Expert Details
Privacy and Security Compliance: HIPAA, GDPR, PIPEDA, SOC 2, CCPA/CPRA, ISO, PCI, and State Privacy Laws
ID: 739275
Oregon, USA
In her work as a consultant, Expert partners with client legal departments to help them accurately guide their clients through complex legal issues relating to implementing tech laws in business environments. She has been a Central Table member of the Oregon DOJ's Consumer Privacy Task Force since 2020, where she works with the DOJ's policy team to develop consumer data protection laws like CCPA and regularly testifies to the legislature as a technology expert. She has successfully guided clients through OCR HIPAA investigations and audits.
Expert's subject matter expertise includes HIPAA, GDPR, PIPEDA, SOC 2, CCPA/CPRA, ISO, and PCI. She is a public speaker who has been requested to speak locally and nationally by the American Bar Association (ABA), Lewis & Clark Law School, the International Association of Privacy Professionals (IAPP), and many more organizations.
Education
Year | Degree | Subject | Institution |
---|---|---|---|
2011 | B.S., B.A. | Human Development, Psychology | University of California |
2011 | Technical Certification | EMT-B | Sierra College |
Work History
Years | Employer | Title | Department |
---|---|---|---|
2015 to Present | Undisclosed | Owner/Principal Consultant | |

Responsibilities: Small business owner and HIPAA compliance consultant working with local and international organizations to develop and maintain comprehensive compliance management programs.
- Communicating with executives, decision makers, and compliance officers to customize compliance activities and balance varied and complex regulatory requirements with the business's needs, limitations, and compliance objectives
- Conducting thorough information system and compliance scoping discovery exercises involving analyzing applicable regulatory requirements, interviewing stakeholders and technical teams, and reviewing and producing documentation to guide compliance activities and business decisions
- Implementing compliance controls such as policies, procedures, and training
- Conducting internal risk assessments, developing third-party risk reports, guiding risk management activities, and preparing clients for CPA audits
- Supporting clients through incident response, breach notification, and OCR audits

Years | Employer | Title | Department |
---|---|---|---|
2011 to 2015 | Cambria Solutions, Inc. | IS Analyst and HIPAA Compliance Officer | |

Responsibilities: Led evolution of a small IT department to a mobile, managed, and scalable information system through periods of firm-wide hyper-growth. Developed and executed HIPAA compliance program that achieved compliance within 6 months and allowed Cambria to enter into the HHS industry as healthcare technology consultants.

As Information Systems Analyst:
- Migrated data, designed new organizational structure, implemented, and trained staff on SharePoint 2010
- Led or managed 8 firm-wide information technology projects that prepared for or addressed growth needs
- Wrote, implemented, and enforced IT policies and procedures
- Created custom information management solutions for internal teams
- Developed, configured, maintained, automated, and upgraded internal information systems

As HIPAA Compliance Officer:
- Understood and ensured compliance with HIPAA & HITECH regulations and contractual obligations
- Developed, implemented, and enforced HIPAA policies and procedures
- Developed and delivered role-based training programs on HIPAA policies and compliance
- Implemented required safeguards, performed risk analyses, and created compliance documentation

Years | Employer | Title | Department |
---|---|---|---|
2011 to 2012 | Spatial Informatics Group | Operations Coordinator | |

Responsibilities: Employed technology and business infrastructure strategies to facilitate the communication of employees of a virtual office.
- Designed, developed, and administered SharePoint 2010
- Developed operational methodologies, policies and procedures, and materials for user enrollment and training
- Analyzed business processes and implemented optimizations for a virtual environment

Government Experience
Years | Agency | Role | Description |
---|---|---|---|
2020 to Present | Oregon DOJ's Consumer Privacy Task Force | Central Table Member | Contributed to the development of consumer privacy laws in the state of Oregon. Collaborated with DOJ team members and community stakeholders including the ACLU, EFF, University of Oregon, and Consumer Reports. |
Career Accomplishments
Associations / Societies |
---|
- OR Attorney General's Consumer Privacy Task Force, Central Table Member (current)
- International Association of Privacy Professionals (IAPP), Member and presenter for CE credits (current)
- Technology Association of Oregon (TAO), Member and presenter (current)
- Oregon Bioscience Incubator (OBI), BioMentor (current)
Licenses / Certifications |
---|
Technical Certification, EMT-B (2011) Sierra College |
Professional Appointments |
---|
- Information System Discovery, Lead Consultant: Hired by CPA partner to conduct a compliance discovery for a software conglomerate that had undergone many mergers and acquisitions, and to define the scope of their information systems and regulatory obligations under SOC 2, HITRUST, and HIPAA. This involved detailed interviews with product owners, department leads, legal, GRC, engineers, and operational leads, and the creation and validation of detailed data flow maps.
- GDPR and HIPAA Discovery, Lead Consultant: Engaged by a major global messaging platform to conduct a comprehensive information system and regulatory scoping exercise for HIPAA and GDPR. Reviewed information system documentation and interviewed product owners and engineers to identify sources, uses, and disclosures of in-scope data sets and the information systems that store, transmit, or provide access to them.
- HIPAA and GDPR Implementation, Lead Consultant: Client is a software service provider to many major global brands and engaged Gazelle to implement compliance with GDPR and HIPAA in a system that already maintained compliance with ISO standards. This work involved detailed regulatory scoping exercises for in-scope data and systems that interact with GDPR-regulated data and processing activities.
- GDPR Scoping & Implementation, Lead Consultant: Client is an online retailer utilizing major e-commerce platforms and software engineered in-house to manage millions of transactions per day, ship and receive orders anywhere in the world, and conduct targeted marketing activities. Her work involved detailed regulatory scoping exercises for in-scope data and systems that interact with GDPR-regulated data and processing activities.
- HIPAA Compliance IT Systems Assessment Project, Lead Consultant: Client is an orthotics shoe retailer that licenses HIPAA-compliant foot scanners and associated software to their clients nationwide. Gazelle Consulting performed a HIPAA security analysis of their technology product and their operational HIPAA compliance program.
Publications and Patents Summary |
---|
Numerous articles written from 2015 to 2022. |
Additional Experience
Expert Witness Experience |
---|
She has been a Central Table member of the Oregon DOJ's Consumer Privacy Task Force since 2020, where she works with the DOJ's policy team to develop consumer data protection laws like CCPA and regularly testifies to the legislature as a technology and regulatory expert. She has successfully guided clients through OCR HIPAA investigations and audits. |
Training / Seminars |
---|
Fifteen invited presentations or panels in the last two years regarding data privacy, cyber issues, disaster recovery, insurance against cybersecurity breaches, data ethics, tech workplace issues, data protection, data privacy as related to health and healthcare, antitrust issues, post-Dobbs, global privacy transitions, policy innovation, and information security. |
Other Relevant Experience |
---|
Litigation History
- Supported a client through an OCR investigation and audit

Expert Research Studies 2022
- The World Privacy Forum: Provided expert opinion to world government research studies on upcoming privacy laws
- University of Oregon, School of Journalism and Communication: Participant in expert research study regarding wide-ranging data privacy policies.