Overview
Tech-savvy and solutions oriented, attorney Alaap Shah deftly guides clients through complex and ever-evolving privacy, cybersecurity, medical device, artificial intelligence (AI), interoperability, digital health, telehealth, fraud and abuse, and other laws and regulations.
He helps clients build trust among stakeholders so that clients can robustly collect, share, analyze, and protect data and information technology assets. Alaap also can translate “IT speak” for legal, compliance, and business people.
Clients appreciate that Alaap takes a strategic and pragmatic approach to risk management that bridges the gap among legal, compliance, IT, and business teams so that they can succeed in developing and marketing innovative and cutting-edge solutions. In the area of data and interoperability, Alaap seeks ways to maximize data value. In the area of AI, Alaap navigates issues at the intersection of law, technology, and data in the health care and life sciences space.
Alaap’s clients include all types of health care, life sciences, data analytics, and technology companies at various stages of development. He also represents startup companies in the United States and abroad that are developing digital health applications, medical devices, telehealth solutions, AI, and data analytics platforms. In addition, he works with mid-size to large companies seeking to expand and mature legal, compliance and risk management functions to support expansion and growth.
Alaap is a certified CSF Practitioner, by the Health Information Trust Alliance (HITRUST); a Certified Professional in Healthcare Information and Management Systems (CPHIMS), by the Healthcare Information and Management Systems Society (HIMSS); and a Certified Information Privacy Professional in the United States, by the International Association of Privacy Professionals (IAPP).
During law school, Alaap worked with the U.S. Department of Health and Human Services (HHS), Office of General Counsel, where he provided legal counsel and support to all agencies and programs under the Public Health Division of HHS. He began his legal career at Epstein Becker Green and later served as Senior Counsel and Chief Privacy and Security Officer at an oncology membership society, where he strengthened enterprise-wide privacy and security, helped launch a Big Data company focused on improving quality of care by harnessing real world cancer patient medical information, and built data sharing trust networks among the oncology community, before rejoining the firm in October 2017.
His personal interests include playing guitar and writing music. He is also a wine enthusiast.
Focus Areas
Services
- Artificial Intelligence
- Cybersecurity Risk Assessment
- Data Asset Management
- Data Breach and Incident Response
- Data Breach/Cybersecurity Investigations & Litigation
- Data Protection
- Digital Health
- Health Care and Life Sciences Investigations and Enforcement
- Internet of Things (IoT)
- Interoperability
- Privacy Compliance Strategies
- Privacy, Cybersecurity & Data Asset Management
- Ransomware
- State Privacy Law Compliance
Experience
- Assisted a U.S.-based technology company providing point-of-care decision support related to laboratory test selection and management to obtain HITRUST certifications and to conduct HIPAA-compliant risk analyses and management planning. Alaap helped manage security risks and build the client’s customer base through third-party validation of the client’s mature security model.
- Developed a compliance model for a U.S.-based data analytics company offering point-of-care coordination tools and supporting downstream research activities to boost innovation in the health care and life sciences sectors. Alaap supported compliant contract development and negotiation with customers and vendors, developed external-facing communications, and advised on the development of the data analytics architecture along with use cases for data.
- Assisted a U.S.-based health information technology, interoperability, data analytics, and AI platform company in performing initial and ongoing in-depth 50-state research across consent and authorization laws. Alaap helped the client leverage the research to build revenue-generating automated tools to empower patients to access and share their data in line with interoperability policies, while also being privacy protective in accordance with varying state laws.
- Served as virtual General Counsel and Privacy Officer for a California-based provider group to support a wide range of legal and regulatory compliance efforts as well as contracting and M&A transactions. Alaap helped the client more effectively manage risk, structure arrangements in a compliant fashion, defend itself in disputes, and grow its business in a more sustainable manner, including hiring and acquiring new practices and facilities.
- Assisted a U.S.-based health insurance company with mobilizing a response team including internal and external teams (as well as a cybersecurity forensics vendor) to investigate a security event, contain the threat, remediate the issue, and support determinations about legal and regulatory notification requirements to state and federal authorities.
Recognition
- OneTrust DataGuidance, “DataGuidance Expert” for Washington, DC
Credentials
Education
- University of Maryland School of Law (J.D., cum laude)
  - Notes & Comments Editor, Journal of Health Care Law & Policy
- Columbia University (M.P.H.)
  - Health Policy & Management
- Union College (B.S.)
  - Biochemistry
Bar Admissions
- District of Columbia
- New York
Professional & Community Involvement
- 4medica® Advisory Board, Member
- North Asian Pacific American Bar Association
- South Asian Bar Association
- American Health Lawyers Association, Member, AI Program Planning Committee
Media
Events
Past Events
- June 17 and 21, 2024
- June 10-12, 2024
- November 9-12, 2023
Insights
- Chapter 24, “Telehealth,” in Representing Hospitals and Health Systems Handbook (Second Edition), AHLA (Publications, 3 minute read)
- USA: Health Data Laws - Navigating State Regulations (Publications, 2 minute read)
- OCR Withdraws Appeal of District Court Order Declaring Unlawful and Vacating the “Proscribed Combination” Portion of ... (Blogs, 4 minute read)
- As the Window for Comments Closes on ONC/ASTP’s HTI-2 Proposed Rule: What’s in HTI-2 and What Does It Mean for You ... (Blogs, 12 minute read)
- USA: Health Data Laws - Update and Impact on Organizations (Publications, 2 minute read)
- Upcoming Consumer Privacy Laws: What Organizations Must Know for 2024 and 2025 (Blogs, 7 minute read)
- Consumer Privacy Update: What Organizations Need to Know About Impending State Privacy Laws Going into Effect in 2024 and ... (Blogs, 7 minute read)
- Colorado SB 24-205: Addressing AI Risk with Sweeping Consumer Protection Law (Blogs, 15 minute read)
- Colorado’s Historic SB 24-205 Concerning Consumer Protections in Interactions with AI Signed Into Law, After Passing ... (Blogs, 10 minute read)
- USA: Children's Privacy Updates (Publications, 2 minute read)
- Seven Epstein Becker Green Attorneys to Serve in AHLA Leadership Positions (Firm Announcements, 2 minute read)
- Revised OCR Guidance Provides New Examples, but Raises More Questions, Regarding Use of Online Tracking Technologies by ... (Blogs, 8 minute read)
- 2024 Update: Regulators Use “Carrots and Sticks” to Incentivize Healthcare Sector Cybersecurity Compliance (Blogs, 7 minute read)
- Alaap Shah Quoted in “Don’t Worry, You (Probably) Won’t Have to Deal with ONC: Algorithm Transparency Rule May Have ... (Media Coverage, 2 minute read)
- Alaap Shah Quoted in “2024 Outlook: The Cybersecurity Trends Health System Leaders Need to Know” (Media Coverage, 3 minute read)
- USA: Future of Cybersecurity Law and Regulation (Publications, 2 minute read)
- New York Aims to Bolster Hospital Cybersecurity with Imminent Release of Proposed Regulations (Blogs, 3 minute read)
- Alaap Shah Featured in “You Gotta Get the Data Right! Talking EMPI” (Media Coverage, 2 minute read)
- Nevada Joins Washington and Connecticut to Protect Consumer Health Data Privacy (Blogs, 6 minute read)
- Florida Expands Privacy Protections Including a Ban on Offshoring of Certain Patient Data (Blogs, 9 minute read)
- Beyond HIPAA: FTC’s Data Protection Authority Results in Settlement with Genetic Testing Company (Blogs, 4 minute read)
- HHS Proposes Amendments to HIPAA That Protect Reproductive Health Care Information in Wake of Dobbs (Blogs, 8 minute read)
- Alaap Shah Quoted in "New Health App Rule Would Better Protect Users – and So Can You" (Media Coverage, 2 minute read)
- Health Apps and Consumer Privacy Update: Federal Trade Commission Proposes Amendments to the Health Breach Notification ... (Blogs, 5 minute read)
- Patchwork of State Data Privacy Laws Adds Three New Patches (Blogs, 7 minute read)
- Alaap Shah Featured in AHLA Podcast, “Health Care Data Governance: How to Build a Culture of Compliance” (Media Coverage, 2 minute read)
- When Innovation Outpaces Regulation: FTC Chair Calls for Regulating AI (Blogs, 5 minute read)
- Alaap Shah Quoted in “AI & Machine Learning Are Here. Will They Come for Lawyers?” (Media Coverage, 3 minute read)
- Full HIPAA Enforcement to Resume as the COVID-19 Public Health Emergency Ends (Blogs, 3 minute read)
- FTC Signals Increased Scrutiny of Technology Sector Through Establishing the Office of Technology (Blogs, 4 minute read)
- Alaap Shah Quoted in “ChatGPT's Real Estate Potential Is Big, but Attys Urge Caution” (Media Coverage, 2 minute read)
- 2023 New Year’s Resolution: Effectively Comply with New Comprehensive State Privacy Laws (Blogs, 5 minute read)
- Top Ten Issues in Health Law 2023—Reproductive Health Rights in a Post-Roe Era (Publications, 3 minute read)
- HHS Warns HIPAA Covered Entities and Business Associates That Use of Website Cookies, Pixels, and Other Tracking Technology ... (Blogs, 6 minute read)
- Newborn Screening Blood Spot Retention and Reuse: A Clash of Public Health and Privacy Interests (Publications, 3 minute read)
- Alaap Shah Quoted in “3 Months After Court Ruling, Uncertainty Persists Over Abortion Legal Status” (Media Coverage, 3 minute read)
- Disorder in the Post-Roe World? . . . “It Is So Ordered” by the Dobbs Court (Publications, 2 minute read)
- Biden Administration Seeks to Clarify Patient Privacy Protections Post-Dobbs, Though Questions Remain (Blogs, 11 minute read)
- The Pendulum Swings Both Ways: State Responses to Protect Reproductive Health Data, Post-Roe (Blogs, 13 minute read)
- Alaap Shah Featured in AHLA Connections Magazine: Member Spotlight (Media Coverage, 3 minute read)
- A Recently-Released “Discussion Draft” of the “American Data Privacy and Protection Act” Provides Insight into ... (Blogs, 6 minute read)
- Alaap Shah Featured in AHLA Podcast, “Career Journeys in Health Law: Insights from Three South Asian Attorneys” ... (Media Coverage, 2 minute read)
- Hacking Healthcare: Cyberattack Contingency Planning and Response (Blogs, 7 minute read)
- Where Is the Tipping Point – Comprehensive State Privacy Law Update (Blogs, 7 minute read)
- FTC Enforcement Highlights the Importance of Preserving Privacy in AI Development: How to Avoid AI Model Destruction ... (Blogs, 6 minute read)
- HIPAA Enforcers Seek Public Input on Recognized Security Practices and Sharing Enforcement Recoveries with Affected ... (Blogs, 6 minute read)
- Alaap Shah Quoted in "Source: FDA Guidance Takes More Nuanced Approach to Cybersecurity" (Media Coverage, 1 minute read)
- USA: Security Considerations for VPNs (Publications, 2 minute read)
- Alaap Shah Quoted in “HHS Guidance Addresses HIPAA and Emergency Protective Orders” (Media Coverage, 3 minute read)
- USA: Privacy and Cybersecurity Considerations for Contactless Payment Solutions (Publications, 4 minute read)