Lynn Sessions

She | Her | Hers

Partner

Houston
T +1.713.646.1352
F +1.713.751.1717

“Clients value Lynn Sessions’ ‘understanding of healthcare organizations and hospitals’. She is recommended as an expert in HIPAA compliance and data breach response, bringing to bear her experience as in-house counsel with Texas Children’s Hospital.”

— Chambers Global (USA) 2021

Overview

With more than 27 years of working with healthcare industry clients, Lynn Sessions leads the Healthcare Privacy and Compliance team and serves as the Texas Digital Assets and Data Management Leader. She focuses her practice on healthcare privacy and data security, breach response, regulatory defense, and Health Insurance Portability and Accountability Act (HIPAA) compliance. Having previously served as in-house counsel and director of several departments at Texas Children’s Hospital, Lynn collaborates closely with healthcare clients and approaches her legal representation from a client’s perspective.

Lynn is a frequent speaker on a range of topics affecting health industry clients, including HIPAA compliance, data breach response, Office for Civil Rights investigations, cyberliability, and enterprise risk management. She is also the co-leader of the firm's Healthcare industry team and is a regular contributor to the firm’s Data Counsel blog, as well as the Health Law Update.

Experience

Privacy and Data Security 
  • Has handled more than 700 healthcare data breaches, including several of the largest breaches reported to date. In her representation, provides counsel to healthcare providers and other covered entities on breach analysis; breach response; crisis management with patients, media and employees; and regulatory notification obligations to the Office for Civil Rights (OCR) and state attorneys general.
  • Has responded to more than 350 post-breach investigations from the OCR and state attorneys general arising from large and small data breaches reported by covered entities and has successfully defended healthcare organizations in these investigations.
  • Advises clients on HIPAA compliance, including preparation of policies and procedures, notice of privacy practices, business associate agreements, and incident response plans. Works with healthcare organizations post-data breach to strengthen safeguards under HIPAA and implement corrective action plans.
  • Works with large non-healthcare employers on HIPAA issues for their self-insured health plans and with on-site provider clinics on HIPAA compliance, including policies and procedures, business associate arrangements, and sharing of employee information.

Recognitions and Memberships

Recognitions

  • Chambers Global
    • Privacy & Data Security: Healthcare (USA) (2020, 2021) – Band 2; (2018, 2019) – Band 3
  • Chambers USA
    • Nationwide Privacy & Data Security: Healthcare – Band 2 (2019 to 2021); Band 3 (2017 to 2018)
    • Texas: Healthcare: Band 2 (2020-2021); Band 3 (2014 to 2019) 
  • The Legal 500 United States (2019 to 2021)
    • Recommended in Cyber Law (including data privacy and data protection) (2021)
    • Recommended in Industry Focus - Healthcare: service providers (2019 to 2021)
  • Cybersecurity Docket "Incident Response 40" (2021)
  • National Diversity Council, Healthcare Diversity Council: Top 25 Women in Healthcare, Houston (2019)
  • National Law Journal “Cybersecurity Trailblazer” (2016)
  • Burton Award: Distinguished Writing Award for “Anatomy of Healthcare Data Breach” (2013)
  • American Leadership Forum: Senior Fellow
  • Texas Super Lawyers
    • Super Lawyer (2021)
    • “Rising Star” (2005)
  • Rice University, Jesse H. Jones School of Management Executive Education: Executive Education in Medical and Healthcare Management Certification
  • Texas Children’s Hospital: Advanced Quality Improvement and Patient Safety Certification
  • Development Dimensions International: Strategic Leadership

Memberships

  • American Health Lawyers Association
  • AHLA Enterprise Risk Management Task Force: Vice Chair
  • Risk and Insurance Management Society
  • American Bar Association
  • Houston Bar Association

Community

  • Texas Center for Missing: Board of Directors (2019 to present)
  • Children at Risk: Board of Directors (2009 to 2018)
  • Immunization Partnership: Board of Directors (2013 to 2018)
  • Greater Houston HealthConnect: Board of Directors (2017 to 2019)

Prior Positions

  • Texas Children's Hospital: Director and In-House Counsel (2004 to 2011)

Admissions

  • U.S. District Court, Southern District of Texas
  • U.S. District Court, Northern District of Texas
  • U.S. District Court, Eastern District of Texas
  • Texas

Education

  • J.D., Baylor Law School, 1993, Order of Barristers
  • B.A., Texas A&M University, 1989

In The Blogs

Data Counsel
California Privacy Protection Agency Board Chair Discusses CPRA Rulemaking Process and Agency Authority
By Justin T. Yedor and Jeewon Serrato
October 15, 2021
On October 5, 2021, Jennifer Urban, who serves as Chair of the Board of the California Privacy Protection Agency (the CPPA), spoke with members of the California Lawyer’s Association about the Board’s work to...
Data Counsel
Court Finds HHS Had No Lawful Basis Under HIPAA for a $4.3 Million Civil Money Penalty: What Does This Mean for Future HHS Enforcement Actions?
By Jessica Captain Novick, Sara M. Goldstein, Lynn Sessions
January 27, 2021
The United States Court of Appeals for the Fifth Circuit recently found that the United States Department of Health and Human Services (HHS) lacked a lawful basis for a $4.3 million civil money penalty order that it issued to a healthcare...
Data Counsel
DSIR Deeper Dive: Regulatory Investigation Landscape
By Kimberly C. Gordy, Patrick H. Haggerty, Lynn Sessions
May 26, 2020
HIPAA-covered entity and business associate breaches continue to draw attention from the Office for Civil Rights (OCR) and other regulators. In almost every HIPAA incident we handled in 2019 involving more than 500 individuals, OCR issued...
Data Counsel
FERPA Disclosures in Response to COVID-19
By Lynn Sessions
March 16, 2020
The United States Department of Education (ED) Student Privacy Policy Office (SPPO), on March 13, 2020, issued Frequently Asked Questions related to the serious novel coronavirus disease (COVID-19) that the world is now grappling with...
Data Counsel
Powerful Protection: The Healthcare Privacy and Compliance Team
By Lynn Sessions
February 13, 2020
The following story is one in a six-part series devoted to the pioneering teams that comprise the firm’s new Digital Asset and Data Management Practice Group. A prime example of BakerHostetler’s preeminence in the legal industry is on...