Paul Rothermel
Managing Attorney
O: 651.430.7150
M: 651.364.7514
Paul Rothermel advises medical device manufacturers, pharmaceutical companies, digital health companies, and healthcare organizations on privacy, cybersecurity, and data governance matters that sit at the intersection of regulation, technology, and real-world operations. Clients turn to Paul for advice on privacy and information security requirements for product design, clinical research, commercialization strategies, reimbursement programs, cross-border data flows, and policy-level risk management.
Paul’s practice is shaped by a practical understanding of how privacy and cybersecurity programs function inside complex organizations. He works closely with legal, compliance, IT, security, product, and commercial teams to translate HIPAA, state privacy laws, GDPR, and emerging regulatory expectations into operational programs that can be implemented, defended, and sustained. Whether the issue involves launching a new digital product, responding to regulator scrutiny, supporting M&A diligence, or designing internal governance, Paul focuses on helping clients make defensible decisions that align compliance obligations with business realities.
At Gardner Law, Paul serves as a strategic resource for clients navigating privacy, AI, and data protection across the full product and business lifecycle, with a particular focus on FDA-regulated industry where enforcement, reputational risk, and operational complexity are closely linked.
Focus Areas
Paul’s practice focuses on privacy, cybersecurity, and data governance for healthcare and life sciences organizations, including:
- HIPAA Privacy, Security, and Breach Notification compliance
- State privacy laws, including CCPA and emerging comprehensive privacy regimes
- GDPR and international data protection compliance
- Digital health privacy, website and application data collection, and online tracking risks
- Clinical research privacy, including informed consent, cross-border transfers, and DPIAs
- Cybersecurity risk management, incident response planning, and third-party risk
- Data protection provisions in commercial, technology, and clinical agreements
- Appointment and support of privacy officers and data protection officers
Representative Experience
- Designing and operationalizing enterprise privacy and information security programs aligned with HIPAA, state privacy laws, and GDPR
- Serving as privacy officer and data protection officer for U.S. and global organizations
- Drafting and negotiating business associate agreements, data processing agreements, standard contractual clauses, and complex data governance provisions
- Counseling device and drug manufacturers on privacy requirements in clinical trials, reimbursement and patient support programs, and post-market activities
- Conducting privacy and cybersecurity diligence in connection with mergers, acquisitions, and strategic investments
- Advising on website and mobile application privacy issues, including online tracking, consent mechanisms, and regulatory enforcement risk
- Supporting incident response planning and post-incident remediation efforts
- Performing assessments of vendor, partner, and third-party privacy and cybersecurity controls
Differentiators
Paul’s work is distinguished by a focus on operational credibility and defensibility. Rather than treating privacy and cybersecurity compliance as a document exercise, he helps clients build programs that reflect how data moves through their organizations and how those practices will be evaluated by regulators, partners, and counterparties.
His experience advising regulated manufacturers and digital health companies informs a pragmatic approach that anticipates downstream scrutiny from regulators, business partners, and enforcement authorities. Paul is known for working efficiently with internal teams, spotting issues early in product and program development, and helping clients navigate ambiguity without overengineering solutions or introducing unnecessary friction.
Clients value Paul’s ability to provide clear risk framing and actionable recommendations, especially in fast-moving situations where legal, technical, and business perspectives must align quickly.
Thought Leadership, Teaching, & Ventures
Paul regularly writes and presents on privacy, cybersecurity, and emerging regulatory issues affecting healthcare and life sciences companies. He speaks to legal, compliance, and operational audiences on topics such as HIPAA compliance, privacy officers and governance structures, online tracking risks, AI and privacy, and cybersecurity readiness.
He contributes to firm publications, client alerts, and webinars, and has been recognized for his thought leadership in addressing evolving privacy enforcement and regulatory trends impacting regulated industries.
Education
- Juris Doctor, Mitchell Hamline School of Law
- Bachelor of Arts, History, University of Northwestern – St. Paul
Admissions & Affiliations
- State of Minnesota
- Minnesota State Bar Association, Health Law Section
- International Association of Privacy Professionals
- Certified Information Privacy Manager (CIPM)
Personal
Paul enjoys spending time with his wife and two boys – camping, attending concerts, and, as a long-suffering Minnesota sports fan, at various sports events. He is an avid French horn player and finds time to play basketball and other sports when he can. He and his wife also volunteer together with a non-profit, Together for Good, which works to keep families together through difficult circumstances.
Honors and Awards
- Super Lawyers Rising Star 2023 – 2026
Articles, Presentations & Press
- Are You Prepared for a Cybersecurity Incident?
- No Slowing Down: Three More State Privacy Laws Take Effect
- California Privacy Claims Target Online Tracking
- Privacy and AI Heatmap for 2026: What Device & Drug Makers Should Watch in 2026
- US State Privacy Law Replay 2023
- New WA Privacy Law ‘Turns The Beat Around’ on Drug and Device Makers
- Whose Data Breach Is It Anyway?