Tech-savvy and solutions oriented, attorney Alaap Shah deftly guides clients through complex and ever-evolving privacy, cybersecurity, medical device, artificial intelligence (AI), interoperability, digital health, telehealth, fraud and abuse, and other laws and regulations.

He helps clients build trust among stakeholders so that clients can robustly collect, share, analyze, and protect data and information technology assets. Alaap also can translate “IT speak” for legal, compliance, and business people.

Clients appreciate that Alaap takes a strategic and pragmatic approach to risk management that bridges the gap among legal, compliance, IT, and business teams so that they can succeed in developing and marketing innovative and cutting-edge solutions. In the area of data and interoperability, Alaap seeks ways to maximize data value. In the area of AI, Alaap navigates issues at the intersection of law, technology, and data in the health care and life sciences space.

Read more

Alaap’s clients include all types of health care, life sciences, data analytics, and technology companies at various stages of development. He also represents startup companies in the United States and abroad that are developing digital health applications, medical devices, telehealth solutions, AI, and data analytics platforms. In addition, he works with mid-size to large companies seeking to expand and mature legal, compliance and risk management functions to support expansion and growth.

Alaap is a certified CSF Practitioner, by the Health Information Trust Alliance (HITRUST); a Certified Professional in Healthcare Information and Management Systems (CPHIMS), by the Healthcare Information and Management Systems Society (HIMSS); and a Certified Information Privacy Professional in the United States, by the International Association of Privacy Professionals (IAPP).

During law school, Alaap worked with the U.S. Department of Health and Human Services (HHS), Office of General Counsel, where he provided legal counsel and support to all agencies and programs under the Public Health Division of HHS. He began his legal career at Epstein Becker Green and later served as Senior Counsel and Chief Privacy and Security Officer at an oncology membership society, where he strengthened enterprise-wide privacy and security, helped launch a Big Data company focused on improving quality of care by harnessing real world cancer patient medical information, and built data sharing trust networks among the oncology community, before rejoining the firm in October 2017.

His personal interests include playing guitar and writing music. He is also a wine enthusiast.

Read less

Focus Areas


  • Assisted a U.S.-based technology company proving point-of-care decision support related to laboratory test selection and management to obtain HITRUST certifications and to conduct HIPAA-compliant risk analyses and management planning. Alaap helped manage security risks and build the client’s customer base through third-party validation of the client’s mature security model.
  • Developed a compliance model for a U.S.-based data analytics company offering point-of-care coordination tools and supporting downstream research activities to boost innovation in the health care and life sciences sectors. Alaap supported compliant contract development and negotiation with customers and vendors, developed external-facing communications, and advised on the development of the data analytics architecture along with use cases for data.
  • Assisted a U.S.-based health information technology, interoperability, data analytics, and AI platform company in performing initial and ongoing in-depth 50-state research across consent and authorization laws. Alaap helped the client leverage the research to build revenue-generating automated tools to empower patients to access and share their data in line with interoperability policies, while also being privacy protective in accordance with varying state laws.
  • Served as virtual General Counsel and Privacy Officer for a California-based provider group to support a wide range of legal and regulatory compliance efforts as well as contracting and M&A transactions. Alaap helped the client more effectively manage risk, structure arrangements in a compliant fashion, defend itself in disputes, and grow its business in a more sustainable manner, including hiring and acquiring new practices and facilities.
  • Assisted a U.S.-based health insurance company with mobilizing a response team including internal and external teams (as well as a cybersecurity forensics vendor) to investigate a security event, contain the threat, remediate the issue, and support determinations about legal and regulatory notification requirements to state and federal authorities.



  • University of Maryland School of Law (J.D., cum laude)
    • Notes & Comments Editor, Journal of Health Care Law & Policy
  • Columbia University (M.P.H.)
    • Health Policy & Management
  • Union College (B.S.)
    • Biochemistry

Bar Admissions

Professional & Community Involvement

  • 4medica® Advisory Board, Member
  • North Asian Pacific American Bar Association
  • South Asian Bar Association
  • American Health Lawyers Association, Member, AI Program Planning Committee





Jump to Page

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.