The Kaleidoscope of Personal Data: Protected Health Data & Best Practices

09 Jun, 2026 |

2:00 PM EST

60mins

Virtual event

1.0 Credits

The regulatory environment for health-related data has grown increasingly fragmented. HIPAA remains the foundation, but state laws like Washington's My Health My Data Act are expanding obligations well beyond traditional covered entities. Tech companies, digital marketplaces, advertising platforms, and others that may not have previously considered themselves subject to health data regulation are now under the microscope.

This Continuing Legal Education (CLE) will share a practical framework for in-house counsel to gauge their organization’s data flows and determine which regulatory regimes apply.

We discuss the distinctions between personal data, health data, PHI, and how compliance obligations differ amongst different types of companies (not just for HIPAA-covered entities). We’ll also address major contractual obligations at these companies like BAAs and DPAs, data subject access requests, records retention and deletion, and more. The CLE wraps with a list of best practices for enterprise-wide data governance and a public Q&A.

With many states expanding their definitions of “health data”, organizations are discovering new compliance obligations they didn’t even know they had. Register to learn about the expanded scope and find where your organization falls on the spectrum.

This CLE is eligible for credit in all 50 states and free to register.

See Summary & State Accreditation Details

Register

Dont miss this opportunity to gain valuable insights and strategies from leading experts in the field. Register now to secure your spot.

Looking for top legal talent?

Explore Axiom’s trusted network of lawyers and legal professionals available on demand to support your team.

Start Browsing

Data Security CLE Agenda

Types of Personal Data & Relevance to your Organization

- What types of Personal Data does your organization have, use, access, control, handle, etc.?
- What is Personal Data?
- What is Sensitive Personal Data?
- What is Health Data?
- What is Protected Health Information (PHI)?
- Selection of Applicable Laws
  - - HIPAA and Washington My Health My Data Act (MHMD)
    - Prominent state health laws
    - Prominent state data privacy laws

Data Flows & Relevance to your Organization

- Consider all your organization’s data flows
- What services do you provide?
- Does your organization fall within purview of HIPAA?
  - - Categories of organizations
    - Key requirements
    - Assessments
    - Contracts – BAAs
    - DSARs
    - Record keeping & destruction
    - Regulatory scrutiny
    - Regulatory fines / Enforcement actions
Does your organization fall within the purview of state data protection laws?
- Categories of organizations:
  - Technology and software companies (e.g., SaaS providers)
  - Digital healthcare companies
  - Life sciences/pharmaceutical/biomedical companies
  - Advertising and marketing companies
- Key requirements?
- Contracts – DPAs/BAAs if a Business Associate
- DSARs
- Record keeping & destruction
- Regulatory scrutiny
- Regulatory fines / Enforcement actions
Is your organization a hybrid – HIPAA covered and subject to state data protection laws?
- Categories of organizations:
  - Digital healthcare companies
  - Life sciences/pharmaceutical/biomedical companies
- Key requirements?
- Contracts – DPAs/BAAs
- DSARs
- Record keeping & destruction
- Regulatory scrutiny
- Regulatory fines / Enforcement actions
Is your organization a data broker?
- What is a data broker?
- Key requirements
- Assessments
- Contracts - DLAs
- DSARs
- Record keeping & destruction
- Regulatory scrutiny
- Regulatory fines / Enforcement actions
Does your organization provide global services?
- Key requirements
- Assessments
- Contracts DPAs/BAAs
- DSARs
- Record keeping & destruction
- Regulatory scrutiny
- Regulatory fines / Enforcement actions
Best Practices & Tips
- Implement a strategic framework of policies, procedures, and technologies that are designed to manage and protect data during its lifecycle.
- Consider core components:
  - Data governance
  - Document retention and destruction
  - Education and training

Speakers

Nicole Martin

Privacy Counsel

Axiom

Nicole Martin is a seasoned legal and compliance leader with more than 20 years of experience advising organizations in highly regulated industries. She brings deep expertise in data privacy, healthcare compliance, contract strategy, risk management, policy development, and executive counseling, along with a strong track record of building practical training programs and translating complex regulatory requirements into business-ready solutions.

Ava Crayton

Privacy Counsel

Axiom

Ava Crayton is a seasoned privacy attorney with over 25 years of experience. She has been with Axiom for the last 7 years, supporting global financial services companies, SaaS providers, med device and pharmaceutical companies, tech companies including start-ups, large retailers, and the music industry. When Ava is not working, she enjoys traveling and reading. Committed to fitness and holistic health, Ava now lives in CT with her husband and rescue pup Strummer.

Supplement your team with our flexible solutions:

Learn More

Meet Our Legal Talent

The Kaleidoscope of Personal Data: Protected Health Data & Best Practices

Register

Data Security CLE Agenda

Speakers