of health data
    • Represented companies in negotiating and implementing HIPAA Resolution Agreements and Corrective Action Plans with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR)
    • Represented covered entities and business associates in HIPAA desk audits
    • Regularly represents covered entities and business associates in resolving complaints with the regional offices of OCR
    • Advises companies using adtech in the healthcare space
    • Counsels clients on leveraging AI and the use of health data
    • Works with clients establishing medical registries and running research studies

  • Health and Welfare Plan Compliance

    • Advises employers on how ACA legislation affects their health plans, including how to provide ACA-compliant health coverage to avoid penalties
    • Provides day-to-day advice on health and welfare compliance to employers, including drafting plan documents, summary plan descriptions, and summaries of benefits and coverages; and negotiating administrative service agreements
    • Counsels employers on alternative means of providing healthcare, including onsite medical clinics
    • Serves as counsel in lawsuits brought against health plans and health insurers by out-of-network providers under ERISA
    • Provides guidance on third-party vendor privacy and security incidents

  • Other Healthcare Regulatory Compliance

    • Advises on Section 1557 nondiscrimination requirements applicable to certain healthcare providers, health insurers and group health plans
    • Provides counsel on interoperability and care quality improvement initiatives
    • Represents multiple clients regarding their compliance obligations as First Tier, Downstream, and Related Entities (FDRs) to Medicare Advantage and Medicare prescription drug plans
    • Counsels wellness companies on a wide variety of complex regulatory and corporate issues, including HIPAA, the ACA, regulations on wellness programs issued under the ADA, Medicare and Medicaid compliance and other miscellaneous federal and state regulatory matters, such as cost transparency laws