Skip to Main Content

Health law is an incredibly diverse area of practice which does not focus on a singular type of legal work. Attorneys in this field focus on the health industry in general, but the types of work available vary widely. Some lawyers counsel health care entities on a range of transactional and regulatory matters, including mergers and acquisitions and joint ventures. Others handle any litigation-related matters that arise for their health care industry clients. Some lawyers focus on compliance issues, ensuring clients are adhering to regulations and laws and conducting internal investigations for clients, while others work on the government side, enforcing regulations. This area is an exciting one because it is constantly evolving and changing, especially when it comes to digital health. Lawyers focusing on digital health may work on IP-related matters, privacy and data security, regulatory issues, policy research, and more. On the nonprofit side, lawyers may work for an organization that promotes public health, access to health care, advocacy for a specific health issue, etc. Clients in the health law arena range from hospitals and medical centers to insurance companies and pharmaceutical entities to laboratories and private equity funds—plus many more.

Featured Q&A's
Get an insider's view on working in Health Law from real lawyers in the practice area.
Heather M. O’Shea, Partner
Jones Day

Describe your practice area and what it entails.

I defend health care and life sciences clients in investigations and litigation arising under the federal False Claims Act and various state analogs. My practice includes defending clients in government investigations, conducting internal investigations, and providing proactive regulatory and compliance advice.

What types of clients do you represent?

We represent clients throughout the health care industry, from academic medical centers and health systems to drug and device manufacturers, community hospitals and suppliers, and post-acute providers. One of the things I enjoy so much about my practice is being exposed to so many different aspects of the health care delivery system.

What types of cases/deals do you work on?

Much of my work is on civil cases involving allegations of fraud: Someone—either the government or a whistleblower—has accused a health care entity of committing Medicare or Medicaid fraud. Because there are so many statutes and regulations governing the provision of health care services, any number of potential issues can come up.

The accusations may relate to the delivery of services, the act of billing, relationships between parties, vendor relationships, or a whole host of other possible situations. Health care is complex. Not all mistakes are fraudulent, and it is our job to try to demonstrate that to the government.

On the flip side, I have the opportunity to advise clients on practices and procedures that promote compliance with the various rules to help our clients avoid an investigation or litigation.

How did you choose this practice area?

One of the first projects I was staffed on when I joined Jones Day was a government investigation of a nationwide post-acute provider. The case provided an opportunity to have direct contact with the client. It focused on complex regulatory and compliance issues, and it involved an investigative piece, trying to determine what happened at the client level. It also involved advocacy, working to show the government why the client’s actions were not in violation of the False Claims Act. I was hooked.

What is a typical day like and/or what are some common tasks you perform?

My schedule is really dependent upon the cases I am working on and the stage they are in. If we are still in the investigative stage, my day may be filled with fact finding, including conducting witness interviews, reviewing company documents, and corresponding with the government. If we are in active litigation, we may be involved in motions practice, discovery efforts, depositions, or work with experts.

And because my practice also includes regulatory and compliance advice, I may be analyzing an arrangement, the relevant statutes, regulations, agency guidance, and case law, in addition to conferring with clients on our advice.

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

Many law schools now offer classes relating to health law that can provide a good introduction to the complex health care industry, including outlining key programs, such as Medicare.

Another class I wish I had taken was administrative law. There are any number of agencies at the federal and state levels that develop and enact laws affecting the health care industry. Understanding the procedures that are required to enact laws has come in very handy in a number of cases.

Finally, as in the practice of law generally, legal writing is critical. Any classes, seminars, or training exercises students or young lawyers can take to further develop their writing will serve them well.

What is the most challenging aspect of practicing in this area?

The sheer volume of laws, regulations, guidance, and rules affecting participants in the health care industry—particularly those in a federal health care program like Medicare or Medicaid—can be overwhelming. Health care also seems to have its own language at times. So the learning curve can seem somewhat challenging when you are starting out. However, it is a fascinating area and one that I found very rewarding.

What do you like best about your practice area?

Health care is an incredibly complex industry, but one that has a profound impact on all of our lives. I find it rewarding to learn not just about the legal aspects, but also operational, strategic, clinical, and scientific components of the delivery of care. Another really rewarding part of my practice is the clients. Not only do they have incredibly talented in-house teams, but generally they are just really great people to work with and have a level of dedication that is admirable.

What is unique about your practice area at your firm?

At Jones Day, we speak frequently about the collaborative nature of how we practice. We are able to draw upon different lawyers in different practices, depending on specific issues that come up in a matter, all with the goal of providing the best outcome for our client.

My practice is a perfect example of how that collaboration benefits the client. If the investigation came about because of a disgruntled employee, I can call on my colleagues in the Labor & Employment practice. If the matter has a potential criminal component to the investigation—and sometimes it does—I consult with our internal White Collar Defense team.

Another resource that makes our firm and my practice stand out is the interaction we have with our Issues & Appeals practice. We have a dedicated group of appellate lawyers whom we frequently work with when our cases are in active litigation. They assist not just with the briefing, but also in thinking about novel legal arguments to make in favor of our client’s positions and how to appropriately preserve the record should an appeal ever become necessary.

What are some typical tasks that a junior lawyer would perform in this practice area?

This area affords a variety of opportunities. Of course, there is managing discovery and document review, but because so many of our cases begin with a subpoena, junior attorneys assist in the investigation—witness interviews, fact finding, research, and analysis of what happened or did not happen.

As a case develops, if the matter turns into active litigation, there are opportunities for drafting motions, participating in deposition preparation, and possibly taking depositions as well.

Our case teams, like our practices in general, are collaborative in nature. Lawyers at all levels are encouraged to share ideas, all with the goal of providing the best possible outcome for our clients.

Heather M. O’Shea, Partner—Health Care & Life Sciences

Heather O’Shea handles civil litigation and regulatory and compliance matters involving the health care industry. She has represented health care providers, pharmaceutical and device manufacturers, and other health care entities for more than 20 years. Her matters involve fraud and abuse enforcement pertaining to the False Claims Act, the Anti-Kickback Statute, Stark Law, and Medicare and Medicaid reimbursement. Heather represents clients on regulatory and compliance matters involving Medicare and Medicaid, fraud and abuse laws, reimbursement regulations, the Physician Payments Sunshine Act (Open Payments), clinical research compliance, and FDA regulations. She has significant experience conducting internal investigations, representing clients in voluntary disclosures, and counseling clients on refunds to Medicare. Heather also has extensive experience advising clients on compliance program development and implementation, as well as conducting assessments of existing compliance programs.

Heather earned her undergraduate degree from Texas Christian University, her LL.M. in Health Law from Loyola University Chicago, and her law degree from Loyola University New Orleans.

Jiayan Chen, Partner • Deepali Doddi, Associate
McDermott Will & Emery

Describe your practice area and what it entails.

Jiayan: I represent a range of stakeholders in the health care and technology industries on matters that arise when they seek to use data or biospecimens for their clinical, operational, or research endeavors. While a major aspect of my practice entails advising on regulatory and compliance matters, I am also a transactional attorney and guide clients through deals and collaborations involving data or bioassets. I advise clients as they develop initiatives, products, or even businesses, so I have an opportunity to help them think strategically about how to tackle their business objectives in the evolving regulatory landscape and keep pace with the digitization of health care.

Deepali: My practice focuses on privacy and cybersecurity matters, with an emphasis on health information privacy and security. I work with clients to help them comply with the Health Insurance Portability and Accountability Act (“HIPAA”), which regulates how certain health care providers, health technology companies, and other health industry actors use, share, and secure protected health information. I also advise clients on other U.S. and international privacy laws, such as the California Consumer Privacy Act and the EU General Data Protection Regulation. My work includes helping clients with establishing their data privacy compliance programs, responding to security incidents, negotiating contracts, and formulating creative strategies to achieve their business objectives without running afoul of privacy laws. In addition, I perform privacy and data security due diligence for health care mergers, acquisitions, and investments.

What types of clients do you represent?

We work with a diverse set of clients that are developing innovative health care delivery solutions, products, and models. For example, we counsel startups and well-established companies that are launching digital health solutions that enable virtual care. We assist life sciences companies, health care providers, clinical research organizations, and health information technology companies with designing “Big Data” strategies to identify ways to improve the quality and accessibility of health care or develop new products. We also work with companies that offer genetic testing services, which raises interesting privacy issues. In addition, we help private equity firms that are contemplating investing in, for instance, companies that offer cutting-edge telehealth technologies with assessing any legal risks.

What types of cases/deals do you work on?

Jiayan: I work on a range of deals and collaborations in the health care and health IT sectors, including data licensing arrangements, research collaborations, health IT licensing arrangements, and mergers and acquisitions. I also advise private equity clients in assessing risks arising from privacy and research compliance as they explore investing in health care organizations and digital health companies.

Deepali: I help clients address day-to-day issues as they implement their privacy compliance programs, such as by reviewing a HIPAA business associate contract or assisting with responses to EU consumers’ requests for data access or deletion under the EU General Data Protection Regulation. In terms of deals, I provide privacy support in hospital and health system transactions as well as private equity investments in health technology companies.

How did you choose this practice area?

Jiayan: I am fascinated by privacy as a social and legal construct. I do not litigate Fourteenth Amendment cases, but there are other ways to nurture that interest by working on health privacy matters as a regulatory attorney. I also had a longstanding interest in bioethics. McDermott gave me latitude in choosing the direction of my career, so I gravitated toward projects that involved data, research, or health IT. As the digital health industry exploded, I found myself enjoying working on matters that involved integrating two sets of stakeholders that are historically quite different—traditional health care organizations, like providers and payors, and technology companies.

Deepali: I began my privacy career as an investigator with the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”)—the federal agency that enforces HIPAA. I applied for a legal internship with OCR because I was interested in the agency’s enforcement of anti-discrimination laws against health care providers. When OCR handed me a stack of HIPAA complaints and breaches, I became immersed in the world of health privacy and began to appreciate the importance of privacy and security protections to health care delivery and patients’ motivation to seek treatment. After working in OCR’s Chicago office for almost six years, I joined private practice and welcomed the opportunity to advise clients on both HIPAA and other privacy laws.

What is a typical day like and/or what are some common tasks you perform?

Jiayan: I am often on the phone advising clients on strategy and regulatory risks, helping clients design new partnerships or offerings, and negotiating deals. When I am not on the phone, I am often revising or drafting agreements, legal analyses, or research protocols being prepared for submission to institutional review boards. On other days, I am speaking at conferences or conducting in-person training for clients or potential clients.

Deepali: I enjoy the variety of the work I get to do. One day, I may be knee-deep in security-incident-response work, while the next day, I may be drafting privacy policies and procedures for a client. Other days, I am drafting due diligence reports and marking up purchase agreements in connection with transactions.

What training, classes, experience, or skills development would you recommend to someone who wishes to enter your practice area?

In addition to building substantive knowledge in the areas of health law and data privacy by taking the many law school classes on these subjects, there are professional associations to join as a student or a young attorney. The American Health Lawyers Association (“AHLA”) provides educational content through its website, conferences, and webinars and has a Health Information Technology practice group with affinity groups that include one focusing on Digital Health. The International Association of Privacy Professionals is also a staple for anyone interested in practicing privacy law. The IAPP hosts local chapter meetings and global summits and offers professional certifications in several privacy-related subspecialties, such as U.S. privacy law and European data protection law. An IAPP certification is a great credential because it demonstrates strong interest in privacy law.

What is the most challenging aspect of practicing in this area?

The digital health landscape is dynamic, and it can be challenging to help clients keep up with the rapid pace of new developments. In privacy, for example, some clients that were required to comply with the EU General Data Protection Regulation in 2018 have needed to reevaluate their privacy and data security programs in light of the recently enacted California Consumer Privacy Act. Both federal and state lawmakers have proposed additional privacy legislation that could expand consumers’ data privacy rights and cause organizations to further modify their data strategies. We help clients that are subject to multiple privacy regimes with establishing a harmonized approach to compliance, and it can be challenging to do so when there might be new laws that could potentially affect the approach. 

What is unique about your practice area at your firm?

McDermott’s Digital Health team sits within a stellar Health Industry Advisory practice with talented, collegial attorneys. What sets McDermott’s Digital Health practice apart is the breadth and depth of experience and expertise of our attorneys. Our team includes subject-matter experts in every aspect of health law and the emerging issues that shape the digital health industry, and our clients appreciate that we are well equipped to address any problem that comes their way. Our health attorneys frequently collaborate with other practice groups—such as Global Privacy and Cybersecurity, Technology, Outsourcing, Intellectual Property, and Corporate—to ensure that we are effectively servicing our clients.

How do you see this practice area evolving in the future?

We see the areas of health care privacy and Big Data as becoming increasingly more important and top of mind as technology evolves, data is collected through new kinds of technologies and for innovative purposes, and consumers place greater value on their privacy rights. Emerging technologies such as blockchain and artificial intelligence will pose unique challenges to how we navigate health care privacy and data issues. We also expect to see additional legislation at the state or federal level that could regulate certain consumer-health-generated data not currently subject to HIPAA. It is an exciting time to practice in this space.

How has the digital health market affected your practice?

Jiayan: The explosion of digital health has given us an opportunity to work with more startup or young companies. It is critical that we are agile, appreciate the business drivers and pressures that frame the legal advice requested of us, and are familiar with the newest technologies and solutions that are transforming health care. Many at these companies also come from tech backgrounds and do not always have deep knowledge of the health care industry or regulatory landscape, so we make sure that we properly contextualize our advice to help them understand the dynamics of operating in a highly regulated space with traditional health care partners and customers accustomed to certain ways of doing things.

Jiayan Chen, Partner — Health Industry Advisory, and Deepali Doddi, Associate — Global Privacy & Cybersecurity

Jiayan Chen counsels clients on a range of regulatory, transactional, and strategic issues that arise in the context of efforts to leverage data, bioassets, and technology to drive innovation and quality in health care. Jiayan has particular experience with complex, cutting-edge “Big Data” transactions and initiatives designed to advance precision medicine and the use of real-world data. Jiayan counsels a broad array of clients, including health care technology companies, data companies, health systems, academic medical centers, professional associations, and life sciences companies.

Deepali Doddi concentrates her practice on data privacy and cybersecurity matters. She regularly advises clients across a broad spectrum of industries on issues arising under domestic data security and privacy laws and regulations, including COPPA, CAN-SPAM, TCPA, GLBA, the FTC Act, CalOPPA, DFARS cybersecurity requirements, and breach notification laws. Additionally, she helps clients navigate international data privacy matters, such as certifying to the EU-U.S. Privacy Shield Framework, selecting appropriate cross-border data transfer mechanisms, and complying with the EU General Data Protection Regulation (GDPR).

Related Vault Guides
Check out some of Vault's guides that are related to this field.
Top Ranked Firms
Check out the top-ranked law firms in Health Law.