
Andrew J. Droke, CIPP/US


Andrew is co-leader of the Firm's GDPR Team, and he counsels clients in a broad range of data protection, privacy, and cybersecurity matters.

Professional Biography

As a member of the Firm's Health Law group and Data Protection, Privacy, and Cybersecurity Team, Andrew advises clients regarding information privacy, security, and compliance strategies by offering practical and actionable advice tailored to fit each client's needs.

Andrew routinely counsels clients with respect to their privacy, cybersecurity, and information practices, including the compliance obligations imposed by the Health Insurance Portability and Accountability Act (HIPAA), 42 CFR Part 2, the California Consumer Privacy Act (CCPA), and global data protection laws such as the General Data Protection Regulation (GDPR). As co-leader of the Firm's GDPR Team, Andrew assists U.S.-based and global organizations with data processing agreements, issues involving international data transfers, and navigating conflicts between foreign privacy laws and U.S. compliance obligations with respect to data use and processing.

In addition to assisting with the development and implementation of customized policies, procedures, and controls, Andrew helps clients identify, evaluate, and manage the risks associated with their privacy and information security practices. Andrew also assists organizations with identifying and addressing data protection and privacy risks through diligence counseling and negotiations in mergers and acquisitions.

During law school, Andrew served as a judicial extern for the Honorable Bernice B. Donald on the United States Court of Appeals for the Sixth Circuit.

  • Worked with large not-for-profit hospital systems and behavioral health systems to develop and implement revised information privacy and security programs addressing HIPAA, 42 CFR Part 2, and applicable state laws.

  • Assisted national retailers and data analytics companies in strategic planning with respect to data collection, use, and intra-organization sharing under the CCPA and GDPR.

  • Coordinated revisions to website and mobile application privacy notices for retailers, distributors, health care providers, health care technology companies, non-profit organizations, and a professional sports franchise.

  • Worked with emerging companies, including health IT vendors and health care providers offering new models of care, to analyze complex business relationships and to develop and implement comprehensive privacy and information security programs.

  • Coordinated information privacy and security aspects of a $450M acquisition of a hotel data and analytics company.

  • Assisted in structuring, drafting, and negotiating software, vendor, and other service provider agreements and business associate agreements for covered entities and business associates.

  • Helped an electronic medical record vendor analyze its obligations under the GDPR and revise its website terms of use and privacy notices.

  • Worked with clients to develop external notices and internal policies to facilitate compliant data collection and handling, including privacy notices, data privacy policies, and privacy risk assessments.

  • Assisted with sales of ambulatory surgery centers, dental practices, and speech pathology practices, and with health systems' acquisitions of physician groups, including information privacy and security diligence.

  • Named a Best Lawyers in America® "Ones to Watch" in Health Law and Technology Law (2021)
  • Listed in Mid-South Super Lawyers as a Rising Star in Health Care (2020)
  • Member – International Association of Privacy Professionals (CIPP/US)
  • Member – American Health Law Association
  • Member – International Association of Privacy Professionals
  • Member – American Bar Association
  • Member – Tennessee Bar Association, Health Law Section
  • Member – Nashville Bar Association
  • Chair – IAPP Nashville KnowledgeNet
