
As healthcare becomes increasingly digital, the protection of sensitive medical data has never been more critical. From electronic health records and mobile apps to AI-driven analytics, the line between innovation and privacy grows thinner by the year. Few understand this evolving landscape better than Helen Oscislawski, a leading attorney and founder of Attorneys at Oscislawski LLC, who has spent more than two decades advising healthcare organizations on HIPAA, data sharing, and patient privacy compliance.
In this exclusive interview, Helen shares insights from her remarkable 23-year legal career, offering a rare look into how U.S. healthcare privacy law has evolved—and what lies ahead in an age dominated by open APIs, mobile health apps, and artificial intelligence.
Helen, thank you for speaking with us. For readers unfamiliar with your background, could you tell us about your journey into healthcare law?
It is hard for me to believe that I have been practicing law for over 23 years! Growing up, pursuing a career in law was not even on my radar. I was raised as an only child by two working parents who came to the United States as Ukrainian refugees shortly after World War II. Much of my early childhood was spent with my grandmother, who didn’t speak English—so Ukrainian was my first language. Not exactly the ideal start for someone whose career would eventually depend on strong English communication skills.
I graduated from Rutgers University with a degree in Psychology, Summa Cum Laude, and was named “Most Outstanding Student in Psychology.” My plan was to earn a PhD and become a clinical psychologist. But after relocating to Michigan for my husband’s emergency medicine residency, I put those plans on hold and began working as a social worker in a skilled nursing facility. Soon after, my husband encouraged me to try law school—and the rest, as they say, is history.
I graduated from Rutgers School of Law at the top of my class and was admitted to the New Jersey Bar in 1999. My early legal work exposed me to a new and rapidly emerging area—health data privacy law—which would ultimately define my career.
When I joined a large firm in Princeton, the federal HIPAA law had just been enacted. For two years straight, I worked almost exclusively on HIPAA-related matters, interpreting the law’s brand-new privacy and security regulations. I quickly became my firm’s “go-to” attorney for anything involving health information privacy.
Around 2005, the digital transformation of healthcare began in earnest. The push to move from paper to electronic health records, and later to connect providers and patients through online networks, placed me squarely at the forefront of this evolution.
In 2008, I was appointed by Governor Jon Corzine to the New Jersey Health Information Technology Commission, representing the legal community as an expert in health privacy. I was reappointed by Governor Chris Christie in 2010 and went on to chair the Commission’s Privacy Subcommittee.
That same year, I left my firm to establish Attorneys at Oscislawski LLC, a boutique healthcare law practice advising clients nationwide on privacy, compliance, and emerging health technologies. Since then, I’ve had the privilege of working with general counsels, CEOs, CIOs, privacy officers, and regulators on some of the most complex issues at the intersection of technology and healthcare.
Drawing on your expertise, can you give us a brief overview of healthcare privacy regulation in the United States?
Federal protection of health information began in the 1970s with the law known as “Part 2”, which safeguarded the confidentiality of records from substance use disorder treatment programs. But it wasn’t until 1996, with the passage of the Health Insurance Portability and Accountability Act (HIPAA), that the U.S. saw its first comprehensive healthcare privacy law.
The HIPAA Privacy Rule came into effect in 2003, followed by the Security Rule and Breach Notification Rule, forming the legal backbone for how health information must be protected. Together, HIPAA and Part 2 established the foundation of U.S. healthcare privacy law.
However, as technology evolved, these frameworks began to show their age. The 21st Century Cures Act introduced the Information Blocking Rule, designed to prevent electronic health record vendors from hoarding or restricting access to patient data. This fundamentally shifted the conversation—from how to protect information to how to make it accessible without compromising privacy.
What rights do individuals have under HIPAA and related privacy laws?
There are several, but three stand out:
Protection against unauthorized use or disclosure of Protected Health Information (PHI): Healthcare entities must obtain signed authorization before sharing PHI unless an exception applies (e.g., treatment, payment, or public health).
The right of access: Individuals have the right to view, download, and transmit their PHI electronically, often through patient portals or mobile apps.
Breach notification: Patients must be informed if their data has been compromised, allowing them to take protective steps against identity theft or fraud.
These rights, combined with the Information Blocking Rule, have given patients more control than ever—but also more responsibility.
How has the rise of health information technology affected patient privacy?
When records were on paper, privacy was simpler to manage. Today, electronic data can travel anywhere with a click. Health information is often stored on cloud servers, and interoperability—once a barrier—is now the goal. The trade-off is that data becomes inherently more vulnerable.
Data breaches are now the most common threat. These can result from cyberattacks, vendor errors, or even misconfigured technology upgrades. The push for open APIs and app-based connectivity means patients themselves must now vet the apps they use—many of which aren’t covered by HIPAA.
The Federal Trade Commission (FTC) has recently stepped in, targeting mobile health app vendors for “unfair or deceptive practices.” Meanwhile, lawsuits against hospitals accused of sharing data through online tracking tools like pixels and cookies underscore the new privacy risks of the digital era.
What happens when healthcare information is compromised?
For healthcare organizations, consequences can include major civil penalties, class-action lawsuits, and severe reputational damage. For individuals, compromised data can lead to identity theft, embarrassment, or even employment loss.
HIPAA itself doesn’t grant individuals a private right of action, meaning patients can’t directly sue under the statute. However, they may pursue claims under state laws such as invasion of privacy or breach of contract. Patients can also file complaints with the Office for Civil Rights (OCR) at the Department of Health and Human Services, though not all complaints trigger investigations.
What do you foresee for the future of health information privacy?
The next major frontier is the explosion of mobile health apps and the integration of AI technologies like ChatGPT into healthcare systems. These tools can empower patients but also raise unprecedented privacy challenges. The key will be balancing innovation with accountability—ensuring patients know where their data goes and how it’s used.
As technology continues to outpace regulation, my role as a privacy attorney is to help clients navigate that uncertainty while maintaining trust in a healthcare system built increasingly on digital transparency.
Helen Oscislawski, Esq. is the founder of Attorneys at Oscislawski LLC, a boutique healthcare law firm based in Princeton, New Jersey. A recognized authority in healthcare privacy, she was named Best Lawyers® 2022 “Lawyer of the Year” in Healthcare Law for Princeton and has been listed among Super Lawyers® for healthcare law since 2020. She is admitted to practice in New Jersey and Arizona and advises clients nationwide on HIPAA, data privacy, information blocking, and regulatory compliance.
📍 Attorneys at Oscislawski LLC
782 Alexander Road, 2nd Floor, Princeton, NJ 08540, USA
📞 Tel/Fax: +1 609-385-0833
📧 Email: helen@oscislaw.com