AHLA's Speaking of Health Law

Strengthening Cyber Posture to Effectuate Compliance and Mitigate Penalties Under HIPAA

April 18, 2023 AHLA Podcasts

Andrew Mahler, Vice President, Compliance and Privacy, Clearwater, speaks with Jennifer Kreick, Partner, Haynes and Boone LLP, about how health care organizations can strengthen their cybersecurity measures in light of the 2021 HITECH Act Amendment and the HHS Office of Civil Rights’ 2022 guidance regarding recognized security practices (RSPs). They discuss some examples of RSPs and how organizations can navigate the complex regulatory environment to operationalize cybersecurity practices. Jennifer recently co-authored an AHLA Briefing on this issue. From AHLA’s Health Information and Technology Practice Group. Sponsored by Clearwater.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

Support for AHLA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Their solutions include their proprietary software-as-a-service-based platform, IRM Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise, and advisory support from their deep team of information security experts. For more information, visit clearwatercompliance.com.

Speaker 2:

Hi everybody. Thanks for joining our podcast today. Um, I'm Andrew Mahler. I'm the Vice President of Privacy and Compliance at Clearwater Compliance. And, uh, here with me today I have Jennifer Kreick, uh, an attorney and, uh, very, very happy to be speaking with her, uh, as we talk through, uh, cybersecurity risks and, uh, and, and other, other issues that we're seeing, you know, and you're seeing out in the field, Jennifer. So Jennifer, welcome. And, um, could I get you to introduce yourself for the, uh, for the listeners?

Speaker 3:

Sure, absolutely. Thanks Andrew, and I'm excited to be here as well. Um, my name is Jennifer Kreick. I'm a partner in the healthcare practice group at Haynes and Boone. Um, I really just work with our healthcare industry clients on healthcare regulatory and transactional matters. So that's everything from HIPAA and health information privacy and security, fraud and abuse, corporate practice of medicine, um, some other healthcare compliance issues. And I also serve as the HIPAA privacy official for our law firm when they act as a business associate.

Speaker 2:

Oh, that's great. And, uh, we, you and I were talking earlier about, uh, about your career path and, and you've had an opportunity to do a lot of different, you know, different things, you know, in your life, in your professional life as you've been, uh, as you've been moving through, uh, you know, different roles. Um, could you share with us a little bit about, about your background and, and sort of how you came to, uh, to be at Haynes and Boone?

Speaker 3:

Sure. Um, so, you know, before going to law school, I worked as a project manager for an electronic medical records software company. Um, and that was really kind of my first job out of college, uh, implementing, um, EHR systems at, at hospitals and, and health systems. Um, and, and that was really helpful and beneficial for me because it was, it was pretty much my first exposure to the healthcare system outside of being a patient. Um, and, and I got to see, uh, you know, provider workflows. So everything from, you know, scheduling to conducting the visit, um, the billing side, uh, you know, just kind of the whole process. Um, and, uh, you know, this was back in 2008, so, um, a really exciting time to be in, in healthcare and particularly the, you know, health information technology, um, industry. Uh, you had things like the HITECH Act, uh, coming out, you had Meaningful Use coming into play. Just, you know, all of these things kind of felt like a rush to implement EHR systems. Um, and it was really fun. Uh, one of the things that I guess got me interested, not just in healthcare, but in, in the legal side, was, um, you know, some of the work that I was doing with the, um, patient portal software. And, um, so what happened there is, um, issues coming up around, um, you know, Andrew, we had talked about this before, uh, kind of proxy access for minors. So, um, you know what I'm talking about there is like a parent or a guardian (mm-hmm) accessing a child's records. That's probably the most common, um, instance. And, um, there are state laws that can, you know, impact or potentially limit or restrict a patient's, uh, a parent's access to certain sensitive health information, um, o of their child. So something like HIV results potentially, or, um, you know, substance abuse treatment, something like that, uh, wi without a minor's consent. Um, and so there were questions coming up around how to set up the system to, to account for these laws.
Um, so for example, you know, do you automatically terminate parent access at a certain age? Do you try to maybe restrict access to certain types of, of, uh, procedures or, or test results? I, if you can do that on a procedure basis, you know, even if, if that's really possible. Um, and then what about, you know, what if you operate, uh, what if you're like a national health system and you operate across, uh, state lines? Um, so, so these were the questions that were coming up and in my mind they were really, um, just kind of fascinating issues. And, uh, I will say it's kind of funny sitting here talking with you today, because these are really some of the same questions and issues that still, still are coming up. I, I still, still see clients dealing with these today.

Speaker 2:

Well, I was gonna say, I mean, I think especially with 21st Century Cures Act and information blocking, you know, I'm sure I know for us, and I'm sure for you too, we're hearing, you know, some anxiety from, you know, from people in, in operations roles within the healthcare setting, trying to figure out, you know, okay, h how, how can we comply with the information blocking rule and at the same time protect, uh, protect patients who may be minors, um, and also making sure that we're making, you know, the data accessible to, to their legal guardian or, or parent under state law. So I, I think it's probably just, I, I probably gotten a bit more complicated maybe, you know, over the years too. I'm, I'm sure you've, you've had some experiences with that.

Speaker 3:

Yeah, that's a good point. I would say, yeah, it's definitely an issue that's not going away. And, and like you pointed out now, probably today, even more complicated (laughs) than what was before, so

Speaker 2:

(laughs), right. Well, um, we're really here to talk, uh, talk about an article that, uh, that the American Health Law Association put out that, that you authored, uh, Strengthening Cyber Posture to Effectuate Compliance and, and Mitigate Penalties Under HIPAA. And this, this came out earlier this year in January. Um, fantastic article. I, I really learned a lot reading through this. Uh, I'm wondering if you can share, uh, share for our audience, you know, a bit about, uh, a bit about this article, maybe a, a high level summary and, and also maybe what caused you to, uh, to really want to, uh, put, put this article out there.

Speaker 3:

Sure. Um, absolutely. So, um, maybe I'll take the, the kind of second half first. So we had been, um, you know, kind of monitoring and seeing throughout the year. And, and so this was back in 2022. So, uh, kind of throughout 2022, um, you know, just a lot of publications and, and guidance coming out from OCR. There were some blog posts, there were some, you know, newsletters, um, you know, a, a, you know, Q1 report type of thing. Um, and, and just really kind of giving, uh, number one, kind of putting folks on notice about cybersecurity risks and, and focusing on those. And also, um, you know, providing some really good guidance on, on how to address some of these risks and, and how the, the HIPAA Security Rule applies and, and, and kind of some guidance, um, for, for compliance. Um, that was really helpful. And so, you know, then we saw, um, you know, there had been a, a 2021 HITECH Act amendment specifically on, um, recognized security practices. Um, and, and what it did is it added a requirement for OCR to consider a regulated entity's, so a covered entity's or business associate's, implementation of, of recognized security practices or RSPs, um, in certain HIPAA compliance and enforcement activities. So what, what that really means is that OCR is going to take into consideration the RSPs, um, that a, a regulated entity has had in place for the previous 12 months when OCR is making decisions around, you know, fines or audits or, or other remedies, um, you know, for potential violations of the HIPAA Security Rule.
And, um, so they had released a, a YouTube video in October that provided some guidance around the, um, you know, implementation and, and interpretation of, of some of these RSPs that, you know, just given all the past guidance, um, seemed like a really good time to, uh, step back and, um, provide not just a, not just kind of an article on, um, RSPs and, and kind of summarizing OCR's guidance there, which we, which the article does, but it also provides a kind of broader checklist based on some of the other guidance, um, that OCR had given. Um, and, and so kind of summarizes everything in one place and, and gives folks, um, that kinda guidance, um, and the recommendations in a more consolidated and, and maybe easier to read format.

Speaker 2:

Yeah. And I, I guess if I can, you know, reflect it, reflect back to you, um, you know, so that, so I, you know, really understand and, and listeners do too, it, so OCR put, put out this, um, you know, this request, uh, for public comment and, you know, is the idea that a recognized, you know, recognized security practices would, would essentially be a, you know, uh, a, I mean, you, you talked about it as a mitigating factor, but it could be essentially a basis for, you know, what appears to be an effective cybersecurity program, and then we'll, you know, as, uh, sort of thusly if there's a, an investigation or an audit, um, you know, that type of an effective cybersecurity program could, could serve as a, you know, a mitigating factor if there's large penalties or fines. Am I, am I sort of stating that correctly?

Speaker 3:

Sure, absolutely. Yeah. And, and so I, I think what's important there, Andrew, kind of what you're pointing out is, um, you know, this is not, uh, you know, the implementation of the RSPs is voluntary, so it's not mandatory. Um, it's, it's not absolutely required. Uh, although I will say there is a lot of potential overlap sometimes between HIPAA Security Rule requirements and, and maybe some of these, um, RSPs, uh, but anyway, it, it, it really is a, a voluntary, um, thing and, and there's no penalty for failing to implement them. Um, you know, a another point I think that OCR had stressed is, um, in its YouTube video, is that these are the impl, even if you do implement RSPs, it's not a safe harbor. Um, so it's not like a get-out-of-jail-free card or, or, or anything like that. Um, it doesn't provide immunity from liability. Uh, but OCR will consider RSP implementation, like you said, as a mitigating factor, um, in if they, if there is a HIPAA Security Rule, um, investigation, and, and if you do kind of properly implement them and, and have the required documentation to, to, to demonstrate that, um, then it can result in an early and potentially favorable termination of, of an audit.

Speaker 2:

Yeah. That, that, that makes, that makes a lot of sense to me. Um, o one thing that I'm, I'm curious about, you know, when, when we talk, you know, when we talk about recognized security practices, o obviously that can mean a lot of things. Um, and, and we've heard, you know, since, since HHS put out this, this, you know, uh, request for comment and, and information, um, you know, a lot of movement around, okay, what, what do recognized security practices mean? What do they look like? And so I guess I'm curious, you know, could you give us some examples of what you're seeing, you know, what, what maybe your clients are doing to prepare or to sort of start thinking through recognized security practices? And, and then maybe just a second question, wh where does, you know, where do frameworks like HITRUST and, and other frame, you know, other frameworks fall into this if, if, you know, or you have predictions?

Speaker 3:

Yeah. So that's a great, great question, Andrew. And, um, you know, I, I would a actually also be really interested in your thoughts on this, uh, but I'll, I'll jump in and give some initial comments and then would love to hear what, what you think about it as well, um, and what you're seeing. So, um, you know, the HITECH Act amendment, they specifically recognized three categories of RSPs. So, um, the, the first RSP category was, um, you know, essentially standards and guidelines and best practices, methodologies, procedures, and processes that are developed under, um, section (c)(15) of the National Institute of Standards and Technology Act. So that's NIST. Um, and you know, most, most folks, I'd say, um, you know, at least in like cybersecurity and compliance, especially in the healthcare industry, they're familiar with NIST. And so that's probably the most, um, common approach that I see, uh, just, you know, from clients, um, that I work with. Um, and, you know, so covered entities and business associates that choose the NIST kind of FR category, um, are going to adopt cybersecurity practices that align with the Cybersecurity Framework. Um, the second category of, of RSP is, um, approaches under section 405(d) of the Cybersecurity Act of 2015. And, and so folks that, that implement, um, those, what they're really doing is they're implementing the cybersecurity practices that are described in the Health Industry Practices: Managing Threats and Protecting Patients technical volumes. Mm-hmm. Um, and then the last category is, is essentially kind of an "other" category, but there's a caveat. So it's other cybersecurity programs that are recognized by statute or regulations. And, and that's really kind of the key piece. Um, and, and that's something that OCR has, has stressed is that they're gonna ask for the specific citation.
I, if that's the category that folks choose to use, um, they're gonna wanna see the statute or, or citation that you're relying on there.

Speaker 2:

Yeah. I, I, I think we're seeing, uh, essentially the same thing, you know, within our, our client base and, and out, out in the field. And, and I guess I wanna make one, one quick clarification too. I, I think I've been referring to this as, as a request for public comment, and I just wanna clarify. It's, it's technically an RFI, uh, request for information. So sorry about that, Jennifer. Um, and, and I think, you know, when we're thinking about the, you know, what these RSPs are, you know, I think my, my hope for the direction that HHS will go with this is, is to take, you know, exactly the approach that you've outlined as opposed to, you know, as opposed to HHS taking a, a really firm stance on a particular framework or methodology, but, but to embrace, you know, potentially a variety of, of, of these frameworks and, and, you know, potentially that's aligning itself a bit more with, with NIST, because I, I think that's, that's what we, what we tend to mainly see, you know, our clients really looking to, in terms of, uh, in terms of frameworks.

Speaker 3:

Yep. Agreed on that. Um, yeah, I mean, it, it's a, it's an interesting point. I, I think, like you're pointing out, I, you know, I think HHS has in the past kind of referenced NIST, um, in, in other, um, contexts. So I'm, I'm thinking specifically about, um, kind of su secure destruction and, and that sort of thing. Yeah, yeah.

Speaker 2:

Yeah. I, and I guess where I'm, where I'm also sort of thinking, and I'm curious, uh, curious about, you know, you have been, you know, you talked about, you know, your, your career even, even before, uh, before, you know, becoming a partner at, at Haynes and Boone. And I, I guess I'm wondering, you know, for you, when you're thinking about when you're advising clients or you're, you're helping to, uh, to represent them, you know, helping them to, to think through how can they meet the, the legal requirements, how can they meet the regulatory requirements? Um, you're sort of operating, you know, in, you know, essentially using, using one of your hats, right? And your other hat that, you know, maybe stems from your prior, your prior role in prior life is, is more on that operation side where you're actually having to, to build it and do it or, uh, or help, you know, manage people who are building it and doing it. And, and so I'm curious, you know, do you, do you sort of have, do you draw distinctions, you know, in terms of how you're thinking about, uh, providing legal advice now versus, you know, how, how an organization can really operationalize some of these cybersecurity practices? I hope that question makes sense.

Speaker 3:

Yeah, it, it does, Andrew, and it's a great question. Um, and, and it's something that folks like I would say really, really struggle with. Um, and, uh, you know, I, I see this from a lot of different, um, I would guess I, I, I would say viewpoints or, or lenses maybe. Um, you know, in terms of, and, and I really feel for our, our healthcare clients, because they really are dealing with such a complicated regulatory, um, environment, and there are so many di they get pulled in so many different directions. So I, I feel like sometimes it's, it's about like, what fire do I put out today? Um, and, and what legal issues am I dealing with today instead of maybe looking be or having the, um, the ability to kind of take a step back and look broader about kind of what's best for the organization and, and where should I, um, uh, you know, kind of focus long term. Um, you know, one of the challenges I think folks deal with in, uh, you know, trying to operationalize some of these things are the, essentially the costs and the resources that are involved in, um, kind of effectively managing these cybersecurity risks and, and developing a good cybersecurity program. Um, you know, and one of the issues that I see a lot or, or folks dealing with is, um, you know, kind of this, um, proactive versus reactive approach. So, you know, on, you can take kind of a, um, you know, in, in terms of having to, to put out the fires on a, on a daily basis, you know, a lot of times I get pulled in when somebody ha already has a security incident that they're dealing with. And so we're, we're kind of working at it backwards, right? We're, we're trying to see what documentation we had in place and, and how can we mitigate this and, and that sort of thing. And, and we do also put in place, um, you know, programs and, and efforts to improve things, um, policies and, and cybersecurity programs going forward. But a lot of it is, is kind of in that reactive framework.
Um, and, and, and it makes sense, right? I mean, because folks are getting pulled in in such different directions. Um, you know, I, I would say what, from an operational perspective, you know, I, I think it is real, it's harder to implement, um, or to do effectively, but the more that you can kind of develop this proactive approach in terms of, um, you know, really having an effective, um, cybersecurity program in place to, uh, kind of, you know, identify, respond and, and address these types of inti incidents before they occur, um, that can really put you in a, in a much better place, although it is a lot harder to do. Um, and, and so I think these, uh, the kind of focus on the RSPs is potentially a good way to encourage folks to, to do some of those things. Um, you know, one of the things I see, um, happen a lot, and it's, you know, nobody's fault, but it does kind of happen is, is you end up having kind of your HIPAA policies and procedures, uh, kind of tucked away in a drawer, or, um (laughs), you know, maybe you, you just, you know, it's something that the IT team deals with, and, and so it's not kind of like a regular, um, uh, kind of interdisciplinary kind of, um, framework. And, and so I think, you know, to the extent that these RSPs can maybe change that, it, it will be a really positive thing.

Speaker 2:

Yeah. And I, I really love the way that you, that you put that about, you know, working sort of backwards, working, you know, backwards in time as you're helping clients, you know, not not just manage the, the urgent issue, but you know, you're helping to, to sort of weave a narrative, tell a story about, you know, the policies that the, the organization has in place, all, all of the meaningful work that they've done to try to prevent certain things from happening. And, uh, and so you, I I, I think that's a great, great way to put it, that you really are sort of looking, kind of looking backwards with them. And, and I, I know from, you know, talking with some of our clients, and I'm sure this is probably the same for you, uh, to your point, th these issues can become very overwhelming because you have so many fires to put out and, you know, you sort of get to a point where if, if everything's a, you know, if everything's a fire, nothing's a fire, right? And, and I think helping people to, to be empowered to, to really thoughtfully think about how to implement these, you know, these practices, these standards, these, these, uh, controls, um, in a way that, you know, in, in a way where they're able to, to sort of piece that together, maybe even sort of thinking forward in time for them. So thinking, okay, where, where do I want, where do I want to be when we have an incident? And, and what, what sort of story do, do I want to be able to tell about my organization when, when we have an incident or a breach or, or an attack? Because we know we, we probably are gonna have, have all of those things at some point. Um, so I, so I think that's, that's, that's a really, really neat way to put it, Jennifer. 
So I don't know, you know, for o other thoughts that you have in terms of, you know, in terms of organizations sort of proactively thinking about, um, RSPs, I, I know that, you know, you, you've written about, you know, the importance of, of evidence and, and making sure that these regulated entities, you know, have evidence that RSPs are implemented. What, what, what sort of evidence, you know, do you think is important for these organizations to really be thinking about and and preparing?

Speaker 3:

Yeah, so, um, Andrew, that's a, I'm so glad you brought this up because that really is the key here. Um, so, you know, it, it is fantastic if an organization implements RSPs, but from OCR's perspective, it is going to come down to what sort of documentation and evidence you have in place, um, to, and, and they've really focused on, um, kind of demonstrating that those RSPs are implemented enterprise wide. Um, so I will give you some specific examples of, of what that evidence and documentation can look like. Um, another point that I want to just highlight because, um, OCR has highlighted this as well, uh, you know, they have really, um, focused on, or, or mentioned, I guess, that maintaining an accurate inventory of IC IT assets, um, can, can really help folks ensure that the implementation is truly enterprise wide. Um, so, so that's one good place to start. Um, in terms of documentation, um, you know, they, this can be anything, uh, really it, there's no just, um, you know, one, one thing that's gonna work here. So, so you can get pretty creative with this. Um, this could be things like policies and procedures, uh, that, that involve the implementation and use of the RSPs. It could be potentially project plans and meeting notes or minutes, um, you know, diagrams or narrative detail, uh, about the RSP implementation and use, um, you know, training materials, um, you know, evidence of, of the attendance records, um, that sort of thing. Even, uh, results of server and web vulnerability scans, um, you know, the results or outputs of these RSPs that are implemented, uh, screenshots and reports, anything like that. Um, you know, uh, vendor contracts or invoices, uh, statements of work, uh, you know, the, the type of documentation, um, is really not as important as, as the fact that there is some. Um, and, and the other piece that's really key here is that the documentation should include the dates.
Um, so, so that's, that's going to be one of the key elements because in order to, um, really benefit or, or use this, um, this kind of mitigating factor, you have to show the implementation and use for the entire previous 12 months. Um, so, so making sure that you, um, that have dates on all of that documentation, I is really going to help. Um, you know, the other thing that I want to just make clear, because I know this happens a lot, um, you know, just that kind of initial adoption of the RSP, that is not gonna be enough here. Um, really what you're going to have to show is that it was actively and consistently in use by the organization for that whole time period. Um, so, so this is not something where you just have the policy and procedure and put it in a drawer. This is more of making sure that you have kind of checks throughout the 12 month period, kind of on a regular rolling basis, um, of, of, you know, this documentation.

Speaker 2:

That's, yeah, that's, that's really helpful. I, I mean, we, we, we, we talk with our clients a lot about the importance of, of documentation. And I, I think some of our, some of our longer term clients, you know, they've, you know, the, the more that we continue to, to look at policies and procedures, um, you know, the more they, you know, they feel confident and comfortable that if there is an investigation, if there is, you know, somebody, whether it's, uh, whether it's HHS or, or, or a state AG, that they're going to have, uh, ev you know, to your point, evidence, they're gonna have documentation, they're going to have policies, they will have, you know, um, evidence of meetings, meeting notes, those sorts of things that they can provide to, to the regulator to, to help, again, to help sort of tell the story of all of the work that, that they've been doing. And so I think some, you know, I think I, I don't know if you run into some clients, but you know, some clients like this, but you know, of course, there's, or some organizations that will say, well, you know, why, why is a policy all that important? Or why is a, you know, why are meeting notes all that important? And, and I think to your point, something that we stress a lot, I is just, you know, those, those are oftentimes your first line of defense, and that usually is the first thing that a regulator will ask for is, is some sort of evidence, some documentation. Um, so it's just, I think underscores your, your point, uh, of how vital, uh, vital it is to document the work that's, that's happening as it's happening and, and to, to maintain those documents.

Speaker 3:

Yeah. That, that is really the key here, Andrew. And, and I, um, you know, I feel for, like I said, I, I feel for how challenging this regulatory environment is because it, it, it takes a lot of time and effort, and it takes a lot of resources to make sure that you have the documentation in place that you need. Um, and, and to your point, I do get a, a lot of, um, kind of concern or pushback on, um, you know, the, the volume and amount of policies and procedures and, and that sort of thing that, that folks need. Um, and, you know, I, it, it is challenging, uh, but like you said, it, it just really is so necessary here.

Speaker 2:

Yeah. Um, so as, as we're wrapping up, um, something that I'm, I just have to ask you, I'm really interested in, um, you know, the HIPAA Security Rule's coming up on, its, you know, almost 20th anniversary and, uh, and, and when the rule, you know, was implemented, this is, uh, you know, this was honestly probably only a couple years after, after Google had really come around and been, been mainstream and Facebook and social media and, and so there were a lot of things that the Security Rule, you know, didn't, didn't specifically account for. I, I think it, it's not to say the Security Rule didn't, didn't address those things in different ways or couldn't, but it just, you know, wasn't contemplated. And so I'm, I'm curious, you know, as you're thinking into the future, and, and, you know, I'm, I'm sure you're getting questions from clients about this, you know, as you're thinking, we're thinking about conversations around artificial intelligence and quantum computing and, and all of these things, um, that, that are sort of out there, you know, either in the present day or just in the very near future. Curious, you know, as, as you think about what, what recognized security practices could look like, you know, in an ever-evolving cybersecurity landscape.

Speaker 3:

So, that's a great question, Andrew. Um, you know, what, and, and it's a tough one. Um, I, I think the nice thing about these RSPs is that they are, um, you know, really intended, I think, to allow the, an organization to evolve and grow and continue to evaluate and, and address kind of risk that the, that the organization is facing. And so, um, you know, that's really helpful when you're thinking about things like risks with AI, um, and, and how to assess those risks and, and account for them, you know, things like what information's being collected, how is it maintained, stored, you know, protected, who has access to it, all of those things. Um, you know, so I, I think RSPs can be really helpful for that. Uh, I, I, I think they also do a, maybe a, a really good job, maybe a better job than the HIPAA Security Rule in terms of, um, you know, addressing some of these other issues that, that companies are dealing with and, and need to be dealing with. So things like, for example, um, you know, relationships with vendors and, um, you know, third parties that have access to DA to data, your business associates, um, you know, like supply chain kinda risk assessment processes and, and that sort of thing, audits for, for those third parties. Um, so, so I think that can be helpful and, and that kind of, um, maybe goes to your point a little bit about, uh, some of these, you know, new issues that we're dealing with, um, in, in terms of like tracking technologies and, and things like that. Mm-hmm. Um, you know, I, I will say, I, I just wanna mention this. I, I don't know how many other folks are the, it's funny to me because talking about, you know, AI and, and tracking technologies and, and those types of things, um, are much more forward looking. But I, in my practice on a daily basis, I'm dealing with basic questions around, you know, texting and, and emailing. Mm-hmm.
Um, so, so even though, and, and those are so challenging, um, for, uh, our healthcare clients to, to address within the framework of the HIPAA Security Rule, um, you know, just, you know, texting among healthcare providers, um, who maybe don't have access to and aren't going to be using the same, um, kind of platform or app and, and, and that sort of thing. Texting with patients, emailing, um, it just, you know, these types of things get really challenging. Um,

Speaker 2:

Yeah. That, that's, I mean, that's a, that's a really, really interesting point. I, I think there's a lot of low-hanging fruit that that is, you know, these are the things that people are dealing with, you know, day to day, um, that organizations really need some support around, you know, as opposed to, you know, it's, it's great to be thinking about, yeah, how are we looking at the code to, to see where we're tracking data about people and, and, you know, h how do we feel about, you know, the use of AI in certain contexts. But, but I, I think you're making an excellent point. There's a lot of, there's a lot of basic things out there that people need needs, you know, staff need support around, and I think texting is, is a really great example. I mean, you sort of mentioned supply chain and I think about, you know, managing your, managing your, your cybersecurity risk with your vendors. I mean, these are things that people have been talking about for years and, uh, it still can be difficult to, to operationalize.

Speaker 3:

Absolutely. Yep.

Speaker 2:

Um, so just as we're winding up, Jennifer, and thanks again for, for joining today. Uh, do you, any other, you know, parting words, you know, encouragement, thoughts for, uh, for those out there that, that are, are thinking about, you know, RSPs and, and thinking about, you know, how to really protect, uh, their organization?

Speaker 3:

Well, I don't know if I have encouraging words (laughs), um, uh, but you know, I, I would say one thing is that I, I'm just so proud. I, you know, I, I feel like our healthcare clients do such an excellent job, um, you know, providing patient care and, and really putting the patient first and, and, um, data protection and cybersecurity is, is definitely a part of that. And I, and I think folks are, are really trying to do their best out there. Um, in terms of advice, I would say, uh, you know, like we had talked about, we spent a lot of time on this, but, you know, documentation here is really key. So the more that you can incorporate a documentation kind of practice and process, um, requirement into your RSP implementation and your compliance program generally, um, you know, being able to tr kind of track the dates here, I think that's going to have, um, really be helpful for folks and, and, and make sure that you have the documentation and information on hand when you need it.

Speaker 2:

Yeah. Thanks. Thanks so much, Jennifer. And again, um, Jennifer Kreick, uh, is the guest, uh, for today, partner with Haynes and Boone. And, uh, this is Andrew Mahler, again, Vice President of, uh, Privacy and Compliance at Clearwater Compliance. Thanks again, Jennifer. It's really been a pleasure talking with you.

Speaker 3:

Absolutely. Thank you. Thank you for having me.

Speaker 1:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.