Member

Sarah Cronan Spurlock

Louisville, KY

sspurlock@stites.com

Sarah Cronan Spurlock is a member of the firm’s Health Care Service Group and is Co-Chair of the firm’s Privacy & Data Security Group. Sarah regularly advises clients on a wide range of health care issues, including fraud and abuse laws, compliance guidance, physician self-referral, physician employment agreements, physician and hospital contracting, technology and general contracting, HIPAA privacy and security, and data breach prevention and response. Her practice includes regulatory and transactional matters and health care litigation. Sarah is a Certified Information Privacy Professional (CIPP/US) and serves as the firm’s Chief Privacy Officer.

Capabilities

Practice Areas

Behavioral Health Care Data Center Service Group Health Care Privacy & Data Security

Recent News, Articles & Speaking Engagements

Medical Cannabis Seminar

panel member, Kentucky Academy of Healthcare Attorneys Webinar, November 13, 2024

with Bailey M. Browning , K. Kelly White Bryant , Jennifer J. Cave , Jackson B. Hurst-Sanders , and Robin E. McGuffin

Tips for Defending Against Data Breach Litigation in the US and Abroad

co-speaker, International Association of Defense Counsel (IADC) 2024 Annual Meeting, July 6-11, 2024

The Cost of Third-Party Data Breaches: How to Avoid a Financial Disaster

co-speaker, The Knowledge Group Webinar, June 14, 2024

with Chadwick A. McTighe

AI in Health Care: Navigating Growth, Risks and Implementation

Kentucky Hospital Association Annual Convention, May 20-22, 2024

with Stacy Shea Luna (Shea)

Framework debate shows as Kentucky nears comprehensive privacy law

by Joseph Duball, International Association of Privacy Professionals (IAPP), The Privacy Advisor, March 12, 2024

US Chamber Urges 6th Circ. To Ax FirstEnergy Class Cert.

By Katryna Perera, Law360.com, February 20, 2024

with Bethany A. Breetz , Marjorie A. Farris , Chadwick A. McTighe , and Michael D. Risley

Mitigating Hospital Cyber Risks - Ransomware’s Impact on Operations and Outcomes

Cybersecurity Crisis Management: Strategies for Health Care Professionals, Kentucky Hospital Association, January 23, 2024

Artificial Intelligence in Healthcare

Stites & Harbison Client Event, November 2, 2023

Cybersecurity: The Rising Cost of Cyber Threats

by Shannon Clinton, The Lane Report, September 25, 2023

Mitigating Hospital Cyber Risks - Ransomware’s Impact on Operations and Outcomes

Kentucky Hospital Association 94th Annual Convention, Lexington, KY, May 15-17, 2023

Health Care Providers and Business Associates Beware: Use of Online Tracking Technology May Violate HIPAA

with Stacy Shea Luna (Shea), Stites & Harbison Client Alert, April 27, 2023

Kentucky Lawmakers Considering Comprehensive Data Privacy Legislation

Stites & Harbison Client Alert, March 8, 2023

Ransomware Threats: Prevention Tips and Response Strategies

panelist, American Bar Association, Infrastructure and Regulated Industries Section Webinar, February 28, 2023

Incident Preparedness: Developing a Program to Respond to Security Incidents

Speaker, Data Security and Privacy Symposium, Atlanta, February 8, 2023

Call to Action for Critical Infrastructure Businesses - New Federal Cyber Breach Reporting: Obligations and Ransomware Prevention Strategies

Bench & Bar, Kentucky Bar Association, November/December 2022

Patient Inducement Prohibitions: Anti-Kickback and Civil Monetary Penalty Considerations

Kentucky Primary Care Association Annual Conference, October 11, 2022

Under Attack: Ransomware Threats, Prevention Tips, and Response Strategy for Health Care Providers

Revenue Cycle and Compliance Summit, First Healthcare Compliance, June 23, 2022

U.S. Privacy And Data Security Developments - Where Do We Go From Here?

Mondaq WEBINAR, January 6, 2022

Help! They've Hijacked Our Network and They Want Money - Now What? Strategies for Managing the Cyber-Attack

Moderator, IADC 2021 Annual Meeting, August 15-19, 2021

“No Company is Safe” — White House Urges Private Sector to Act Now in Hardening Defenses Against Growing Ransomware Threats

Stites & Harbison Client Alert, June 10, 2021

U.S. Privacy and Data Security Developments - Where Do We Go From Here?

Webinar, presented by Mondaq, June 3, 2021

Data Privacy Day: Scanning Data Privacy Issues for 2021

with Alexandra MacKay, Stites & Harbison Client Alert, January 29, 2021

Liberating Patient Data – Is Your Hospital Ready for the Information Blocking Rule?

Webinar, Kentucky Hospital Association, January 26, 2021

with Jennifer Henry Jackson

Not Your Grandma’s Quilt: Exploring the Current ‘Patchwork’ and Recent Trends in U.S. Data Privacy and Security Laws

Kentucky Bar Association Corporate House Counsel Webinar, November 18, 2020

Joint Agency Cyber Alert Warns of Imminent and Credible Ransomware Threat Against U.S. Health Care and Public Health Sectors

with Dustyn B. Jones and Ian T. Ramsey, Stites & Harbison Client Alert, November 2, 2020

Medical Liability Considerations for Physicians

Kentucky Medical Association Virtual Town Hall, September 24, 2020

Eliminating Kickbacks in Recovery Act

Kentucky Health Law Institute, UK CLE, September 2, 2020

The Future of Medicine for the Emerging Physician post COVID-19

Kentucky Medical Association Virtual Annual Meeting, August 22, 2020

Is Telehealth Here to Stay?

Medical News, June 30, 2020

with Jennifer Henry Jackson

OSHA Revises COVID-19 Guidance

with Shannon Antle Hamilton, Stites & Harbison, PLLC, Client Alert, June 5, 2020

Privacy 2020 – California’s Seismic Shift

Discussion of the California Consumer Privacy Act (CCPA), Southern Law Network, April 16, 2020

with Alisa Micu

OCR Eases HIPAA Burdens for Telehealth during COVID-19 National Emergency

with Jennifer Henry Jackson, Stites & Harbison Client Alert, March 18, 2020

Information You Need on the COVID-19 Coronavirus

Stites & Harbison, PLLC, March 2020

Shifting Sands of U.S. Privacy Laws

International Association of Defense Counsel Webinar, December 11, 2019

No-fault insurance in Kentucky

with K. Kelly White Bryant, Medical News, July 8, 2019

Cybersecurity and Data Breach Response for Lawyers: Threats, Prevention Tips, and Mitigation Strategies for Lessening the Risks of a Cyberattack

Kentucky Bar Association Annual Convention, June 12, 2019

Groundhog Day? Supreme Court Strikes Down Class Arbitration Efforts...Again

with Marjorie A. Farris and Chadwick A. McTighe, Stites & Harbison Client Alert, April 30, 2019

The Race to Privacy

Stites & Harbsion Thirsty Thursday Speaker Series, April 25, 2019

with Alexandra MacKay

Cyber Security for Rural and Critical Access Hospitals: Tips for Improving Data Security and Mitigating the Impact of a Cyber Attack

Alliant Management Services Management Meeting, April 10, 2019

Introduction to Health Law

Panel member, Health Enterprise Network Healthcare Fellows, University of Louisville Louis D. Brandies School of Law, March 19, 2019

with K. Kelly White Bryant

Taking Stock of Your 2019 Cybersecurity Resolutions

with Jennifer Henry Jackson, Stites & Harbison Client Alert, February 8, 2019

Pings That Go Bump in the Night: A Discussion of Health Care, Cybersecurity Threats, Prevention Tips and Mitigation Tactics

Moderator and Panelist, 2018 Kentucky Health Law Institute, Lexington, KY, September 14, 2018

Telehealth reform: Coverage expansion, reimbursement criteria will improve access to care

Medical News, June 25, 2018

Residents in Business

faculty panel, University of Louisville School of Medicine, May 15-17, 2018

with K. Kelly White Bryant

Employment Contracting Seminar

Kentucky Medical Association, Louisville, Ky., January 27, 2018

with K. Kelly White Bryant and Dustyn B. Jones

Kentucky Supreme Court Declines to Recognize New Tort of "Negligent Credentialing"

Medical News, November 8, 2017

with Bethany A. Breetz

Leadership in Action: Take the Lead in Solving the Opioid Epidemic

2017 Kentucky Medical Association Annual Meeting, Louisville, KY, August 25, 2017

Cyber Threats & Ransomware

Kentucky Academy of Hospital Attorneys, Kentucky Hospital Association Annual Convention, May 29, 2017

Digital Fortress

Modern Steel Construction, May 2017

with Ian T. Ramsey

Residents in Business

faculty panel, University of Louisville School of Medicine, May 15-16, 2017

with K. Kelly White Bryant

Cybersecurity for business: Improving data security and mitigating the impact of a cyber-attack

Kentucky Society of CPAs Spring Business Conference, Louisville, KY, April 20, 2017

Be Cyberwise: Protect & Position Your Business for Growth

Ohio River Valley Women's Business Council, 2017 Catch the Wave Conference, April 18, 2017

The Interplay Between Social Media and Healthcare Privacy

American Bar Association Regional CLE, Brave New World: Emerging Cyber and Electronic Issues in Health Care Litigation, March 31, 2017

Kentucky Health: Shadowing a Primary Care Physician

Kentucky Health, PBS.com, March 26, 2017

Improving Data Security and Mitigating the Impact of a Cyber-Attack

Kentucky Medical Group Management Association Spring Conference, March 16, 2017

Under Attack: Cyber Threats Against the Health Care Industry

presentation, Kentucky Health Law Institute, September 15, 2016

Passwords, Revisited

The Goods, Kentucky Association of Manufacturers, September 2016

Build a Better Machine

with Ian T. Ramsey, The Goods, Kentucky Association of Manufacturers, July 2016

Residents in Business

faculty panel, University of Louisville School of Medicine and Greater Louisville Medical Society, May 24-26, 2016

with K. Kelly White Bryant

Stop. Think. Connect.

presentation, Stites & Harbison Summer Associate Program, May 16, 2016

with Ian T. Ramsey

Law Firm Data Security: It's the End of the World As We Know It (And I Don't Feel Fine)

presentation, Southern Law Network, Louisville, Kentucky, May 13, 2016

with Ian T. Ramsey

Don't Bet on Longshots - Practical Advice on Data Security for Financial Institutions

Stites & Harbison Creditors' Rights & Bankruptcy Service Group Day at the Races, Keeneland, April 14, 2016

with Ian T. Ramsey

Identifying and Protecting Your Core Data

The Goods (p.36), Kentucky Association of Manufacturers, March 2016

with Ian T. Ramsey

OCR Launches Phase 2 HIPAA Audits via Email Destined for Your Spam Folder

with Dustyn B. Jones, Stites & Harbison Legal Update, March 24, 2016

Data Breaching Now Its Own Industry

by Robert Hadley, The Lane Report, December 8, 2015

with Ian T. Ramsey

Data Breaches: Is Your Attitude about Data Security Putting You and Your Company at Risk?

The Goods (p. 16), Kentucky Association of Manufacturers, November 2015

with Ian T. Ramsey

Employee Attitudes Fuel Your Data Security Plan

Legaltech News, October 29, 2015

with Ian T. Ramsey

Are you ready for a HIPAA Audit?

Kentucky Association of Health Care Facilities Webinar, October 21, 2015

Technology Highlights for the Restructuring Professional: Privacy, Data Security & Electronic Discovery

co-presenter, International Women's Insolvency & Restructuring Confederation (IWIRC) Day at Keeneland, October 9, 2015

Data breaches: Is your attitude about data security putting you and your company at risk?

Inside Counsel, September 24, 2015

with Ian T. Ramsey

Privacy & Data Security - April 23, 2015

with Ian T. Ramsey, Keeneland, April 23, 2015

Data Breaches: Is Your Attitude about Data Security Putting You and Your Company at Risk?

with Ian T. Ramsey, Stites & Harbison Client Alert, July 21, 2015

Data breaches: Is your attitude about data security putting you and your company at risk?

Medical News, July 6, 2015

with Ian T. Ramsey

Prevention and Response: Is Your Business Prepared for a Data Security Breach?

Stites & Harbison, PLLC Thirsty Thursday networking event, May 21, 2015

with Ian T. Ramsey

Are your employees putting your organization at risk for a cyber-attack?

with Ian T. Ramsey, Stites & Harbison Client Alert, April 3, 2015

Is your attitude about data security putting you and your company at risk?

Professional Insight, Business First of Louisville, March 27, 2015

with Ian T. Ramsey

Target Data Breach Opens Potential Recovery Path for Financial Institutions

with Brian R. Pollock and Ian T. Ramsey, Stites & Harbison Client Alert, March 4, 2015

Hot Topics in the Area of Health Law Privacy

Kentucky Health Law Institute, Novemer 7, 2013

HIPAA Wants You

Stites & Harbison Thirsty Thursday networking event, July 25, 2013

Final Rule Amending HIPAA Regulations

Stites & Harbison Client Alert, January 21, 2013

Physician Employment Contracting Symposium

co-presenter, Kentucky Medical Association, November 3, 2012

with K. Kelly White Bryant

Turning up the heat on HIPAA compliance: What to expect from increase enforcement and Office for Civil Rights audits

co-author, Louisville Bar Association's Bar Briefs, November 2012

HIPAA Update for Physician Office Managers

Kentucky Pediatric Office Managers Association, October 11, 2012

Stolen laptop leads to $1.5 million HIPAA settlement

Stites & Harbison, PLLC, Client Alert, September 26, 2012

HIPAA and HITECH's Impact on Certified Public Accountants

Kentucky Society of CPAs Healthcare Conference, May 16, 2012

Keeping up with technology demands: Delayed deadlines for Meaningful Use and ICD-10 reflect overburdened healthcare providers

Medical News, April 2012

HIPAA Audits and Investigations - What to expect when the Office for Civil Rights comes knocking

Louisville Bar Association, Health Law Section, April 11, 2012

Make Way for Medicaid Managed Care: What to expect as Kentucky departs from traditional fee-for-service reimbursement in favor of managed care for Medicaid recipients across the Commonwealth

Louisville Bar Association's Bar Briefs, November 2011

with Elizabeth Ann Johnson (Betsy)

HITECH Challenges for Physicians: Keeping Up with Changes to Health Information Privacy and Security Rules in an Expanding Electronic Environment

Kentucky Medical Association, August 23, 2011

HIPAA and Social Media Issues for Employers, Hot Topics and Critical Issues Pertinent to Employers and Health Care Providers

Health Law and Labor & Employment Sections, Louisville Bar Association, June 2, 2011

HITECH's Amendments to HIPAA: Recent Changes to Health Information Privacy and Security Rules and their Impact on State Regulatory Investigations

National Board for Certification in Occupational Therapy, Annual Conference on Occupational Therapy State Regulation, October 23, 2010

HIPAA Update for Employers

Society of Human Resources Management Mid-West Kentucky Chapter, Madisonville, Ky., April 2010

How will the HITECH Act affect your law firm?

Louisville Bar Association, Health Law Section, April 28, 2010

EMTALA

The Regional Medical Center of Hopkins County, Madisonville, Ky., March 2010

Current Trend: Employment of Physicians by Hospitals

2010 Health Law and Compliance Update 1-2 (John Steiner ed., 2010)

Grounding Cyberspeech: Public Schools' Authority to Discipline Students for Internet Activity

97 Kentucky Law Journal 149 (2008)

Recent Assignments

Successfully obtained summary judgment for a healthcare provider in Jefferson Circuit Court in a putative class action asserting claims for negligence, negligence per se, and invasion of privacy stemming from an alleged data breach disclosing patient information. Judgment was obtained prior to any class being certified.

Bar Admissions

Kentucky

Firm Leadership

Chief Privacy Officer

Privacy & Data Security Practice Group, Co-Chair

Office of General Counsel, as Chief Privacy Officer

Memberships

American Bar Association, Health Law Section

Kentucky Bar Association

Louisville Bar Association, Health Law Section, Chair (2011)

American Health Lawyers Association

International Association of Privacy Professionals

International Association of Defense Counsel, Cyber Security, Data Privacy and Technology Committee, Past Chair

Community Involvement

Yew Dell Botanical Gardens, Board of Directors (2018-present)

Louisville Legal Aid Society, Volunteer (2009-16)

Sisters of Charity of Nazareth, Inc., Board of Directors (2011-16)

Focus Louisville, February 2016 Class

Education

J.D., 2009 magna cum laude

University of Kentucky College of Law

Order of the Coif
Kentucky Law Journal, Notes Editor and Outstanding 2L Source and Cite Editor
Robert G. Schwemm Scholarship; Dorothy Salmon Memorial Scholarship
Marshall Writing Club, best appellant brief and best appellant oral argument
University of Kentucky Equine Law Society
Golden Key International Honour Society

B.A., Sociology, 2000

Indiana University

Double minor, Philosophy & Psychology

More Than Stites & Harbison

Sarah joined Stites & Harbison in September of 2009 after participating in the firm's summer associate program in 2008. In the summer of 2007, she worked in the legal department at Brown-Forman Corporation in Louisville. Before law school, Sarah lived in New York City where she worked at Friedman, Wang & Bleiberg, P.C. as a paralegal, and Lehman Brothers, Inc. in human resources supporting the information technology division.

Sarah is an accomplished equestrian and enjoys riding American Saddlebred horses in her free time.

Accolades

Best Lawyers in America^®, Health Care Law (2019-25)

Business First of Louisville, 20 People to Know in Law (2018)

Business First of Louisville, Partners in Health Care People to Watch (2014)

Contact Resources

Sarah Cronan Spurlock 's PDF Sarah Cronan Spurlock 's Contact VCF

See more related to Sarah Cronan Spurlock

Events

Kentucky Academy of Healthcare Attorneys Webinar: Medical Cannabis Seminar

Date: 11/13/24
Time: 9:00 a.m. - 12:00 p.m.

WEBINAR

Stites & Harbison attorneys Bailey Browning, Kelly White Bryant, Jennifer Cave, Jackson Hurst-Sanders, Robin McGuffin and Sarah Cronan Spurlock will be speakers at the Kentucky Academy of Healthcare Attorneys webinar, Medical Cannabis Seminar being held November 13, 2024.

Bailey M. Browning , K. Kelly White Bryant , Jennifer J. Cave , Jackson B. Hurst-Sanders , Robin E. McGuffin , and Sarah Cronan Spurlock November 05, 2024

Press Releases

Stites & Harbison, PLLC Lawyers Named to 2025 Best Lawyers® Publications

Stites & Harbison, PLLC is pleased to announce that 97 of its lawyers are included in the 2025 edition of The Best Lawyers in America®. Since it was first published in 1983, Best Lawyers® has become universally regarded as the definitive guide to legal excellence according to the publication. Additionally, 12 Stites & Harbison attorneys are named as “Lawyer of the Year” and 30 attorneys are recognized in Best Lawyers: Ones to Watch® in America, which recognizes attorneys early in their careers for outstanding professional excellence in private practice in the United States.

by Stites & Harbison, PLLC August 16, 2024

Events

International Association of Defense Counsel (IADC) 2024 Annual Meeting

Date: 7/6/24 - 7/11/24

Fairmont Hotel Vancouver, 900 West Georgia Street, Vancouver, Canada

Privacy and Data Security attorney Sarah Cronan Spurlock will be a speaker at the 2024 Annual Meeting of the IADC July 6-11.

Sarah Cronan Spurlock May 29, 2024

Events

The Cost of Third- Party Data Breaches: How to Avoid a Financial Disaster

Date: 6/14/24
Time: 12:00 p.m. - 1:30 p.m.

Webinar

Chad McTighe and Sarah Spurlock will be the speakers for The Knowledge Group's Webinar on June 14, 2024 discussing the costs associated with unforeseen security risks.

Chadwick A. McTighe and Sarah Cronan Spurlock May 28, 2024

Presentation Mikael Kristenson 242070 Unsplash

Events

Kentucky Hospital Association Annual Convention

Date: 5/20/24 - 5/22/24

Central Bank Center, 430 West Vine Street, Lexington, Kentucky 40507

Health care attorneys Shea Luna and Sarah Spurlock will be presenters at the Kentucky Hospital Association's Annual Convention in Lexington, KY being held May 20-22, 2024.

Stacy Shea Luna (Shea) and Sarah Cronan Spurlock April 22, 2024

Press Releases

Stites & Harbison, PLLC Lawyers Named to 2024 Best Lawyers® Publications

LOUISVILLE, Ky.—Stites & Harbison, PLLC is pleased to announce that 101 of its lawyers are included in the 2024 edition of The Best Lawyers in America®.

by Stites & Harbison, PLLC August 24, 2023

Client Alerts

Health Care Providers and Business Associates Beware: Use of Online Tracking Technology May Violate HIPAA

Entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) may be surprised to learn that use of certain online tracking technology may result in inadvertently sharing information protected under HIPAA with unauthorized third parties. On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued guidance with far-reaching implications for HIPAA regulated entities highlighting their HIPAA compliance obligations when using third-party online tracking technologies designed to collect and analyze information pertaining to a user’s interaction with the regulated entity’s webpages and mobile apps.

by Stacy Shea Luna (Shea) and Sarah Cronan Spurlock April 28, 2023

Events

Kentucky Hospital Association 94th Annual Convention

Date: 5/15/23 - 5/17/23

Central Bank Center, 430 W Vine Street, Lexington, Kentucky 40507

Stites & Harbison attorneys Sarah Spurlock, Ameena Khan and Shea Luna will be speakers at this year's Kentucky Hospital Association Convention in Lexington, Ky.

Sarah Cronan Spurlock and Stacy Shea Luna (Shea) April 05, 2023