Kathie McDonald-McClure



Kathie McDonald-McClure leads the Firm’s Data Privacy & Cyber Security practice and is a member of the Health Care Service Team. Her longtime passion for and attention to technology-related matters has given her a leg-up in assisting clients with regard to data privacy and cyber security. She regularly advises businesses and business managers on compliance with HIPAA, FERPA, GLBA, GDPR, and state data privacy and breach reporting laws. Because data privacy has become so interconnected with cyber technology, she has become the firm’s go-to for advice on health technology agreements and data privacy and security reps and warranties.  She works with clients and their IT team in the preparation and updating of data security policies and procedures to meet today’s expectations from multiple angles: legal and regulatory, contractual, cyber insurance, consumers and other third parties.

In 2009, she created the Firm’s first legal blog: Wyatt HITECH Law, which was named after The HITECH Act, a federal law that incentivized healthcare providers to adopt and make a “meaningful use” of certified electronic health records technology (CEHRT).  The HITECH Act also bolstered HIPAA’s data privacy and cyber security protections for individually identifiable health information. As the federal government’s incentives for adopting CEHRT came to an end, the blog’s focus shifted to significant legal developments in data privacy and cyber security that could impact organizations in all industry sectors.

Ms. McDonald-McClure’s career in healthcare, both in-house and in private practice, has contributed to her broad healthcare regulatory practice, which revolves around state and federal healthcare program matters with a focus on regulatory compliance and risk management. She assists clients with enrollment and revalidation in Medicare and state Medicaid programs, state board of pharmacy licensing, and due diligence for acquisitions (including CHOWs). She regularly advises on the Anti-Kickback Statute (AKS) safe harbors with a niche specialty on the discount and rebate rules. She has drafted contract templates for client sales staff that are designed for compliance with AKS safe harbors. In line with her data privacy work, she regularly advises healthcare clients on compliance with 21st Century Cures Act requirements related to electronic health information, including “information blocking,” “interoperability,” and “patient access”.

She has broad experience in the area of human research. She regularly advises healthcare providers on clinical trial agreements, research policy development, FDA and OHRP regulatory compliance, informed consent form compliance and HIPAA research authorizations, insurance and indemnification for adverse outcomes, Medicare Secondary Payor recovery issues, Medicare billing compliance, and data de-identification. She drafted U.S. contracting and informed consent templates for a global medical device company and assisted in training the company’s staff on issues that impact contract compliance.

Ms. McDonald-McClure’s healthcare clients include hospitals, long-term care providers, physicians, chiropractors, pharmacies, durable medical equipment suppliers, behavioral health, clinical laboratories, home health, physical and occupational therapy providers, and medical device companies. Her non-healthcare clients include manufacturers, community support agencies, public school districts, colleges and universities, among others.  She is a member of several healthcare and data privacy related associations and has continuously maintained her Certification in Healthcare Compliance (CHC) by the Compliance Certification Board (CCB)® since 2007.



  • State and federal data privacy laws including HIPAA, HITECH, FERPA, FTC, GDPR, CCPA, and Part 2 (Substance Use Disorder Confidentiality)
  • Data security incident response (SIR), including forensics, breach notification, government agency investigations and the development of SIR policy and procedure
  • Electronic Health Information (EHI) Interoperability (formerly Meaningful Use) and the Information Blocking Rule applicable to ensuring patient and provider access to EHI
  • Healthcare technology agreements (including electronic health records) review, advice and negotiation
  • FTC Red Flags Rule and Identity Theft policies
  • Employer wellness programs and on-site clinics as related to compliance with HIPAA and healthcare provider-related licensing rules and regulations
  • Privacy notices on websites and mobile apps
  • Human research compliance with the Federal Policy for the Protection of Human Subjects (Common Rule), HIPAA, FDA, False Claims Act, Anti-Kickback Statute, Stark Law and more
  • Clinical trial research agreement development and negotiation between industry and institutional health care providers
  • Physicians Payments Sunshine Act compliance guidance for both product manufacturers and teaching hospitals
  • Anti-Kickback Statute, Stark Law, Civil Monetary Penalties Law compliance advice relevant to healthcare transactions
  • Vendor discounts and rebates advice, including employee training, on healthcare product sales and services arrangements relevant to compliance with the Anti-Kickback Statute
  • Healthcare mergers and acquisitions due diligence, including Medicare and Medicaid Change of Ownership (CHOW) transactions involving acquisition of the seller’s billing number(s).
  • Enrollment, revalidation and change of information in Medicare and state Medicaid programs, including disclosure of ownership and control and adverse actions (hospitals, nursing homes, DME suppliers, pharmacies)
  • State pharmacy board matters including licensure and complaints
  • Nursing home arrangements advice for medical directors, PT/OT and other ancillary services, and I-SNPs
  • Durable medical equipment (DME) compliance with Medicare DME standards, billing and competitive bidding program rules
  • Long-term care pharmacy contracting and compliance matters
  • Medicare Secondary Payer (MSP) recovery issues related to liability claim settlements involving Medicare beneficiaries
  • Medicare reimbursement compliance advice involving billing under IPPS, OPPS, DRGs, RUGs, MIPS, APCs, HCPCS, NDC, etc.
  • Concierge medicine practice advice including patient consent forms, space sharing arrangements, HIPAA, and Medicare billing compliance
  • Clinical integration arrangements involving behavioral health, primary care and/or acute/post-acute care and population health
  • Group purchasing organization (GPO) arrangements
  • Compliance audits for hospitals, skilled nursing homes and DME suppliers, including employee training and education
  • Government surveys, citations, subpoenas, warrants, and civil investigative demands
  • DOJ and OIG exclusionary issues
  • Fraud, Waste and Abuse (FWA) multi-state policy development for compliance with the Deficit Reduction Act of 2005 (DRA)
  • Health care professional licensing board representation
  • Liability insurance coverage questions including cyber liability insurance policies


J.D., University of Louisville

  • Executive Editor of the Journal of Family Law

B.S.B.A. with highest honors, University of Louisville


  • Kentucky


  • Highest Professional AV Rating by Martindale-Hubbell Law Directory. Peer references stated that “her ability to navigate an extremely complicated area of the law and then communicate with clients in a plain-spoken, easy to understand manner is admirable. Kathie practices with high ethical standards and is always very responsive to client concerns and schedules.” “Kathie is an excellent attorney, a true advocate for her clients and a model for legal ethics.”
  • Woodward/White’s The Best Lawyers in America® Lawyer of the Year Health Care Law, 2018
  • Woodward/White’s The Best Lawyers in America® Health Care Law, 2009-present
  • Selected as a “Partner in Healthcare” by Business First, 2008-2016


  • Vice President and Counsel with Kindred Healthcare, LLC, a national long-term care company which, at the time, provided long-term acute care (LTAC) services, skilled nursing home and rehab care, pharmacy and other healthcare services in over 40 states. As Vice President, was responsible for managing the company’s Liability Claims Department and a staff of approximately 13 lawyers and claims professionals. During her 12-year tenure at Kindred, she also was responsible for day-to-day legal advice in the areas of healthcare, employment, healthcare liability claims and risk management, and liability insurance policy coverage.
  • Prior to in-house counsel position with Kindred, was with Greenebaum Doll & McDonald (now Dentons Bingham Greenebaum) for six years, representing local, regional and national companies before state and federal courts in commercial, insurance, employment and copyright and trademark protection litigation.
  • Before joining Wyatt, she completed the Pepperdine Caruso School of Law Winter Intensive Course in Dispute Resolution and served as an independent healthcare liability claims mediator.


  • Louisville, Kentucky and American Bar Associations (ABA) and the ABA’s Healthcare and Litigation, Tort & Insurance Sections
  • Louisville Bar Association, 2005 Chair of Health Law Section, 1991 Chair Litigation Section Mock Trial Seminar, Past Member of Board of Directors, Past Member of Publications Committee
  • International Association of Privacy Professionals (IAPP)
  • American Health Law Association (AHLA) and the following AHLA practice groups: Life Sciences; Fraud & Abuse; Hospitals and Health Systems; Payors, Plans, and Managed Care; and Post-Acute and Long-Term Care (LTC) Services
  • Health Care Compliance Association (HCCA)
  • Certified in Healthcare Compliance (CHC) by the Compliance Certification Board (CCB)®, 2009 to present
  • LTC Legal Risk Forum Participant, 2017-2019
  • Healthcare Financial Management Association (HFMA)
  • Kentucky and American Societies of Healthcare Risk Management (KSHRM and ASHRM)
  • American Society for Pharmacy Law (ASPL)
  • Association for Conflict Resolution (ACR), Member 2003-2016


  • Member of the Governing Board for the Greater Louisville (GLI) Health Enterprises Network (HEN), January 2007-April 2022, and Executive Committee, 2008-2021; Vice-Chair, HEN Nominating Committee, 2016-2021, and HEN Policy Forum, 2010-2014
  • Leadership Kentucky, Class of 2017 Graduate
  • Executive Leadership Team Member, American Heart Association 25th Anniversary Heart Ball fundraiser, 2017
  • Honorary Chair, Elder Serve Champion for the Aging Awards Luncheon (fundraiser), 2012
  • Health Enterprises Network Fellows Class, 2006
  • Co-Chair, Local Organizing Committee for US Figure Skating’s Regional Championships in Louisville, KY, 2006-2007
  • Member, Board of Directors, Louisville Skating Academy, 2007-2008
  • Member, Board of Directors, Court Appointed Special Advocates (CASA), 1994-1995


Ms. McDonald-McClure has written or edited more than 100 articles for the Wyatt HITECH Law Blog (see BLOGS below). She’s also a frequent contributor to Wyatt’s Coronavirus News and Resources Blog – a blog (initially a newsletter) created in 2020 to keep clients up-to-date with issues relating to the Coronavirus pandemic. She regularly authors or edits articles with health care regulatory developments, cyber risk news, economic recovery news and more.

Other publications include:

  • Overview & Guidance Note for Kentucky data privacy law for DataGuidance by OneTrust, a global privacy intelligence platform (September 2019, updated 2020) (co-author with Mary Fullington)
  • Lorman Education Services: “Data Security in the ‘New Normal’ of Teleworking” (September 2020) (co-author with Margaret Young Levi)
  • Lorman Education Services: “Audio-Video Conferencing Risks and Tips for Healthcare Providers” (September 2020) (co-author with Margaret Young Levi)
  • Lorman Education Services: “CISA/NCSC Joint Alert Warns of APT Groups Targeting Healthcare and Essential Services” (August 2020) (co-author with Margaret Young Levi)
  • Risk Management in Health Care Institutions: Limiting Liability and Enhancing Care, Chapter 16, “Risk Management in Long Term Care Institutions and Services” (2014, 3rd ed.)
  • Valeo Communications: “OCR Steps Up HIPAA Audits” (July 2011)
  • HCCA Compliance Today, “Medicare’s New Mandatory Reporting Requirements for Liability Insurers, Including Self-Insured Entities” (July 2009)
  • LBA Bar Briefs, “Mandatory Reporting of Liability Settlements: Law to Shine Spotlight on Attorney’s and Their Clients’ Pocketbooks” (June 2009)
  • “Enforcement Activities By Investigating Authorities and Responding to Investigations,” Chapter 5, Kentucky Health Law (2009, 5th ed.) (co-author with R. Benvenuti, III)
  • HCCA Compliance Today, “Outpatient Therapy Clinics and Their Referring Physicians: Fraud and Abuse Risks” (April 2008)
  • HFMA Kentucky Chapter Financial Scene, “Deficit Reduction Act Update” (January 2007)
  • HFMA Kentucky Chapter Financial Scene, “The DRA’s New False Claims Requirements” (June-July, 2006)
  • HFMA Kentucky Chapter Financial Scene, “US Supreme Court Limits Medicaid Recoveries in Personal Injuries Settlements” (June-July, 2006)
  • HCCA Compliance Today, “Compliance 101, Clinical Trials Primer” (June 2006)


Ms. McDonald-McClure has given more than 75 presentations on a variety of healthcare and data privacy and security topics, including HIPAA Privacy Rule, HIPAA Security Rule, data security incident response, state data breach laws, cyber-security insurance coverage, HITECH EHR Meaningful Use, 21st Century Cures Information Blocking and Medicare Program Interoperability Rules, Maintaining Electronic Health Record integrity, the Anti-Kickback Statute, False Claims Act, Affordable Care Act, ACOs and acute/post-acute collaborative arrangements, Physicians Payments Sunshine Act, Medicare reimbursement and payment methodologies, Medicare Hospital Two-Midnight Rule, Medicare Secondary Payer law and MMSEA Section 111, Section 6032 of the Deficit Reduction Act of 2005 (DRA)(Medicaid compliance mandates), behavioral health law and more. She also presents in-house seminars for legal, operations, sales, risk and insurance personnel of clients, either in person or through the use of virtual conferencing tools.


Ms. McDonald-McClure is the creator and editor of the Wyatt HITECH Law Blog, named after the Health Information Technology for Economic and Clinical Health Act of 2009 a/k/a The HITECH Act. The HITECH Act promoted the adoption of certified electronic health record technology (CEHRT).  While the financial incentives were winding down, legal developments on the privacy and security front, beyond healthcare, were ramping up.  By late 2015, the Wyatt HITECH Law Blog expanded its focus.  Today, the blog is no longer limited to HIPAA and HITECH and covers legal developments in privacy and security that have implications for anyone handling confidential personal information in any industry sector.