Careers

Diversity

With 18 offices, from New York to Los Angeles and Seattle to Orlando, we live and work in communities all over the U.S., collaborating across locations, disciplines and even borders. Our experienced, highly ranked lawyers serve businesses wherever they are and wherever they want to go.

Offices

About Us

Pages

Professionals

Thought leadership: blogs, podcasts, videos, publications, events and news

Insights

Services

Pro Bono

Am Law 100 firm with practices in Business, Digital Assets and Data Management, Intellectual Property, Labor & Employment, Litigation and Tax.

Home | BakerHostetler

Justice Department’s New Policy on Prosecutions to Focus on Bad Actors, Not the Digital Asset Industry (The Journal of Robotics, Artificial Intelligence & Law)

Rev Up!

Rev Up! What to Know BEFORE You Use that AI Tool

Jonathan Forster Presents at Ameritas Pinnacle Group Meeting

Blockchain Monitor

Blockchain Monitor - Planet earth in outer space with network connection and sunlight.

Weekly Blockchain Blog – June 30, 2025

Incident Response and Regulatory Defense

Kimi is a trusted strategist, partnering with clients to understand their operational needs, reputational concerns and regulatory risk. She was cybersecurity counsel for two of the largest healthcare cyberattacks in recent years, leading crisis management, forensic analysis, patient notification and regulatory defense.

Proactive Counseling

Kimi helps clients transform their cybersecurity programs, improve regulatory compliance and foster incident response readiness. Whether advising retail pharmacies on cybersecurity risk management or energy companies on their privacy obligations, Kimi works with stakeholders to perform technical testing, policy review and employee training. For Native American and Alaska Native clients, she provides guidance on the applicability of federal and state privacy laws and has prepared privacy-related legislation for some of the largest tribes in the United States.

Kimi is the firm’s Houston Digital Assets and Data Management Leader. Prior to joining BakerHostetler, she was a federal law clerk in the Southern District of Texas, giving her critical insight into the litigation risk that so often follows a data breach. A healthcare ethicist by training, her work on patient consent is published in the Yale Journal of Health Policy, Law, and Ethics, and she is a frequent speaker on privacy-related matters.

core/freeform

M.A., Health Policy & Clinical Ethics, The University of Texas Medical Branch, 2012

J.D., University of Houston Law Center, 2010, 

B.S., Texas A&M University, 2007, 

<ul>
<li>Law360: Native American Editorial Advisory Board (2024 to 2025)</li>
<li>Chambers USA: Native American Law
<ul>
<li>Band 3 (2025)</li>
</ul>
</li>
<li>Chambers USA: Healthcare in Texas
<ul>
<li>Up and Coming (2024 to 2025)</li>
</ul>
</li>
</ul>

Houston

Seattle

2025 DSIR Report Deeper Dive

2025 DSIR Deeper Dive: Deeper Dive into the Data

Chambers USA Guide 2025 Recognizes 171 BakerHostetler Attorneys and 73 Practice Areas

A Year of Privacy and Cybersecurity: A Look Back, A Look Around and A Look Ahead (The Houston Lawyer)

Lynn Sessions, Kimberly Gordy Speak on Panels at HCCA 29th Annual Compliance Institute

Kimberly Gordy Explains Health Fitness Corporation HIPAA Case Under New OCR Initiative in Cosmos Article

Eleven BakerHostetler Attorneys Named to 2025 Law360 Editorial Boards

Kimberly Gordy Discusses Guarding Sovereignty at RES 2025

Kimberly Gordy Speaks at TribalHub 5th Annual Cybersecurity Summit

Matthew Caligur, Kimberly Gordy Present at 2025 ATCC Conference

Kimberly Gordy Comments on Federal Rules Affecting Tribal Governments

Webinar: New Year, New Rule: OCR’s Proposed Overhaul of the HIPAA Security Rule and Requirements for Covered Entities and Business Associates

Data Counsel

A New Budgetary Line Item for 2025 – New York-based Hospitals Should Plan Now for the Fiscal and Operational Costs Associated with Compliance with the State’s New Cybersecurity Regulations

Kimberly Gordy Contributes Cybersecurity Article to TribalHub Magazine

It’s Officially Enforcement Season: OCR Announces First Penalty Under New Risk Analysis Initiative

Kimberly Gordy Serves on Panel at GHSHRM Fall Forum 2024

Kimberly Gordy Speaks at 25th Annual TribalNet Conference and Tradeshow

Looking in the Mirror: HHS OIG Audit Demonstrates HHS Agency’s Own Need for Focus on Cloud Security

Kimberly Gordy Presents at 2024 Native American Risk Management Conference

Kimberly Gordy Shares Info on Cyber Incident Reporting Requirements with Tribal-ISAC

Chambers USA Guide 2024 Recognizes 155 BakerHostetler Attorneys and ­66 Practice Areas

Eight BakerHostetler Attorneys Named to 2024 Law360 Editorial Advisory Boards

The Long-Awaited Part 2 Modifications Are Finalized with New Obligations for Part 2 Providers and Less Friction for Sharing Patient Information

HHS Publishes ‘Voluntary’ Healthcare Cybersecurity Performance Goals in Record Time but Leaves Questions Unanswered

Kimberly Gordy Comments on New Cybersecurity Compliance Goals for Health Care Facilities

Review of the Executive Order on Reforming Federal Funding and Support for Tribal Nations to Better Embrace Our Trust Responsibilities and Promote the Next Era of Tribal Self-Determination

HHS ‘Concept Paper’ Forecasts Stormy Cybersecurity Compliance Weather: New Cybersecurity Requirements and Increased Enforcement to Come in 2024

Partner Kimberly Gordy to speak at TribalNet Conference & Tradeshow

DSIR Deeper Dive: Tribal Privacy Codes: Establishing Self-Governance in the Post-Internet Age

Kimberly Gordy Speaks About Risk Reduction Through Data Governance

Privacy ‘Deep in the Heart of Texas’: An Overview of the Texas Data Privacy and Security Act

Kimberly Gordy Explains How to Develop and Manage a Privacy Program

Kimberly Gordy Guest Lectures on Healthcare Bioethics at Cornell

Kimberly Gordy Discusses Cyber Insurance at TribalHub Cybersecurity Summit

Kimberly Gordy Quoted in CDC Gaming Reports About Rise in Cybersecurity Attacks

Kimberly Gordy Addresses Healthcare Cyber Risk at Summit

OCR releases YouTube Video Addressing “Recognized Security Practices” in HIPAA Enforcement Context

Kimberly Gordy Informs TribalHub Podcast Listeners on Hybrid Workforce Issues

Kimberly Gordy Speaks at Two Sessions of TribalNet Conference and Trade Show

‘Unboxing’ the New NIST Guidance: NIST Publishes Significant Update to Healthcare Cybersecurity Guide

Dobbs on Demand

Dobbs on Demand: Healthcare Privacy on the Line in a New Legal Setting

Dobbs on Demand

HHS OCR Guidance to 60,000 Retail Pharmacies: Refusal to Fill Rx Based on Potential Pregnancy Termination Concerns Is a Civil Rights Violation, Will Be Investigated

The Room Where It Happens: The Autonomy of the Hospital Ethics Committees Post-Dobbs

Kimberly Gordy Discusses Data Protection and Governance at Tribal Cybersecurity Summit

Kimberly Gordy and James Morrison Take Part in Health Law Primer

Sounding the Alarm: New Federal Law Will Mandate the Reporting of Cybersecurity Incidents Involving Critical Infrastructure – What Companies Need to do now to be Prepared

Kimberly Gordy Takes Part in TribalHub Monthly Meeting

BakerHostetler Elevates 28 Attorneys to Firm Partnership

Kimberly Gordy Addresses Issues Related to Mental Health and Aging

Kimberly Gordy a Presenter at Direct Supply Conference

Kimberly Gordy Speaks at Memory Care Summit

Kimberly Gordy Speaks on Malpractice at University of Texas Medical Branch

Kimberly Gordy a Contributor to Health Systems Law Handbook

Kimberly Gordy Speaks to Alzheimer’s Association in Houston

Kimberly Gordy a Presenter on Topic of Research Misconduct

Kimberly Gordy a Speaker at ABA Health Law Section Conference

Digital Assets and Data Management

Healthcare Privacy and Compliance

Digital Risk Advisory and Cybersecurity

Employee Privacy

Telehealth

Industries

Healthcare

Healthcare Technology

Health and Welfare Benefit Plans

Strategic Health Plans

Strategic Healthcare Initiatives

Privacy Governance and Technology Transactions

Privacy/Cybersecurity
<ul>
<li>Led a regional medical center’s cybersecurity transformation project following a serious ransomware incident. Secured dismissal without penalty from an Office for Civil Rights (OCR) compliance investigation.</li>
<li>Assisted a Fortune 100 company with strengthening its healthcare cybersecurity and privacy compliance posture.</li>
<li>Advised a health system on business continuity and disaster recovery planning and business impact analysis for essential business functions.</li>
<li>Conducted HIPAA security risk analyses for covered entities, including health plans, medical centers and pharmacies; engaged technical experts where appropriate.</li>
<li>Managed multimillion-person patient notifications for high-profile healthcare entities.</li>
<li>Advised publicly traded healthcare industry clients on SEC requirements related to cybersecurity incidents and preparedness.</li>
<li>Advised clients on privacy and cybersecurity-related HHS and state Attorney General investigations and enforcement actions.</li>
<li>Worked with emerging companies and tech start-ups on HIPAA applicability, the role of a business associate and mobile technology-related issues.</li>
</ul>
Native American and Alaska Native Organizations and Governments
<ul>
<li>Counseled Native American governments and healthcare organizations on incident response, compliance with anti-money laundering regulations and the applicability of federal and state privacy laws.</li>
<li>Engaged by one of the largest tribal organizations to draft its health privacy code, which now governs the healthcare data privacy and security of its health services authority.</li>
<li>Currently representing a tribe in OCR investigation asserting that, due to its status as a sovereign nation, the OCR lacks the jurisdictional authority to enforce or otherwise investigate in connection with its healthcare programs.</li>
<li>Advised tribal nations on approach to the processing of personal information of tribal members, employees and consumers of for-profit ventures, such as casinos and government contracting business. This includes providing counsel on implementation of de-identification standards and protection against unauthorized use and disclosure of personal information.</li>
<li>Led security risk analysis and privileged technical testing for a casino and resort.</li>
<li>Advised Alaska Native Regional Corporation clients and their subsidiaries on incident response and federal and state law privacy compliance.</li>
</ul>

Kimberly C. Gordy

Kimberly C. Gordy

Experience

Recognitions and Memberships

Insights and News

Prior Positions

Credentials

Community and Pro Bono

Areas of Focus

Industries

Services

Featured Insights