AHLA's Speaking of Health Law

Top Ten 2023: Data Privacy Requirements

AHLA Podcasts

Based on AHLA’s annual Health Law Connections article, this special series brings together thought leaders from across the health law field to discuss the top ten issues of 2023. In the sixth episode, Barry Mathis, Principal, PYA, speaks with Valerie Breslin Montague, Partner, Nixon Peabody LLP, about the new data privacy laws that have just been released. They discuss how health care entities and providers can remain compliant with the new laws and prepared for possible data breaches, considerations for telehealth programs, and risks for hybrid workforces. Sponsored by PYA.


To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

AHLA is pleased to present the special series highlighting the top 10 health law issues of 2023, where we bring together thought leaders from across the health law field to discuss the major trends and developments of the year. Support for AHLA in this series is provided by PYA, which helps clients find value in the complex challenges related to mergers and acquisitions, clinical integrations, regulatory compliance, business valuations, and fair market value assessments, and tax and assurance. For more information, visit pyapc.com.

Speaker 2:

This is, uh, another episode of the, uh, Top 10 Podcast with the American Health Law Association. I'm Barry Mathis with PYA and I have with me today as, as a guest. Is is Valerie Montague. Uh, and we're gonna be talking about, uh, the article that Valerie wrote. It's episode number six of the Top 10 podcast, uh, entitled "A New Year, New and Old Data Privacy Requirements." Valerie, before we get started, why don't you introduce yourself to our listeners, tell a little bit about your practice.

Speaker 3:

Sure. Thank you Barry, and thanks to AHLA for having me. I'm looking forward to this discussion. Uh, my name is Valerie Montague. I am a, uh, health information privacy and healthcare partner at Nixon Peabody in Chicago. And my practice focuses on just everything we're gonna talk about today. So compliance with HIPAA and other federal, uh, you know, security and confidentiality requirements, as well as state law. Everything from structuring a compliance program to incident and data breach analysis, and also, um, you know, also working with organizations to try to keep them outside of the regulatory space if, if their operations allow. So happy to be here.

Speaker 2:

Very good, thank you. Happy to have you here, uh, with these podcast series with AHLA. So we've, we've got a, a small amount of time. We wanna cover as much ground as we can. Um, and to borrow a, a cliche that's been around a long time, the only real constant is change, and there's nothing more true when it comes to healthcare compliance. It seems like every year there's a little something changing, we hope for the better, pushing towards, uh, more compliance that makes sense for processes and, and treatment and care of patients. Uh, and in this case, we're, we're talking about the, the new privacy laws that have been released in 2023. So without, without getting too far into the weeds there, I don't wanna drag you into a, a full privacy discussion, but just a little overview, what are these privacy laws and, and how, you know, when they came about in 2023 and who are they primarily impacting?

Speaker 3:

Sure. So, you know, as, as everyone knows, California has kind of been the, the leader in this consumer privacy space with their, uh, CCPA, and this year we're looking at some significant modifications to that through the CPRA. And then a number of states have kind of followed suit as they have in, in the, in the recent past with some, some new privacy, consumer privacy laws popping up, um, at the start of this year. So I think it's, it's designed to protect, you know, consumer privacy law in, in across sectors. It, it does have an impact on healthcare organizations, as you could see from the article. There's, there's some carve outs if you're regulated under HIPAA, if you're a nonprofit, depending on the specific laws. But again, a lot of those organizations hold data that might be subject to the particular requirements if it's not a, you know, an organization-wide or entity-wide carve out. So it's just some, another layer to add when you're trying to understand the regulatory scheme is, is what states are operating in and, and what consumer privacy regulations they have in place.

Speaker 2:

Very good. And you mentioned twice in, in that explanation carve outs, um, so that our listeners might understand when we're talking about carve outs. One, what, what are those carve outs? Not, not individually specifically, uh, and should, should those consumers or, uh, entities who are trying to remain as compliant as they can, what should they be on the lookout for in terms of understanding those carve outs and how it might impact them?

Speaker 3:

Yeah, you know, I, I think it's important 'cause I know a lot of our industry obviously is, is so focused on HIPAA compliance, and that's sort of, you know, the, the overarching standard that a lot of healthcare organizations are held to. And there's a lot of focus on what you can and can't do under HIPAA. But I think it's important to note as, as these laws filter through, um, you know, if an element of your business is, is subject to them, even if there's, you know, even if the particular law says compliance with HIPAA is satisfactory to comply with, you know, this aspect, you know, the breach notification aspect of the consumer privacy law or whatever that may be. So it's important to understand, you know, first where your operations are, right? What states are you triggering? If you, if you have a, a practice and you have patients coming in from across the border, you need to make sure you're analyzing that as well. Um, and then also once you know, sort of where, where you're operating, what, what laws apply, what carve outs apply, where are the exceptions to the carve out, you know, if, if you're, if it, if your health, if your EHR system data is carved out, well, maybe your employment records are not. So it's really important to understand where you're operating and, and what laws apply.

Speaker 2:

Right? So it is, there's a lot of changes between the states. So I think, uh, one of the takeaways I get from that is knowing what's there and the privacy changes based on the state that I'm operating in and those surrounding states, uh, is, is a very important part of understanding my, the impact to the organization that I may work for. Right?

Speaker 3:

Yeah, that's exactly right. And I think in, in, you know, in, in today's world, as organizations become more nimble and have the ability to operate across the country or across the region, it's really important to keep an eye on what those applicable local, um, units are doing over and above what you may be subject to on the federal side.

Speaker 2:

Perfect. So, uh, we, we both work in similar spaces, uh, with clients who come to us for, for various reasons. Uh, sometimes it's, it, it's advice on here's the new law, what should we be looking for, which you've spoken to. A lot of times it's because something has happened, right? Uh, and the most common something that's happened these days seems to be a data breach, either an internal to external by accident or an external breach from a bad actor. So, uh, we've been living with breaches now for quite a while. It doesn't seem like it's going to stop based on, uh, the, the clandestine folks and the dark web and the bad actors, uh, that are doing their damage plus just good old human factor. Uh, we make mistakes. We, we, we release things we shouldn't to the wrong people, it's just part of being a human being. So, as related to these privacy laws, um, what should entities and providers be, uh, preparing for? How can they prepare in advance, uh, for such a breach, uh, internal or external?

Speaker 3:

Yes, that's a great question. And I, I think as, as, as you and I would both advise, it's, it's great to have a plan in place before something happens. So an incident response plan is, is probably the first plan of action. And, you know, to the extent you have one of those on the shelf, pull it out and, you know, run through it. Make sure that the details are updated, make sure the contact information is updated because when you get that first call from a user who's not able to access the system or from your IT department, you wanna be able to, you know, pull that out and, and get ready to roll and, and be efficient in your response. I think another really key aspect and, and you know, I'm seeing this right now on a project I'm working on is, you know, data mapping. Know what you have, know where it is, know what kind of data it is, know whose data it is. Is it your employees' data? Is it your vendors' data? Is it health? You know, patient data, member data. Um, and then, you know, again, back to where you operate, what, where do your patients reside? Where are your vendors located? What, what states are implicated? Because you'll need to know that pretty quickly at the start. So you know what timing obligations you may have. And then the last thing I'll point out is, you know, beyond the laws and regulations, you wanna have a sense of your contractual obligations, particularly on the vendor side. If you're gonna be reporting up to a covered entity or a customer of any sort, you wanna make sure what your contracts say about, you know, these types of incidents. Do you have a security incident reporting requirement? Do you have to report potential breaches? Is it more than just something that's a catastrophic incident? So really having that framework in place before anything happens is going to save you time and money if something does happen.

Speaker 2:

Yeah, well you, you've really hit on something there. Uh, the, the end that's so, so important. Um, I have experienced, uh, some clients and, and again, uh, from an advisory standpoint, not necessarily legal, that, that didn't clearly understand even what their cybersecurity insurance policy required in terms of reporting breaches or, um, timing on reporting to that insurance in order to be able to file a claim and things. So I, I think the, the listeners absolutely, that last point you made is, is huge understanding, backing up from that, it's one of the first questions an investigator's gonna ask you is, where is your data? What have you done to understand what type of data you have? What is the universe? Because quite honestly, if they ask you, are you protecting your data? And you say yes, but you can't answer the former question, then the second question becomes, you know, uh, a lot less integrity that we're protecting our data if we don't know where it's at and how we're using it. So, great, great, great points. Um, one of the things that I, I wanna touch base cuz you, you mentioned a few things in your article and some of the carve outs and, and you know, uh, kind of post-COVID-19 I think is mentioned a couple of times, um, post or or during the, the pandemic, we had a lot of relaxed regulations around what we could do to treat patients remotely. Well, now all that's being rolled back, right? And, and these new privacy laws in the states, there's, there's likely pieces and fingers of that. So from a telehealth standpoint, uh, if I'm currently running telehealth, what are the kind of things that I should be, uh, asking myself or, or looking for, uh, with regards to new privacy laws?

Speaker 3:

Well, I think, I think an important one, you know, as, as things roll back is, you know, if there was obviously flexibility on the, the use of platforms during the pandemic and they didn't have to be, you know, your vendor didn't have to have a business associate agreement. They didn't necessarily have to comply with HIPAA. So I think to the extent an organization hasn't addressed that. And um, you know, obviously switched vendors or, you know, worked, made sure that their vendor comes up to compliance with HIPAA and signs a business associate agreement, that's an important one. You want really wanna make sure you've got that in place before that, that flexibility is kind of taken back. Um, another thing I think, you know, you, your workforce is, is is operating in a different manner and you wanna make sure if you haven't during the, the, the rush of the pandemic and when you're focused, especially at the hospital and other healthcare provider level may have been on other things, you wanna make sure your workforce is trained to operate in this, in this new environment. You wanna make sure that they, um, understand what the regulations and the requirements are, your internal policies, especially when they're, you know, when they're using these platforms that they may not have used before. And then on the, the vendor side, you know, to the extent you didn't have the opportunity to dig deep and really understand your vendor security scheme, whether you're, you know, HIPAA regulated or not, I think that's an important, you know, uh, task to take. And, and you know, if, if there's a, the contract up for renewal or a new platform that is being presented to you, you really wanna take the time to dig into, you know, that what the security posture is at the vendor and get comfortable with that because obviously if, if they're using your data or if they have access to your data, there's, there's risk on your end too. So really having a solid understanding of who you're working with.

Speaker 2:

Very good. I'm gonna back up a couple of points in there kind of in the middle. You'd mentioned the workforce in your article and, and I'm not reading it, I'm, I'm actually recalling it cuz I did read the article, um, this, you described it as hybrid, it's kind of this hybrid work from home. So I I, you know, my experience, those who, who, uh, clearly work from home, uh, for example, coders and, and a lot of those have gone home. Uh, they, they developed work at home policies, procedures, and practices, and then you've got those that are remaining in the office. But to, to your point, and I, and from the article, it's those hybrids, right, that compose because they're, they're kind of back and forth, sometimes they're remote, sometimes they're at home. And, and I'm wondering if we could focus just, just for a couple of minutes on some of the risks associated with that and maybe what folks should be looking for, uh, around a hybrid approach, specifically policies, procedures, which I don't think a lot of them have.

Speaker 3:

Yeah, absolutely. I mean, I think a first step is to understand how the technology is gonna work. You know, is is there a device that they're bringing back and forth? Do you have the, you know, control over that device with encryption and the, you know, the, the login, um, through the, the, you know, secure network and all that. Um, I, I think it's also important in addition to, to updating the policies to make sure that this remote, uh, workforce and the remote operations and the hybrid operations are included in the organization's security risk assessment. Um, even if you're not HIPAA regulated, whatever sort of technical compliance assessment that you undertake to make sure that, you know, you're identifying the risk areas and that you are taking that and, and implementing a corresponding risk management plan to address anything that's been identified. So whether it's bringing laptops back and forth, whether it's the secure network they log in through at home, you know, whether it's uh, you know, the, the security of their workspace when they are working remotely in a, you know, a public manner. So I think that it's important to kind of think through and make sure you're analyzing it from a training perspective, from a policy perspective, and then also from, you know, an IT security perspective.

Speaker 2:

Great. Um, I couldn't agree more. The, the hybrid nails it. It's a, it's a very good description because for those who are strictly working at home, they likely have policies for a secure and effective workspace at home. They have the portals, they're using the same portals that someone who travels for that work. But when you get into that hybrid, you, you mentioned it, I think about at least twice in your explanation, it's back and forth with that, that mobile device, you know, uh, we've seen, you know, good practices or best practices about storing it in the trunk, not letting anybody see you, that you don't, you don't do it in the middle of a trip kind of thing when you've forgotten. All those kind of things need to be addressed because they can lead to these breaches we talked about. And, um, I think with these new privacy laws, again, uh, reemphasize, you need to know what state, you know, or you know, what state you're in, you need to know what those privacy law changes are in that state because some of that could be infected, impacted, um, with, with new requirements around even those hybrid tell, uh, those hybrid remote work and telecommuting situations. So, very good. Thank you. Um, the, the next, we'll try to kind of finish things up with this right here, but we, we talked about the telehealth and the carve outs and things and, and those are great things to focus on, but really there's more, right? I mean if you, if, I mean we've talked about HIPAA, we, there's other things beyond that. It goes beyond those things. So talk for just a minute about how this kind of accordions out into other privacy, um, uh, risks associated, not just telehealth and these carve outs, but, but everything else. Cause people tend to focus on those, those kind of things that they're, they're may be experiencing, but there's some other things they should probably be looking at. Correct?

Speaker 3:

Yes. I mean, I, one key one that jumps out for me, especially with, you know, newer organizations who are entering the healthcare space, you know, vendors that popped up during, during the pandemic is sort of your outside-focused disclosures on how you're going to use information, both, you know, to your customers and also publicly facing. So, you know, if there's a privacy policy on the website, terms of use, to make sure those are accurately describing how the data is going to be used, how it's going to be disclosed, how it's going to be protected if you're, you know, again, even for organizations outside of the HIPAA scheme, I, if you have some sort of data incident, if you have some sort of patient complaint, you run the risk of having the FTC come in and say, Hey, you know, what you have on here doesn't seem to be how you're actually using the data or, you know, you don't have this whole category of disclosures but are part of your operations, you know, made, made public to the, your individual customers or, or to, you know, individuals who are using your services. So I think that's a key area that sometimes can kind of slide under the radar and again, that applies, you know, across the board.

Speaker 2:

Very good. So, uh, we'd like to thank those that have been listening and we've been talking to Valerie Montague and, and Valerie's with uh, Nixon Peabody and they should be proud to have you cuz you absolutely know your stuff. We thank you for your time and uh, we hope folks will tune in to the next series of podcasts.

Speaker 3:

Thank you Barry. Appreciate the conversation.

Speaker 1:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.