John F. Howard advises organizations ranging from emerging companies to Fortune 100 enterprises on data privacy, cybersecurity, and technology-driven transactions. With a practice that blends regulatory compliance, incident response, and sophisticated commercial contracting, John helps clients manage risk while enabling business growth in an increasingly complex data environment.
John has extensive experience representing clients in the review, negotiation, and structuring of technology and data-related agreements across a wide range of industries. His transactional work includes master services agreements (MSAs), software as a service (SaaS) agreements, data processing and transfer agreements (DPAs and DTAs), business associate agreements (BAAs), nondisclosure agreements (NDAs), and other commercial contracts involving the creation, use, and transfer of sensitive data. He routinely advises on key risk allocation provisions—including indemnification, limitation of liability, and data breach responsibility—helping clients align contractual terms with their broader risk management strategies. In addition, John develops customized template agreements, privacy policies, terms of use, and data protection frameworks that enable clients to scale efficiently while maintaining consistency and control across their contracting processes.
Complementing his transactional practice, John counsels clients on a full spectrum of privacy and cybersecurity matters. He conducts information security risk assessments, privacy impact assessments, and data transfer impact assessments, and advises on privacy program development and maturity. He regularly assists clients in drafting and implementing policies and procedures designed to comply with a complex web of laws and regulations, including state consumer privacy laws, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and international frameworks such as the General Data Protection Regulation (GDPR), UK GDPR, and PIPEDA. John is also frequently engaged to guide clients through data breach response and incident management, working closely with executive leadership to navigate legal, operational, and reputational considerations.
Before entering private practice, John served in multiple leadership roles at a large R1 public university, including Director of the HIPAA Privacy Program, HIPAA Privacy Officer, and HIPAA Security Officer. In these roles, he was the institution’s primary advisor on privacy and cybersecurity matters and was deeply embedded in enterprise contracting processes, advising on agreements involving data use, technology procurement, and regulatory compliance. He also partnered with the university’s procurement office to train contract attorneys on privacy and data security issues and developed standardized, annotated contract templates to streamline negotiations and improve risk consistency across the institution.
John began his career in information technology, spending more than a decade at an academic medical center and medical school in roles including systems analyst and risk assessment manager. This technical foundation enables him to translate complex legal and regulatory requirements into practical, business-oriented solutions.
A Certified Information Privacy Professional (CIPP/US) and Certified Information Privacy Manager (CIPM), John brings both legal and operational insight to his clients’ most critical data challenges. He currently teaches Data Privacy and Cybersecurity in Healthcare at the James E. Rogers College of Law and serves as a guest lecturer at Northern Arizona University.
Practice Areas
Education
Recognitions
Named among Best Lawyers: Ones to Watch® for Privacy and Data Security Law (2026); Technology Law (2026) by Best Lawyers
State Bar Licenses
Articles & Alerts
- Quoted, “HHS issues warnings on info blocking; make sure you’re ready,” Part B News (March 30, 2026)
- Co-author, “California Imposes Largest CCPA Fine to Date on Disney” (February 13, 2026)
- Quoted, “TikTok’s US Venture Enters New Phase of Privacy Scrutiny,” Bloomberg Law (January 28, 2026)
- Quoted, “ICE and Palantir: US agents using health data to hunt ‘illegal immigrants’,” The BMJ (January 27, 2026)
- Quoted, “States Passing New Restrictions on Health Data Sharing,” Healthcare Risk Management (January 1, 2026)
- Co-author, “The California Opt Me Out Act: What it Means for Businesses Subject to the California Consumer Privacy Act” (October 13, 2025)
- Author, “Transmission Security Has A Critical Role In Healthcare,” Law360 (September 26, 2025)
- Co-author, “Beyond HIPAA: How state laws are reshaping health data compliance” (June 26, 2025)
- Co-author, “California Privacy Protection Agency shuts down data brokerage through Delete Act enforcement” (March 4, 2025)
- Quoted, “Lawsuit: Amazon Violated Washington State Health Data Law,” Healthcare Info Security (February 25, 2025)
- Quoted, “Practices no longer off-limits to ICE raids; know your rights,” Part B News (February 3, 2025)
- Co-author, “Updated HIPAA Rule Is A Necessary Step For Data Protection,” Law360 (January 10, 2025)
- Quoted, “Healthcare Now Third-Most Targeted Industry for Ransomware,” Secureworld (November 14, 2024)
- Co-author, “The Value of an Effective HIPAA Compliance Program Amid OCR HIPAA Audits” (October 22, 2024)
- Co-author, “How Tech Trackers May Implicate HIPAA After Hospital Ruling,” Law360 (July 16, 2024)
- Co-author, “HHS Bulletin on Online Tracking Technologies Declared Unlawful: What Covered Entities and Business Associates Need to Know About the AHA Lawsuit” (June 25, 2024)
- Quoted, “OCR Investigates Change Healthcare After Major Cyber Incident,” Healthcare Risk Management (June 1, 2024)
- Quoted, “AI Creates Liability Risks for Healthcare Organizations,” Healthcare Risk Management (March 1, 2024)
- Co-author, “OIG Releases Final Rule for Information Blocking Penalties” (July 31, 2023)
- Quoted, Applicability of HIPAA for out of state records requests, IndyStar (July 25, 2023)
- Co-author, “What To Know About New Nevada Consumer Health Data Privacy Bill” (July 14, 2023)
- Co-author, “Cyberthreats and K-12: EdTech Third Party Risk Management Checklist” (June 27, 2023)
- Co-author, “FTC Continues To Enforce Child Online Privacy Protections” (June 26, 2023)
- Co-author, “How Will the End of HIPAA Enforcement Discretion Affect Covered Entities When the Public Health Emergency Expires on May 11?” (April 28, 2023)
- Co-author, “End of Year Website Audit Recommended to Ensure CPRA Compliance” (December 6, 2022)
- Quoted, “Big Penalties for Right to Access Initiative,” Healthcare Risk Management (December 1, 2022)
- Co-author, “With Recent Settlements, HHS OCR’s HIPAA Right of Access Initiative Continues To Be a Focus of Enforcement” (September 19, 2022)
Presentations
- Co-presenter, “Safer Patient Payments: Cut Risk and Capture Revenue,” Florida Medical Association (April 28, 2026)
- Co-presenter, “The Interoperability Wars – Information Blocking, EHR Ecosystems, and the Fight Over Healthcare Data” (April 21, 2026)
- Presenter, “Charting the Future: Legal Considerations for Healthcare Professionals in the Age of AI,” Clark Hill Healthcare Industry Symposium, Dallas, TX (February 4, 2026)
- Co-presenter, “How State Privacy Laws and AI Are Reshaping Consumer Data Protection” (January 29, 2026)
- Co-presenter, “The New Health Data Laws Every Retailer Must Know” (November 12, 2025)
- Co-presenter, “Navigating Legal Changes and Future Trends for Healthcare Providers” (September 18, 2025)
- Co-presenter, “From CPRA to My Health, My Data Act: How to Stay Compliant with State Consumer Healthcare Privacy Laws” (July 30, 2025)
- Co-presenter, “Charting the Future: Legal Considerations for Healthcare Providers in the Age of AI and Cyber Challenges,” Clark Hill Healthcare Summit (December 5, 2023)