Alisa L. Chestler, CIPP/US, QTE

In her practice, Alisa serves as a trusted advisor to clients and routinely counsels them on their AI data strategy, with a strong base in digital health, life sciences, medical devices, and general health care. She counsels clients on technology transactions, data privacy, and security matters that arise from federal and state laws, including the Health Insurance Portability and Accountability Act (HIPAA), California Consumer Privacy Act (CCPA), Gramm-Leach-Bliley Act (GLB), Fair Credit Reporting Act, Fair and Accurate Credit Transactions Act, Family Educational Rights and Privacy Act (FERPA), state data breach laws, and the General Data Protection Regulation (GDPR). Alisa also counsels clients on AI issues and negotiations and assists in developing and implementing their governance programs. She has significant experience assisting companies in developing comprehensive privacy and security programs and working with management to identify risk management issues, many times in anticipation of corporate transactions. She assists clients in identifying, evaluating, and managing risks associated with privacy and information security practices of companies, including assistance with website tracking technologies and associated issues. Additionally, Alisa counsels clients regarding incident response programs, including the development of the incident response plan, and working with clients through investigations.

Alisa drafts and negotiates technology agreements, including Master Services Agreements (MSAs), software license agreements, Software as a Service (SaaS) agreements, and professional services agreements, and oversees a team of attorneys skilled in such negotiations.

Alisa routinely assists clients in complex health information and technology issues, including the negotiation of sophisticated information technology and partnership agreements such as health information exchange (HIE) participation, electronic health record (EHR) negotiation, and data use agreements. She also advises on the adoption of and compliance with the increasing number of state laws regarding personal health data, as well as interoperability and information-blocking regulations. She assists digital health and consumer application companies in navigating the complexities of health care technology strategy, agreements, and compliance concerns.

Alisa worked as in-house counsel for more than 15 years for several health care organizations, including CareFirst BlueCross Blue Shield.

Follow her on X @alchestler.

• Leads a team of attorneys in the negotiation of technology agreements for a global company in the life sciences industry, averaging nearly 100 negotiations per year.

• Counseled non-profit health system on ongoing strategy and governance programming associated with the adoption of AI within administration and clinical operations.

• Counseled an emerging company on privacy and security issues prior to its initial capital raise.

• Represented an academic medical center in negotiating a $400 million electronic medical record software license and implementation services agreement with Epic Systems.

• Provided strategic and legal counseling for an international consumer application's entrance into the health market.

• Assisted a large hospital system in identifying cybersecurity issues and negotiating an asset purchase agreement and closing conditions.

• Listed in The Best Lawyers in America^® for Health Care Law (2025, 2026)
• Named to the Lawdragon 500 Leading Global Cyber Lawyers (2026)
• Listed in Washington, D.C. Super Lawyers, Technology Transactions (2023); Health Care (2012 – 2025)
• Member – Leadership Health Care (LHC) Leadership Cohort, Nashville Health Care Council (2024)
• Member – American Health Law Association
  • Health Information and Technology Practice Group – Chair (2018 – 2021)
  • Health Information and Technology Practice Group – Vice Chair (2015 – 2018)
  • Health Information and Technology Practice Group – Leadership Development (2014 – 2015)
• Member – International Association of Privacy Professionals
• Member – Health Care Compliance Association 
• Board Member – Second Harvest Food Bank
• Member – Tulane Family Leadership Council (2022 – 2025) 
• Chair – Compliance Committee, The Care Continuum Alliance (2009 – 2013)
• Member – American Health Information Management Association
  • Practice Council on Health Information Exchange (2012 – 2014)

• "Federal AI Framework and Trump America AI Act: Health Care Impacts" (April 2026)
• "Emerging Federal AI Policy: What To Know and How To Prepare" (April 2026)
• "Digital Accessibility Rule for: Websites, Kiosks and Apps – May 2026 Deadline Near" (March 2026)
• "Tennessee Trends and Developments," Chambers Data Protection & Privacy 2026 Global Practice Guide (March 2026)
• "HHS Compliance Deadline Approaching for Updated Part 2 Record Protections" (January 2026)
• "OCR's Latest HIPAA Guidance: Strategic Measures to Protect Your Systems and Data" (January 2026)
• "Prepare to Navigate the New Federal AI Policy" (December 2025)
• "OpenAI Updates Usage Policies: Key Considerations and Next Steps for Organizations Deploying AI," republished December 12, 2025, by Law360 (November 2025)
• "Powering Up Part 2: HHS Announced OCR Enforcement Authority for Part 2 Final Rule" (September 2025)
• "New and Updated HIPAA Privacy Rule FAQs" (August 2025)
• "Illinois Passes Extensive Law Regulating AI in Behavioral Health" (August 2025)
• "California AG Secures Landmark Privacy Settlement Over Tracking: What It Means for Your Website," republished in Law360 (July 2025)
• "Insider Threats Are Just as Dangerous as Ransomware – Lessons from the Latest OCR HIPAA Settlement," republished July 1, 2025, in Cyber Defense Magazine (June 2025)
• "DOJ Final Rule Applies to Anonymized, Pseudonymized, and De-Identified Data: What Data Licensors Need to Know," republished in FinTech Law Report (April 2025)
• "DOJ Issues Additional Guidance and Clarification on the Bulk Data Transfer Rule: What U.S. Businesses Need to Know," republished May 5, 2025, in Corporate Compliance Insights (April 2025)
• "DOJ Final Rule Targets Cross-Border Data Transfers: Key Implications for U.S. and Foreign-Owned Companies Operating in the U.S." (April 2025)
• "Location Data Practices Targeted by California Lawmakers and Regulators," republished in FinTech Law Report (March 2025)
• "OCR Issues "Dear Colleagues" Letter Regarding AI in Medicine," republished January 27, 2025, in The American Lawyer (January 2025)
• "Proposed HIPAA Security Rule Updates" (January 2025)
• "Texas Court Issues Injunction on 2024 HIPAA Reproductive Privacy Rule" (December 2024)
• "The Office for Civil Rights Recently Settled Two Ransomware Related Investigations" (October 2024)
• "Medical Records Scams: What You Need to Know" (June 2024)
• "HIPAA Updates: The Obligations Continue to Unfold" (February 2024)
• "OCR Enforcement Action Likely: Reminder of Steps to Take Now" (October 2023)
• "New SEC Rules: Public Companies Must Report Material Cybersecurity Incidents Within Four Business Days," republished August 1, 2023, in Corporate Compliance Insights (July 2023)
• "MOVEit Transfer Zero-Day Vulnerability: What Companies Need to Know," republished in CPO Magazine (June 2023)
• "FTC Proposes Rulemaking to the Health Breach Notification Rule to Include Information Disclosures by Health Apps and Other Technologies" (May 2023)
• "A Baker's Dozen: Top Questions In-House Legal Counsel Should Consider Asking to Better Understand AI including ChatGPT" (April 2023)
• "Reproductive Privacy Rights: Changes Coming for Health Care Organizations" (April 2023)
• "Initiative to Modernize National Organ Transplant System" (March 2023)
• "The LastPass Lesson: Why Your Company Needs to Care About Password Manager Breaches," republished April 2023, in Washington Business Journal (March 2023)
• "U.S. Department of Veterans Affairs Overhauls Cybersecurity Rules for Government Contractors" (February 2023)
• "Privacy in 2023: Management and Officer Liability for Privacy and Data Security Programs," republished February 1, 2023, in Corporate Compliance Insights (January 2023)
• "Privacy Reset in 2023: Effective January 1: What Employers Need to Know About Additional Rights in the California Privacy Rights Act," republished January 10, 2023, in the Los Angeles Daily Journal (January 2023)
• "New Executive Order Aims to Restore U.S.-EU Data Privacy Agreement," republished in Law360 (October 2022)
• "Software Developers With Federal Government Customers Must Provide Confirmation of NIST Standards," republished November 16, 2022, in Federal News Network (September 2022)
• "Mitigating Cyber Vulnerabilities in Medical Devices" (September 2022)
• "NCCoE Mitigating Risk to Telehealth" (September 2022)
• "HHS Issues Post-Dobbs HIPAA Privacy Guidance for Employer Health Plans, Other Covered Entities" (July 2022)
• "Cybersecurity: A Whistleblower's Paradise," republished in FEDweek (April 2022)
• "SEC Proposal: New Cybersecurity Risk Management Rules for Investment Advisers and Funds," republished in Corporate Compliance Insights (February 2022)
• "Biden Administration Signals Dramatic Shift in Focus to Confront Cyber Concerns In Government Contracting," republished June 18, 2021, in CPO Magazine (May 2021)
• Co-author – "INSIGHT: Health Care Providers, Think Before You Yelp … and Other HIPAA Concerns," Bloomberg Law: Privacy & Data Security Law News (January 2020)
• "Have You Assessed Your Cyber-Preparedness Lately?," BankNews (May 2016)
• Co-author – "The Raising of a Privacy Shield," e-Commerce Law & Strategy Newsletter (March 2016)
• "Cyber Security Takes Top Priority at Law Firms Nationwide," ALFN Angle, 2016 Winter Edition (February 2016)
• Co-author – "Ransomware Attack on Hospital Highlights the Importance of Preparation for All Organizations," Bloomberg BNA (April 2015)
• Co-author – "HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software," HR Professionals Magazine (February 2015)
• Co-author – "HIPAA/HITECH Resource Guide," American Health Law Association (2014)
• Co-author – "Minimizing EHR-Related Serious Safety Events," AHLA Public Interest publication (2013)

• "Transformative Tech Transactions: Contracting Strategies for AI-Enabled Digital Health, RPM and Patient Engagement in a Fragmented Ecosystem," AHLA Health Law Transactions Meeting (April 2026)
• "Evolving Healthcare Technologies: Legal Challenges in AI, Regulation, and Data Privacy," Vanderbilt Journal of Entertainment and Technology Law Symposium (February 2025)
• "B2B AI Technology Services Negotiations: Unique Issues in Negotiating Health Care AI Technology Services from Vendor and End-User Perspectives," AHLA – The Complexities of AI in Health Care (February 2025)
• Panelist – "The Difference Between Security and Privacy and Their Partnership," 2024 Nashville Innovation Summit (October 2024)
• "Running Legal Like a Business," LegalOps (September 2024)
• "Critical Incident Response Considerations: How to Prepare for and Respond to a Cyber Attack," Co.Mobility Summit Workshop (May 2024)
• "Tech Talks: Critical Incident Response Considerations" (April 2024)
• Panelist – "Cybersecurity: Pre-Breach Preparedness," LeadingAge webinar (October 2023)
• "North Alabama International Trade Association Roundtable: Weaponizing Cyber: How China, Russia and other Nation States Are Undermining Our Democracy and National Security" (August 2023)
• "Health Care Strategy: Data and Cyber Considerations," AHLA Long Term Care Meeting (March 2023)
• Moderator – "Privacy and Security Risk Management: Securing Your Enterprise and Beyond," 2022 Baker Donelson Long Term Care Symposium (November 2022)
• "Don't Let a Cyber Quarantine Wreck Your Transaction/Reps and Warranties and Risk Analysis: A Growing Trend," AHLA Health Law Transactions Meeting (April 2022)
• "The Law & Cyber Security: What Those in Trucking Need to Know," American Trucking Association (July 2020)
• "Unblocking Information - Industry Collaboration on Interoperability Model Contract Terms," AHLA Annual Meeting (July 2020)
• "Corporate Counsel 2020: How to Cyber-Proof Your Transaction - Privacy and Security Considerations," Tennessee Bar Association (May 2020)
• "Avoiding Cyber-Collisions- Don't Let Cyber Issues Wreck Your Transaction," AHLA Transactions Meeting (April 2020)
• "Crafting a Company's Privacy Regime to Meet Global Requirements," Georgetown Law 16th Annual Advanced eDiscovery Institute, Washington, D.C. (November 2019)
• "How the C-Suite, Board, & CISO Can Communicate Better," Cybercon 2019 (September 2019)
• "Cyberproof Your Transaction – Avoid Letting Cyber Issues Derail Your Transaction," 2019 AHLA Transactions Conference (May 2019)
• "Cyber Security," 68th Annual Southeastern Association of Tax Administrators Conference, Nashville, Tennessee (July 2018)
• "Get the 411– Keeping the Information Technology Elements of Your Transactions Online," AHLA Health Care Transactions Conference, Nashville, Tennessee (May 2018)
• Panelist – "Code Talkers and Cyber Security – What Do They Have in Common?," Tennessee HIMSS Cybersecurity Breakfast, Nashville, Tennessee (October 2017)
• "What's Now and What's Next in the Telehealth Industry: Utilize Technological Advances to Minimize Risk," Bloomberg BNA, Washington, D.C. (September 2017)
• "Blockchain, IoT. . . Around the World in Health Information Technology," AHLA Annual Meeting, San Francisco, California (June 2017)
• Panelist – "Business Case for Cybersecurity | Managing the Risk of Insecurity," Nashville Cybersecurity Conference (June 2017)
• "Welcome to the Future: Telemedicine and HIPAA HITECH," 2016 Long Term Care Symposium (November 2016)
• Panelist – "Under Disruption: Why Health IT is Out of Control," Summit of the Southeast, Tennessee HIMSS Annual Meeting (September 2016)
• Moderator – "Healthcare & Interoperability: What does interoperability mean to health care? Why is it so crucial to the next level of providing safe and effective health care?," 2016 SEUS-CP Conference, Nashville, Tennessee (May 2016)
• "Commercial and Government Procurement/RFP Process," Israel Defense Cybersecurity Conference (January 2016)
• "HIT or Miss? Legal and Ethical Concerns for Implementation of Health IT," Nashville Council of Health Care Attorneys CLE Program (November 2015)
• "The Rise of Health Care Technology: ERM Implications for the New Normal," American Health Law Association, Enterprise Risk Management Task Force Educational Webinar (October 2015)
• "EHR Standards: HIE, Meaningful Use, and Patient Portals: What Your Lawyers Are Worried About," American Health Information Management Association National Convention (September 2015)
• Moderator – "U.S. Federal Policy and Cyber Legislation and Regulation: What It Means for Your Business," and "Cybersecurity: Business Challenges and the Future," Securing Your Future: Staying Ahead of Developments in Cybersecurity and Its Impact on Technology, Advanced Manufacturing, Logistics, Health Care and Energy, Atlanta, Georgia (August 2015)
• Moderator – "The Role of State Governments in Cybersecurity," Securing Your Future: Staying Ahead of Developments in Cybersecurity and its Impact on Technology, Advanced Manufacturing, Logistics, Health Care and Energy, Atlanta, Georgia (August 2015)
• Panelist – "Fighting Hack Attacks and Data Breaches: A Booming Climate for Investors," Securing Your Future: Staying Ahead of Developments in Cybersecurity and Its Impact on Technology, Advanced Manufacturing, Logistics, Health Care and Energy, Atlanta, Georgia (August 2015)
• Panelist – "Defending the Grid: Latest Threats and How They Can Be Avoided," Securing Your Future: Staying Ahead of Developments in Cybersecurity and Its Impact on Technology, Advanced Manufacturing, Logistics, Health Care and Energy, Atlanta, Georgia (August 2015)
• Moderator – "Cyber Liability Coverage and Insurance," Securing Your Future: Staying Ahead of Developments in Cybersecurity and Its Impact on Technology, Advanced Manufacturing, Logistics, Health Care and Energy, Atlanta, Georgia (August 2015)
• "Health Care Technology: New Regulations and Impact of HIPAA," Nashville Bar Association CLE Program (August 2015)
• Moderator – "Part III: HIT and Data Sharing Issues for the ACO," Accountable Care Organization Bootcamp Webinar Series (March 2013)

• Human Resources' Evolving Role with Technology Changes Including AI, Privacy, and Cybersecurity – A Survival Guide (June 2025)
• The Cyber Risk Allocation Paradigm is Changing: Cyber Insurance's Evolving Issues (September 2021)
• Cyber Threats: Key Considerations for Employers (July 2021)

• Baker Donelson Attorneys Recognized in The Best Lawyers in America® 2026 Listing (August 21, 2025)
• Six Baker Donelson Attorneys Named to 2025 Washington, D.C., Super Lawyers List (May 29, 2025)
• Baker Donelson Attorneys Recognized in The Best Lawyers in America® 2025 Listing (August 15, 2024)
• Five Baker Donelson Attorneys Named to 2024 Edition of Washington, D.C. Super Lawyers (April 22, 2024)
• Baker Donelson Adds Renowned Biometric Privacy Thought Leader David J. Oberly in D.C. (November 8, 2023)
• Four Baker Donelson Attorneys Named to 2023 Edition of Washington, D.C. Super Lawyers (April 24, 2023)
• Four Baker Donelson Attorneys Named to 2022 Edition of Washington, D.C. Super Lawyers (April 28, 2022)

• Alisa Chestler Comments in Healthcare Info Security on Health Sector Coordinating Council Guidance on Emerging AI Security Challenges (November 12, 2025)
• Alisa Chestler Discusses Regulatory Considerations Related to AI and Patient Health Data Access on Healthcare Info Security Podcast (October 17, 2025)
• Alisa Chestler Quoted in Part B News on How Proposed HIPAA Rule May Mean 'Addressable' Measures Are 'Required' (January 20, 2025)
• Alisa Chestler Talks with Part B News About Fax Phishing Scams in Health Care (July 8, 2024)
• Alisa Chestler Featured in MedTech Intelligence Q&A on Overcoming Barriers to EHR Adoption in Behavioral Health (November 8, 2023)
• Alisa Chestler Featured on Healthcare IT News' HIMSS TV Discussing Behavioral Health Data Interoperability (October 18, 2023)
• Alisa Chestler Discusses SEC Rules Regulating Cybersecurity in Nashville Post Q&A (September 5, 2023)
• Alisa Chestler Quoted in Part B News on Cybersecurity Challenges Facing Providers in the Wake of MOVEit Data Breach (August 21, 2023)
• Alisa Chestler Comments on New SEC Cybersecurity Incident Disclosure Rule in VentureBeat (August 7, 2023)
• Alisa Chestler Talks with Healthcare Risk Management About Impact of Proposed OCR Rule Involving Reproductive Privacy Rights on HIPAA Policies and Procedures (July 1, 2023)
• Alisa Chestler Discusses Protecting Enterprise Assets Against Cybersecurity Failures in InformationWeek (June 21, 2023)
• Alisa Chestler Quoted in Behavioral Health Business on Future of EHRs in Behavioral Health Care (August 18, 2022)

• Human Resources' Evolving Role with Technology Changes Including AI, Privacy, and Cybersecurity – A Survival Guide (June 18, 2025)
• The Cyber Risk Allocation Paradigm is Changing: Cyber Insurance's Evolving Issues (September 23, 2021)
• Cyber Threats: Key Considerations for Employers (July 27, 2021)