Sarah Cronan Spurlock

Sarah Cronan Spurlock is a member of the firm’s Health Care Service Group and is Co-Chair of the firm’s Privacy & Data Security Group. Sarah regularly advises clients on a wide range of health care and privacy matters, including fraud and abuse laws, physician and hospital contracting, information privacy and security laws, and data breach prevention and response. Her practice includes regulatory and transactional matters and health care litigation. Sarah is a Certified Information Privacy Professional (CIPP/US) and serves as the firm’s Chief Privacy Officer.

Recent News, Articles & Speaking Engagements

Shifting Sands of U.S. Privacy Laws

International Association of Defense Counsel Webinar, December 11, 2019

No-fault insurance in Kentucky

Cyber Security for Rural and Critical Access Hospitals: Tips for Improving Data Security and Mitigating the Impact of a Cyber Attack

Alliant Management Services Management Meeting, April 10, 2019

Introduction to Health Law

Panel member, Health Enterprise Network Healthcare Fellows, University of Louisville Louis D. Brandies School of Law, March 19, 2019

Taking Stock of Your 2019 Cybersecurity Resolutions

Pings That Go Bump in the Night: A Discussion of Health Care, Cybersecurity Threats, Prevention Tips and Mitigation Tactics

Moderator and Panelist, 2018 Kentucky Health Law Institute, Lexington, KY, September 14, 2018

Residents in Business

faculty panel, University of Louisville School of Medicine, May 15-17, 2018

Employment Contracting Seminar

Kentucky Medical Association, Louisville, Ky., January 27, 2018

Leadership in Action: Take the Lead in Solving the Opioid Epidemic

2017 Kentucky Medical Association Annual Meeting, Louisville, KY, August 25, 2017

Cyber Threats & Ransomware

Kentucky Academy of Hospital Attorneys, Kentucky Hospital Association Annual Convention, May 29, 2017

Digital Fortress

Modern Steel Construction, May 2017

Residents in Business

faculty panel, University of Louisville School of Medicine, May 15-16, 2017

Cybersecurity for business: Improving data security and mitigating the impact of a cyber-attack

Kentucky Society of CPAs Spring Business Conference, Louisville, KY, April 20, 2017

Be Cyberwise: Protect & Position Your Business for Growth

Ohio River Valley Women's Business Council, 2017 Catch the Wave Conference, April 18, 2017

The Interplay Between Social Media and Healthcare Privacy

American Bar Association Regional CLE, Brave New World: Emerging Cyber and Electronic Issues in Health Care Litigation, March 31, 2017

Improving Data Security and Mitigating the Impact of a Cyber-Attack

Kentucky Medical Group Management Association Spring Conference, March 16, 2017

Under Attack: Cyber Threats Against the Health Care Industry

presentation, Kentucky Health Law Institute, September 15, 2016

Passwords, Revisited

The Goods, Kentucky Association of Manufacturers, September 2016

Build a Better Machine

Residents in Business

faculty panel, University of Louisville School of Medicine and Greater Louisville Medical Society, May 24-26, 2016

Stop. Think. Connect.

presentation, Stites & Harbison Summer Associate Program, May 16, 2016

Law Firm Data Security: It's the End of the World As We Know It (And I Don't Feel Fine)

presentation, Southern Law Network, Louisville, Kentucky, May 13, 2016

Don't Bet on Longshots - Practical Advice on Data Security for Financial Institutions

Stites & Harbison Creditors' Rights & Bankruptcy Service Group Day at the Races, Keeneland, April 14, 2016

Identifying and Protecting Your Core Data

The Goods (p.36), Kentucky Association of Manufacturers, March 2016

Data Breaching Now Its Own Industry

by Robert Hadley, The Lane Report, December 8, 2015

Data Breaches: Is Your Attitude about Data Security Putting You and Your Company at Risk?

The Goods (p. 16), Kentucky Association of Manufacturers, November 2015

Employee Attitudes Fuel Your Data Security Plan

Legaltech News, October 29, 2015

Are you ready for a HIPAA Audit?

Kentucky Association of Health Care Facilities Webinar, October 21, 2015

Technology Highlights for the Restructuring Professional: Privacy, Data Security & Electronic Discovery

co-presenter, International Women's Insolvency & Restructuring Confederation (IWIRC) Day at Keeneland, October 9, 2015

Prevention and Response: Is Your Business Prepared for a Data Security Breach?

Stites & Harbison, PLLC Thirsty Thursday networking event, May 21, 2015

Is your attitude about data security putting you and your company at risk?

Professional Insight, Business First of Louisville, March 27, 2015

Hot Topics in the Area of Health Law Privacy

Kentucky Health Law Institute, Novemer 7, 2013

HIPAA Wants You

Final Rule Amending HIPAA Regulations

Physician Employment Contracting Symposium

co-presenter, Kentucky Medical Association, November 3, 2012

Turning up the heat on HIPAA compliance: What to expect from increase enforcement and Office for Civil Rights audits

co-author, Louisville Bar Association's Bar Briefs, November 2012

HIPAA Update for Physician Office Managers

Kentucky Pediatric Office Managers Association, October 11, 2012

Stolen laptop leads to $1.5 million HIPAA settlement

HIPAA and HITECH's Impact on Certified Public Accountants

Kentucky Society of CPAs Healthcare Conference, May 16, 2012

Keeping up with technology demands: Delayed deadlines for Meaningful Use and ICD-10 reflect overburdened healthcare providers

Medical News, April 2012

HIPAA Audits and Investigations - What to expect when the Office for Civil Rights comes knocking

Louisville Bar Association, Health Law Section, April 11, 2012

Make Way for Medicaid Managed Care: What to expect as Kentucky departs from traditional fee-for-service reimbursement in favor of managed care for Medicaid recipients across the Commonwealth

Louisville Bar Association's Bar Briefs, November 2011

HITECH Challenges for Physicians: Keeping Up with Changes to Health Information Privacy and Security Rules in an Expanding Electronic Environment

Kentucky Medical Association, August 23, 2011

HIPAA and Social Media Issues for Employers, Hot Topics and Critical Issues Pertinent to Employers and Health Care Providers

Health Law and Labor & Employment Sections, Louisville Bar Association, June 2, 2011

HITECH's Amendments to HIPAA: Recent Changes to Health Information Privacy and Security Rules and their Impact on State Regulatory Investigations

National Board for Certification in Occupational Therapy, Annual Conference on Occupational Therapy State Regulation, October 23, 2010

HIPAA Update for Employers

Society of Human Resources Management Mid-West Kentucky Chapter, Madisonville, Ky., April 2010

How will the HITECH Act affect your law firm?

Louisville Bar Association, Health Law Section, April 28, 2010


The Regional Medical Center of Hopkins County, Madisonville, Ky., March 2010

Current Trend: Employment of Physicians by Hospitals

2010 Health Law and Compliance Update 1-2 (John Steiner ed., 2010)

Grounding Cyberspeech: Public Schools' Authority to Discipline Students for Internet Activity

97 Kentucky Law Journal 149 (2008)
Bar Admissions
Firm Leadership

Chief Privacy Officer

Privacy & Data Security Practice Group, Co-Chair

American Bar Association, Health Law Section
Kentucky Bar Association
Louisville Bar Association, Health Law Section, Chair (2011)
American Health Lawyers Association
International Association of Privacy Professionals
Defense Research Institute
Community Involvement

Yew Dell Botanical Gardens, Board of Directors (2018-present)

Louisville Legal Aid Society, Volunteer (2009-16)

Sisters of Charity of Nazareth, Inc., Board of Directors (2011-16)

Focus Louisville, February 2016 Class

More Than Stites & Harbison

Sarah joined Stites & Harbison in September of 2009 after participating in the firm's summer associate program in 2008. In the summer of 2007, she worked in the legal department at Brown-Forman Corporation in Louisville. Before law school, Sarah lived in New York City where she worked at Friedman, Wang & Bleiberg, P.C. as a paralegal, and Lehman Brothers, Inc. in human resources supporting the information technology division.

Sarah is an accomplished equestrian and enjoys riding American Saddlebred horses in her free time.


Best Lawyers in America®, Health Care Law (2019-20)

Business First of Louisville, 20 People to Know in Law (2018)

Business First of Louisville, Partners in Health Care People to Watch (2014)

Spurlock Best Law2020
Cipp Seal Hires Small
See more related to Sarah Cronan Spurlock
Press Releases

Best Lawyers in America Honors 75 Stites & Harbison attorneys for 2020

LOUISVILLE, Ky.—The Best Lawyers in America© 2020 has recognized 75 Stites & Harbison, PLLC attorneys as selected by their peers in 49 areas of practice. Forty-three of those attorneys selected have been honored for 10 consecutive years or more.

by Stites & Harbison, PLLC August 22, 2019

No-fault insurance in Kentucky

House Bill 151, “An Act Relating to Insurance Fraud,” was signed by the Kentucky Governor on March 26, 2019 and went into effect on June 27, 2019.

by K. Kelly White Bryant, and Sarah Cronan Spurlock July 09, 2019

The Race to Privacy

Date: 6/5/19
Time: 4:30 p.m. - 6:00 p.m.

Stites & Harbison, 401 Commerce Street, Suite 800, Nashville, Tennessee 37219

IP attorneys Alex MacKay, Mari-Elise Paul and Sarah Spurlock will discuss the latest information on data privacy.

Alexandra MacKay, Mari-Elise Paul, May 15, 2019
Client Alerts

Groundhog Day? Supreme Court Strikes Down Class Arbitration Efforts...Again

In what finally may prove to be the effective death knell for most efforts to pursue class-wide arbitration, a closely-divided United States Supreme Court has now held that a party cannot be required to arbitrate claims on a class-wide basis unless the arbitration agreement clearly contemplates such a possibility.

by Chadwick A. McTighe, Marjorie A. Farris, April 30, 2019
Client Alerts

Taking Stock of Your 2019 Cybersecurity Resolutions

Did you decide that 2019 will be the year you tackle those cybersecurity threats to your organization that keep you up at night? It’s February, and a good time to take stock of whether your organization is following through on its cybersecurity goals. Some estimate that 80% of resolutions fail by the second week of February.

by Jennifer Henry Jackson, and Sarah Cronan Spurlock February 08, 2019
Press Releases

Best Lawyers in America honors 72 Stites & Harbison attorneys for 2019

LOUISVILLE, Ky.—The Best Lawyers in America© 2019 has recognized 72 Stites & Harbison, PLLC attorneys as selected by their peers in 49 areas of practice. Forty-two of those attorneys selected have been honored for 1...
by Stites & Harbison, PLLC August 16, 2018

2018 Kentucky Health Law Institute

Date: 9/13/18 - 9/14/18

Griffin Gate Marriott Resort, 1800 Newtown Pike, Lexington, KY40511

Presented by UK Law Continuing Legal Education in partnership with the Kentucky Bar Association Health Law Section and Kentucky Academy of Hospital Attorneys

K. Kelly White Bryant, Ozair M. Shariff, July 30, 2018

MCM Financial Institutions Summit 2018

Date: 7/31/18

Buffalo Trace Distillery, 113 Great Buffalo Trace, Frankfort, KY 40601

The 2018 MCM Financial Institutions Summit will feature discussions with regional and national experts on the topics of risk management, bill payment, information technology, cybersecurity, and alternatives with insurance management.

Sarah Cronan Spurlock July 18, 2018

Telehealth reform: Coverage expansion, reimbursement criteria will improve access to care

Technology advancements have had a significant impact on the way healthcare is delivered, particularly to patients in rural areas and to those with restricted access to medical care.

by Ozair M. Shariff, and Sarah Cronan Spurlock June 29, 2018
Press Releases

Sarah Cronan Spurlock appointed to Board of Yew Dell Botanical Gardens

LOUISVILLE, Ky.—Yew Dell Botanical Gardens recently appointed Stites & Harbison, PLLC attorney Sarah Cronan Spurlock to its Board of Directors. Yew Dell Botanical Gardens is recognized around the world as a center of gardening, plants...
by Stites & Harbison, PLLC February 06, 2018

Kentucky Medical Association Employment Contracting Seminar

Date: 1/27/18

Louisville Marriott East, 1903 Embassy Square Boulevard, Louisville, KY 40299

This event is designed to educate physicians on employment contracts.

Sarah Cronan Spurlock December 20, 2017

2017 Kentucky Medical Association (KMA) Annual Meeting

Leadership in Action: Engaging the Family of Medicine Attendees at the education portion of the KMA Annual Meeting -- The Kentucky Physicians Leadership Academy -- can earn CME credits for House Bill 1. The afternoon...
Sarah Cronan Spurlock July 18, 2017

Kentucky Society of Certified Public Accountants Spring Business Conference

A merging of the Financial Professionals Conference and the Small Business Conference 8:00 a.m. - 4:00 p.m. This conference was created by combining the Small Business Conference and the Financial Professionals conference. The focus will...
Sarah Cronan Spurlock February 16, 2017
Press Releases

Stites & Harbison promotes five attorneys in 2017

LOUISVILLE, Ky.—Stites & Harbison, PLLC announced today that five attorneys have been promoted within the law firm effective January 2017. The new Members (Partners) include: Amy Baker (Atlanta office – Real Estate & Banking Service...
by Stites & Harbison, PLLC January 04, 2017

Build a Better Machine

We have read countless articles on data security, but not one about having a good relationship with the people you entrust with your data security. There seems to be a misconception that data security is something not easily understood or practiced, and so should be left to the skills of a limited few who work in isolation to “fix” the problem.

by Ian T. Ramsey, and Sarah Cronan Spurlock July 05, 2016
Client Alerts

OCR Launches Phase 2 HIPAA Audits via Email Destined for Your Spam Folder

On March 21, 2016, the Office for Civil Rights (OCR) announced that it has begun the next phase of HIPAA compliance audits. The Phase 2 audits are being rolled out in three steps: Step 1...
by Dustyn B. Jones, and Sarah Cronan Spurlock March 24, 2016

Privacy & Data Security - April 23, 2015

Presentation by Liz Thompson, Ian Ramsey and Sarah Spurlock.

by Ian T. Ramsey, Sarah Cronan Spurlock, July 28, 2015
Client Alerts

Data Breaches: Is Your Attitude about Data Security Putting You and Your Company at Risk?

With all of the recent data breaches, the nervous jitters among those who have spent time ordering new credit cards or signing up for credit monitoring are no surprise. The possibilities of what might...
by Ian T. Ramsey, and Sarah Cronan Spurlock July 21, 2015
Press Releases

Stites & Harbison attorneys Ian Ramsey and Sarah Spurlock earn Global Privacy & Data Protection

(image) LOUISVILLE, Ky.—Recently the International Association of Privacy Professionals (IAPP) awarded Stites & Harbison, PLLC attorneys Ian Ramsey and Sarah Cronan Spurlock the Certified Information Privacy Professional/United States (CIPP/US) credential. Ramsey and Spurlock join...
by Stites & Harbison, PLLC April 22, 2015
Client Alerts

Are your employees putting your organization at risk for a cyber-attack?

Targeting employees is one of the easiest methods a hacker can use to attack a company. Cyber-security awareness and preparedness are imperative to businesses both large and small. You do not want one of...
by Ian T. Ramsey, and Sarah Cronan Spurlock April 02, 2015
Client Alerts

Target Data Breach Opens Potential Recovery Path for Financial Institutions

2014 was a big year for data security breaches and 2015 may reveal even more complex and troubling problems. Individual consumers are either numb from the continual news feed detailing the various criminal scenarios...
by Brian R. Pollock, Ian T. Ramsey, March 02, 2015

HIPAA Wants You

Presentation to Stites & Harbison's Thirsty Thursday networking event on the effects of the new HIPAA rules to health care providers.

by Sarah Cronan Spurlock July 25, 2013
Client Alerts

Final Rule Amending HIPAA Regulations

On January 17, 2013, the Office for Civil Rights, Department of Health and Human Services, announced the long-awaited final rule implementing changes to HIPAA’s privacy, security, and enforcement rules required under the Health Information...
by Sarah Cronan Spurlock January 22, 2013
Client Alerts

Stolen laptop leads to $1.5 million HIPAA settlement

Failure to take necessary steps to comply with the Health Insurance Portability Act (“HIPAA”) Security Rule has recently led to a Massachusetts based provider’s $1.5 million settlement with the U.S. Department of Health and...
by Ozair M. Shariff, and Sarah Cronan Spurlock September 26, 2012