AHLA's Speaking of Health Law

Health Care Data Privacy: Navigating Regulatory and Compliance Risks

May 09, 2023 AHLA Podcasts

Wes Morris, Senior Director, Consulting Services, Clearwater, speaks with Bethany Corbin, an attorney who provides strategic guidance and legal counsel to health care innovation companies and Femtech, about the challenges health care organizations face when attempting to comply with different regulatory frameworks and strategies for compliance related to data privacy. They discuss the HIPAA Privacy Rule, 42 C.F.R. Part 2, and the Information Blocking Rule; navigating the conflicting data privacy structures; how HHS is seeking to harmonize certain privacy requirements; strategies for compliance; and the future of data privacy. Bethany recently authored an AHLA Briefing related to this topic. From AHLA's Hospitals and Health Systems and Health Information and Technology Practice Groups. Sponsored by Clearwater.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

Support for AHLA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Their solutions include their proprietary software-as-a-service-based platform, IRM Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise and advisory support from their deep team of information security experts. For more information, visit clearwatercompliance.com.

Speaker 2:

Good morning and welcome. Welcome to this episode of AHLA's podcast, Speaking of Health Law. I'm your host, Wes Morris, Senior Director of Consulting Services for Clearwater, a leading provider of cybersecurity risk management and compliance services, primarily to the healthcare space. Joining me today is Bethany Corbin, an attorney with almost a decade of hands-on experience providing strategic guidance and legal counsel to healthcare innovation companies and Femtech, a term applied to software, diagnostics, products and services focused on women's health. She holds several certifications in the healthcare and information privacy space, is an advisory board member to the Women's Health Innovation Series and hosts her own podcast, Legally Femtech, which provides practical, ethical, and legal insights to the Femtech community. Bethany has extensive academic and practical experience advising clients on legal risks and emerging regulations that can create conflict for organizations on their journey from startup to global public companies. Our discussion today will take advantage of that experience to address some of the challenges organizations face when attempting to comply with different regulatory frameworks and strategies for compliance. So, welcome, Bethany. It's good to have you here today.

Speaker 3:

Thank you so much, Wes, for that wonderful introduction. I am very excited to be here.

Speaker 2:

Well, excellent. Well, we're gonna dive right in. So you and I have talked a little bit in the past about some subject areas that we think are important to cover. And while we know that some of our listeners will be advanced practitioners with lots of experience in this space, there are also likely to be people joining us today who are somewhat new to the world of, uh, healthcare data privacy, the frameworks, the rules, the requirements, the responsibilities, all of these sorts of things that go on. So it seems like a really good place to start here would be a, a bit of a recap or setting, stage setting, if you will, um, around the different federal data privacy laws that work in the US healthcare system. And so one of the things that always comes immediately to my mind when I think about this subject is this, is that unlike, say, the GDPR, which is kind of global in nature, when we think about the, uh, the US healthcare and, and, and data privacy, um, view, uh, of things is, is that we operate more sectorally. We, we, we start with healthcare has HIPAA, but part of healthcare also has 42 CFR Part 2, that's the substance use, uh, disorder, confidentiality, uh, requirements. And then we have other organizations or related organizations that bring in other rules like the information blocking rule. And then if we get outside of healthcare directly, then we have any number, the Federal Trade Commission has their rules. And, and so all of these things can become somewhat confusing in trying to reach a place of am I doing what I need to do to manage my business and my, uh, consumers that I'm dealing with in their data and that sort of things. So let's go back. Let's, let's go back to 2002 and start with just a brief recap of the privacy rule and then talk us forward through the privacy rule, what you think's important there about that, uh, that our listeners would need to know and then into some of these other, uh, areas.

Speaker 3:

Absolutely, Wes, I'm happy to do that. Healthcare privacy really has evolved, um, you know, in a kind of an interesting trajectory since the publication of the HIPAA privacy rule. And it's especially timely right now because we're seeing a lot of Health and Human Services department rules starting to come out on different types of healthcare data privacy issues. So I think, I think setting the background is a great way to start. And as you mentioned, Wes, I'll start first with the HIPAA privacy rule. So the HIPAA privacy rule is really prohibiting the use or disclosure of protected health information or PHI without an individual's authorization unless an exception exists. Right? So it's more of a do not disclose unless framework. Yeah. And the privacy rule is therefore enumerating these required and permissible disclosures for PHI and that PHI is being housed by either a covered entity or one of their business associates. Mm-hmm. And so when we think about these permitted disclosures or uses, there's a wide range, um, that's contained in that HIPAA privacy rule. And it can include things like treatment, payment, healthcare operations, disclosures that are required by law, um, court proceedings, right? Public health activities, law enforcement requests, those types of things. So whenever we're thinking about that, right, there's also just historically been a lot of confusion amongst providers about how the HIPAA privacy rule applies. And there's sort of been a tendency among certain provider groups to actually withhold more information than they disclose, even though that disclosure would be permitted because the risks of violating HIPAA are pretty severe. So, so that, that is kind of the, the 2000 foot overview of the HIPAA privacy rule. [laughs]

Speaker 2:

I, I often think about it as, um, the, the priv, the HIPAA privacy rule sets guardrails. It says, don't exceed this, but inside these guardrails, you do have a lot more latitude than most organizations tend to use. Um, and, and so what do you think is the key component for a a, um, an attorney who's advising their healthcare client or whatever, what do they need to be thinking about in terms of the, um, how they educate that community, uh, and those providers and the, and the nurses and the front desk techs, and all the various people who have to know this? What's your, what's your take there?

Speaker 3:

Yeah, [laughs] in terms of education of this, it's really important, you know, first that the attorney understand the boundaries of the HIPAA privacy rule and the other legislation that is out there. I can't tell you how many times I even see attorneys misspelling HIPAA, um, right. It's one P, not two, and I can tell you that's the first thing that's automatically gonna make someone think you're not an expert, is if you misspell HIPAA and we've all done it. Right. Even I have done it in the very early stages of my career, and I can, I saw how quickly it diminished your authority. So as an attorney, right? So true.

Speaker 2:

Yes.

Speaker 3:

Exactly. Yeah. You wanna be thinking about how can you communicate the substance of these rules to your client in a way that's gonna be impactful, right? It's not gonna be helpful to them if you just list off, here's the permitted disclosures, here's the required disclosures. You need to be thinking about it in terms of examples, how they can use this, what is gonna be actionable on their part, how can they put this into a policy or a procedure that can protect them? And here's the thing too, right? As, as an attorney, you're often thinking about risk mitigation for your client. And so that, and that too is how the providers are thinking about it, right? We don't wanna get in trouble with HHS, don't wanna violate the HIPAA privacy rule. Interestingly, right? That's not necessarily the approach that the government wants you to take. And we saw this, and I, I know Wes will get into this in a little bit, but we saw this with the information blocking rule, which came out as a way to say, we've seen a lot of providers taking a risk averse approach to data disclosure under the HIPAA privacy rule. We wanna flip that on its head and encourage disclosure and transfer of this health data to promote care coordination. So I think, I think now as an attorney, you've gotta think about it in terms of these two competing priorities, right? You've gotta be risk averse for your client, right? Making sure that they are complying with the law, but doing so in a way that is going to further what the government has said is the objective in healthcare right now, which is that interoperability and care coordination.

Speaker 2:

Yes. Yes. And when we think about how we educate the community that we're serving, you've gotta really think beyond the simple things. Um, I can't tell you how often I go into a healthcare organization to do assessment work or support work for them. And the first thing that I say is, Hey, let me see your HIPAA training. And what I get is, this is Public Law 104-101, signed by Bill Clinton. It was called the Kassebaum-Kennedy Act in the 1990s. And it does nothing to help the people who have to follow that rule understand what they really have to do. So I am so with you on this that you've got to be able to think about it from, I, I love your, your point of examples. Examples make perfect sense. And, and that's sometimes hard for an external agent, such as me or you if we're, if we're not a part of that healthcare system, but we're providing them guidance and insight, we have to continue to bring that point back, don't we?

Speaker 3:

Absolutely, Wes, and the other thing too is you've got to know your client, right? Because how your client needs to implement HIPAA, the privacy rule specifically, right? That can be really different from how another client in this same space is implementing that rule and what they want their policies and procedures to be. And that's another mistake that I often see from attorneys, right, is the assumption that once you've understood right, or created a structure, you can kind of quote, unquote copy and paste that amongst your clients. Mm-hmm. For me, I find it's really important to learn the intricacies of what my client does, right? Where, how are they transmitting this data? What are the most common requests that they're getting? What are the most common violations, right? If they're doing appropriate auditing and monitoring, you know, where are the most violations coming from? How can I create examples or training that's going to really get at the heart of what they need? And so that's something, you know, I, I think for attorneys comes with a lot more experience, right? And, and getting to know more companies and healthcare organizations in that space. But it's something where I have just really found you can't just have, use a cookie cutter approach for data privacy compliance amongst all of your clients.

Speaker 2:

Yeah. I, I remember a few years ago, I was really hitting on that point around educating your workforce on what they really need to understand. And this was shortly after I was, uh, at a conference, and this was shortly after a case at the University of Utah Medical Center where a nurse was physically grabbed, bear-hugged, and lifted and carried out of the building by a police officer because she refused to provide or allow access. Uh, and I found that, I used that example in my, uh, in my training. And the moment you put that on screen and you show them the point being that she had been properly trained and she was doing the right things, it still had an initial ugly outcome, but it turned out to be, um, one of the better things that had happened [laughs] in this space. If you can find examples like that, things that, that grab attention and hold attention, that's how you get people thinking about this. Let's sort of shift a little bit here though, because we've talked so far about the privacy rule, and we've talked about the idea of permissible and impermissible disclosures. I use the term guardrails around what you can and can't do. But then if we look at a slightly different privacy requirement, one that's been around much longer than HIPAA, uh, and that's Part 2, 42 CFR Part 2, the substance use confidentiality records regulation, that puts a really much tighter, uh, requirement on an organization that is subject. So, so we have organizations that are subject to both rules. Talk to us a bit about Part 2 and contrast it to some of the, the privacy rule requirements.

Speaker 3:

Yeah. So Part 2 is something that I see a lot with attorneys who maybe not be, or, you know, may not be healthcare data privacy experts, is something they may not have come across as frequently as the HIPAA privacy rule. So Part 2 is called, right, the Confidentiality of Substance Use Disorder Patient Records. It's located in 42 CFR Part 2. That's, so that's where Part 2 comes from. And these Part 2 regulations only apply to Part 2 programs, right? So you have the HIPAA privacy rule, which applies to those covered entities. Um, HITECH makes it applicable, right? To the business associates. Now you've got Part 2, which is just applying to Part 2 programs. And a Part 2 program is any federally assisted program that's holding itself out as providing, or that does provide alcohol or drug abuse diagnosis, treatment or referral. And so if you are a provider working in a Part 2 program, you are prohibited from disclosing information that would identify a patient as having or being diagnosed with or otherwise being referred for treatment that's related to a substance use disorder, unless an exception applies, right? If you're a provider in that Part 2 program, right? You also can't do things like acknowledge that a person is a patient in a substance use program unless you have that patient's consent, right? And similarly, as with the HIPAA privacy rule, right? There are certain exceptions that are enumerated to this disclosure prohibition. And that can include things like communications with an, you know, a Part 2 program for those who need to know, or medical emergencies or reporting crimes or reporting child abuse or neglect, right? Those types of things.

Speaker 2:

And, and there's one that I will add to the mix that almost nobody knows about. Uh, for, for about 20 years I worked as a substance abuse counselor in the US Air Force. There is a section of the rule that specifically says these prohibitions do not apply to interchange of information within the armed forces. [laughs] So you can get into a real weird place if, depending on who your client is and who you're advising, right? Absolutely. If you don't realize that, go ahead. You, you were, you were

Speaker 3:

Taking a No, that that's absolutely right, Wes. And, and it's interesting, right? Cuz there are so many different, you know, exceptions to, to these rules that apply in different situations. So you've really gotta know what client you're serving, what space they're in, because applicability can really differ.

Speaker 2:

It really can.

Speaker 3:

You know, the other thing that's interesting about Part 2 has to do with redisclosure. Um, and this is, this is a bit different than the HIPAA privacy rule because once substance use disorder, right? SUD data has initially been disclosed, no redisclosure of that information is permitted unless you have that patient's express consent. And so whenever Part 2 came about, right, the goal here of this restriction was to ensure that patients who were receiving that substance use disorder treatment in these Part 2 programs that they were not being discriminated against, right? Or facing adverse consequences related to their treatment and their data. What's actually happening, um, right? Is that we have providers who are both subject to the HIPAA privacy rule and Part 2, and when that happens, right, they've got to implement these different types of data segmentation because of that redisclosure prohibition, right? And the need to kind of keep this data separate from the patient's initial or general medical record, and that produces a lot of administrative burden, administrative inefficiencies, and in the behavioral health context can really actually discourage the use and the adoption of electronic health records. And so that's something that we're also starting to see that can conflict with the government's push towards interoperability.

Speaker 2:

Right? And then that takes us right into, so how, what happens then when you interject another rule such as the information blocking rule into that whole picture?

Speaker 3:

Yeah. The information blocking rule really turned things on its head whenever it came out. And there was, there was a lot of, not only discussion, but I would say panic amongst the healthcare community when that rule dropped because we go from having this longstanding HIPAA privacy rule framework of don't disclose unless to this information blocking interoperability framework that says you must disclose unless. So the first thing to know, right, about the information blocking rule is that it is going to require healthcare actors, which includes healthcare providers, to facilitate real-time or expeditious exchange or disclosure of electronic health information. So we're talking about a subset of PHI here, right? It's PHI that's stored electronically. And so you've got to make that disclosure or exchange or allow access to patients upon their request. Yes. Now that, that's different, right? Than HIPAA, which says do not allow unless. Information blocking is saying you must facilitate this near real-time exchange unless an exception applies. And there are, you know, eight exceptions there within information blocking for things like privacy and security, right? You can't do it because of content and manner, right? There, there's a lot of different exceptions there with a lot of different requirements. Um, but this really, really was kind of a paradigm shift in healthcare data privacy that we hadn't seen in a long time. And so it can be tricky, right? Because providers, now let's say that you're subject to both the HIPAA privacy rule and Part 2, right? Well, now you've got the information blocking rule, which comes in and says that you have to disclose that data. What most people initially were overlooking in the information blocking rule is that it does have an exception that says if there's a federal or a state law that requires, you know, some prerequisite to disclosure. So for instance, right, patient consent, that that does not, that is not overridden, right? By the information blocking rule. So you can still comply with the Part 2 requirements of getting that patient consent with the information blocking rule. Um, but it does to a certain extent, right? Limit the interoperability and the free flowing exchange of that data. The other thing that's kind of limited about this as well, right, is as I was just mentioning, there is a lack of adoption of EHRs in the behavioral health communities. Um, there was actually a 2022, I believe, study that showed, and it was, um, a study that was by the Medicaid and CHIP Payment and Access Commission, and it showed that there's only about 6% of behavioral health facilities and 29% of substance use disorder treatment centers that are using electronic health records, right? And, and that's compared to really about 80% EHR utilization amongst hospitals. So that is something that we're gonna have to overcome in order to really achieve the goals of the information blocking rule and promoting that care coordination and care access. Because right now, right, we don't have those behavioral health records necessarily in very, you know, in EHR structures that can be transmitted and transferred easily.

Speaker 2:

Yeah. And yeah, and you know, the funny thing is is is that from the beginning, because of my background working behavioral health substance use disorders, and then literally 20 years ago now becoming a privacy officer of my first hospital, uh, I, um, I have long found that people don't under that, that some organizations, I won't say all or most, but some organizations don't understand the nuance of one thing. And that is the psychotherapy note provision.

Speaker 3:

Yes.

Speaker 2:

That thing is, and so they, they read the, the black letter language of the rule and it says, you know, these, these elements would comprise, you know, and these elements would not, and they say, oh, well that's my whole chart, so my whole chart is a psychotherapy note, negative. Right. [laughs] That is not true at all. Um, do you have a, a moment to talk just a little bit about the nuance of what is in a behavioral health patient record versus what's in a psychotherapy note?

Speaker 3:

Yeah, it's a great question, Wes. You know, there, and I've, I've come across the exact same things you have, right? Where people assume that kind of their entire behavioral health record is protected. Mm-hmm. Um, and they, and they make that assumption too, whenever it's in a non Part 2 program as well. I have, I've seen a lot of people be very confused about whether or not their substance use disorder data, their behavioral health record is protected. Um, and you know, the first thing is right, if you're going to just a general healthcare provider and you're talking about your substance use disorder treatments and history, that's most likely not gonna be a Part 2 program, right? Right. That's not gonna be protected by Part 2. Um, and so I see a lot of patients get confused cuz they No, you can't disclose that, right? You can't, you can't send that data downstream. You can't disclose that to law enforcement. Um, actually, right, [laughs] the Part 2 regulations aren't applying. Similarly, right? Whenever we're talking about psychotherapy notes, that is a very limited aspect of your medical record, right? It is not your entire behavioral health record, it's not your behavioral health history, it is just those psychotherapy notes, that's gonna be a very small portion of your record. Right? Um, and that is, you know, and, and in the information blocking rule, right? The definition of EHI does exclude psychotherapy notes, similar, right? To, to the HIPAA privacy rule. And, but that's, that's gonna be such a small portion and I can't emphasize that enough. And, and Wes, I've seen the same confusion you have.

Speaker 2:

I think the way that I have learned to explain it, uh, is, is very simple if it's in the electronic record or if it's in the patient chart intermingled with other things, it is not a psychotherapy note.

Speaker 3:

Yes.

Speaker 2:

If it's a psychotherapy note, it is being maintained separately by the provider and only by the provider, um, for their use, for their training of other people, for their actions, et cetera. Um, and, and the way to think about it is a, a, um, a, a mental health chart note, which would be disclosable under all these other things, would be a progress note. Whereas if you think about what this psychotherapy note thing means, it's a process note. So it's the difference between John came in for his visit, these are the medications, this is the diagnosis, this is the treatment plan. That's all valid stuff, right? We can be in the chart. What's in the other chart then is the, is that deeper discussion or what's, what's in that psychotherapy note, I should say, is that deeper discussion about, you know, their Oedipal complex [laughs] or, you know, why, why, why they've continued to do certain things, uh, to their own detriment. It's, it's the kind of information that is really only useful between the provider and the patient and really has no value or bearing on how we get the bills paid, how we do our operations, uh, all those sorts of things. So that's the way that I tend to, to, uh, express that. And I think it's helpful to people when you can give it that context: process note, psychotherapy; progress note, mental health chart. So yeah,

Speaker 3:

That's a, that's a great way of explaining it, Wes. Yeah.

Speaker 2:

And you'll actually find that if you, uh, go back and you read the public comments from the privacy, well, from the original, um, uh, listing, you will find that exact statement or very, very close to it. The, the terms process and progress. You'll find them in there, they explain it, and I just, I've often wished that that had been in the actual rule itself because it, that's where the confusion comes in. So, okay, so when we think about Part 2, we think about the privacy rule, we think about the information blocking rule, all these sorts of things. We know that we have conflicting situations and structures. Uh, we've already started to cover some of, and in fact we've covered quite a bit here, just in a nice blow of that information. Um, but when we, when we think about, um, the implications of these things, is there one of these rules that takes priority over the other?

Speaker 3:

Yeah. So, so if you are a healthcare provider who, right, who happens to be subject, right? To information blocking, the HIPAA privacy rule, and Part 2, the general advice that you'll typically receive, right? Is to make sure you're complying with the most stringent rule, um, because it is possible to comply with the HIPAA privacy rule and Part 2 and information blocking, right? But the Part 2 regulations in certain aspects are going to be more stringent than the HIPAA privacy rule regulations for those aspects. So you wanna make sure, right, if there is a conflict that you're complying with the most stringent law. But, you know, one of, one of the things I hear a lot from providers is, gosh, right? It's hard to comply with both. I can't comply with all of them, right? You actually can, but it takes a lot of coordination, right? It takes an in-depth understanding of what all of those laws say and how they actually weave together. Um, and that's where, you know, having compliance counsel, right, or legal counsel help with understanding and, right, and creating those policies to make sure that you're in compliance, that can be really helpful.

Speaker 2:

Yeah. Um, I think, uh, the, the way that I have always thought of it is, is that if, if we use, say HIPAA as the, the foundation here, the privacy rule is a floor, not a ceiling. Yes.

Speaker 3:

Right?

Speaker 2:

Absolutely. And, and so it is the point below which you will not go, or you will be risk being in violation, but it does not stop you from going to higher levels. And you know, the funny thing too about the privacy rule is, is that there's a lot of disclosures in there that are referred to as permissible meaning, and, and, and it even says the organization may do something. Yes. It doesn't insist that you must, although there are times when there are other rules that will require, such as reporting of gunshot wounds or, or, uh, certain domestic violence or, or child abuse and some of those kinds of things where you, you could, you could say, well, the, the privacy rule doesn't demand that I do it. Yeah. But you got these three other things that are absolutely demanding that you will Yes. So you could say, no, we're not gonna disclose, but now you're gonna face other consequence.

Speaker 3:

Absolutely. Absolutely. You know, and, and that's to where I've seen providers come in and where they're not certain Right. Or they don't wanna open themselves up to risk, they won't disclose, even though HIPAA says you could. Right. They'll take a more stringent approach, um, which can, you know, in certain cases, hamper information exchange and care coordination. But that's, that's how they've been trained to come and interpret these rules and interpret their risk profile.

Speaker 2:

So, so when we think about this, you know, here, here you and I are, and, and our colleagues are trying to help the industry learn to be more balanced about this, right? But there is actual stuff happening at the federal level that is trying to harmonize some of this a little bit better. Talk a little bit about some of the harmonization that's going on right now. I know, especially around part two to hipaa.

Speaker 3:

Yeah. So, so HHS is being very active on the issues of data privacy, right? In a way that we haven't seen in a while. Um, but also in a way that the industry has been pushing for a long time. So when the HIPAA privacy rule first came out, right? We didn't have widespread adoption of EHRs, right? There wasn't this digital exchange of information. Now we're in a society, right? Where EHRs are common, right? I can request my patient records from my patient portal, I can print them, I can download them. And so we're in a different technology than we were when the HIPAA privacy rule was passed. And that had led to a lot of calls for HHS to modernize the HIPAA privacy rule. And at the same time, there have been a lot of calls for, for quite a while actually, for HIPAA to harmonize, I'm sorry, for HHS to harmonize the HIPAA privacy rule and the Part 2 regulations, because as we've been discussing, right, Wes, there are certain ways in which the HIPAA privacy rule and the Part 2 rule don't mesh, right? They, they've got different standards, they're contradictory on certain aspects, right? They define the same terms differently. So because of that, HHS has proposed a couple of rules. Um, so we're in the notice of proposed rulemaking, that NPRM, we don't have a final rule yet, um, but HHS does and has recognized the difficulties that healthcare providers are facing when they're trying to comply with Part 2 and HIPAA, right? And the information blocking rule. So back in November of 2022, HHS did announce an NPRM, um, that was focusing on increasing the coordination among healthcare providers who are treating substance use disorder patients. And HHS has recognized, right, and acknowledged that it does have conflicting regulatory frameworks in place that are inhibiting care coordination. And that could be potentially, right, perpetuating stereotypes about individuals with SUD disorders, right? So because of that, um, HHS did propose an NPRM that is seeking to bring these two rules more into alignment and the ways, and there's a lot [laughs], you know, it's a long, long NPRM and I will not go into all of the details about it, but, you know, just some of the proposed revisions, um, that we're starting to see out, I'll just quickly go over them, the kind of the most important ones. Mm-hmm. The one that everybody has been talking about, right? Is this single patient consent. Um, and so the Part 2 proposed rule would relax some of the patient consent requirements and would allow for a single written consent from a patient to authorize future uses and disclosures of their SUD record for purposes of treatment, payment and healthcare operations, right? And we see that TPO language back in the HIPAA privacy rule. Mm-hmm. Similarly, right? For redisclosure, there would be permission to redisclose Part 2 records in accordance with the HIPAA privacy rule with certain exceptions. Um, there's a proposal, right, to create new rights under Part 2 that would better align with individual rights in the HIPAA privacy rule, like the right to an accounting of disclosures or the right to request restrictions on disclosures for TPO. Uh, so, you know, so we're seeing a lot of that. There's other things coming into play with that NPRM, like updated breach notification requirements to HHS and affected parties, right? That would kind of apply the standards from the HITECH Act and the HIPAA breach notification rule, right? To breaches of Part 2 records by Part 2 programs, um, you know, updating the, the HIPAA notice of privacy practices requirement for covered entities who are maintaining Part 2 records. So we're really starting to see, um, the Department of Health and Human Services recognizing this and really trying to harmonize efforts here.

Speaker 2:

Right? Right. You know, it's funny, if you think about it, you have, you have Health and Human Services, the big house, you have OCR, which is handling the Privacy Rule. Um, you have CMS, which has got the info blocking stuff, but yet jurisdictionally and interrelationally, they don't connect. Well, it's funny how, how difficult it is to move these things, but, you know, it does make sense. And, and if you really think about it, I think you hit a point around the substance use disorder rule, around Part 2, that is, is sort of critical. The original alcohol and drug disclosure and the original rule at, uh, at Part 2, it was phrased in a different way back then, all the way back to the early 1970s, around 1973, um, was designed specifically to try to protect the individual from harms caused by disclosures of their record because of the perpetuation of stereotypes. You know, the, the, the way that we viewed a, uh, a person with an alcohol use disorder in 1973 was from more of a moral lens and less of a medical lens. And so, you know, a lot of these things that are happening are trying to shift those things as well. And so, I, I really like the fact that you used that point in dis-, in discussing the concerns around the Part 2 rule, is, is that it's trying to move us to a better understanding of people and less of making a moral judgment about them. But that's why these rules came into play in the first place. Um, and I first started working in a substance use disorder program in 1985, and so this was still fairly young stuff. And, and, uh, boy, it was interesting to learn a lot of these things. Um, so when we think about all of this, you've already touched on this to some fair degree, but strategies for compliance. What should our communities be thinking about when it comes to, uh, ensuring that our organizations are complying with these rules? One of the things we've already talked about is the fact that it's a floor, not a ceiling.
Where else would you go with that?

Speaker 3:

Yeah. The other thing I would say is, because we're seeing a lot of action from HHS in the data privacy area right now, I would be ready to update your policies, procedures, and forms when these new rules come out. Now, there will be, right, a grace period in order for you to get everything in order, but HHS has definitely signaled that things are going to be, be changing. And so now is a good opportunity to start taking a look at your policies, procedures, and forms, right? Making sure that, yes, I'm in compliance right now, but also, okay, we see the direction where HHS is going, right? Here's the things that we might need to change. And knowing where your documents are, right? Kind of pulling all that together so that you can implement it quickly when it comes out, that's gonna be really helpful. Um, especially, right, if there's new patient consent forms that you're gonna need to draft or change, um, with the Part 2 regulations and the changes there. The other thing, right? That I would say too is make sure, and, and Wes, I know we've talked about this, right? But make sure that you're ready to guide employees through stringent privacy training, right? Because it's not gonna be enough, whenever those new rules come out, to just say, great, here's an hour overview of what those new rules say. Mm-hmm. <affirmative> You need to talk about the practicalities of it, right? You, you need to be saying, yeah, okay, within X amount of days after this rule comes out, we're gonna have gone through it, we're gonna understand it, we're gonna see how it applies to our organization, what we are changing, and then we're going to go and educate our employees and contractors on not only what the rule says, but also the practical implications of that rule to their business and their everyday lives, and how that has changed. Um, so that's kind of where I oftentimes see organizations fall behind, is they're so focused on updating policies and procedures, right?
And, and kind of doing all the technical behind-the-scenes stuff that they sometimes forget to train their employees on what they need to do in a way that's gonna be really effective for them. Right. Um, the other thing, just depending on where HHS goes with its rules, is going to be making sure, right, that if you're using an EHR, that you're keeping up with the standards that are being required for using the EHRs, right? That if we still do need to segment data, that you're using proper data segmentation and you've got those policies and procedures and controls in place to make sure that data is being restricted or disclosed in the appropriate manner going forward.

Speaker 2:

Yeah. There's, uh, how do I, how do I say this without getting myself in trouble? <laugh> There is a, there's a lot of change afoot in the United States in the realm of reproductive health.

Speaker 3:

Yes, absolutely. A lot.

Speaker 2:

<laugh> And sometimes the noise is almost overwhelming with what one state's doing versus what another state's doing versus what the, uh, uh, you know, and then what the media is reporting and all of these sorts of things. And I, and I feel like I would like to wrap this up with some thoughts today around where does data privacy go from here and how do we manage to those kinds of social changes and the noise that's happening out there?

Speaker 3:

Yeah. It's such a great question, Wes, right? Because I know we've spent a, a lot of time today talking about Part 2, but we also have a couple of other HHS rules on data privacy that are lingering out there, right? Um, we've had revisions that were proposed through another NPRM to Part, um, to HIPAA's Privacy Rule. Yeah. Right back in, in 2021. And so we're still waiting on those changes, which again, is, you know, trying to bring HIP-, the HIPAA Privacy Rule into an updated technological environment. Um, the thing that we just saw released earlier this month was on exactly what you're talking about, the updated reproductive health data rules. Um, you know, HHS is really looking at whether or not, you know, this type of health data should be used in contexts that could criminalize individuals for seeking out reproductive healthcare, right? Um, specifically, right, HHS proposed an NPRM that would modify standards for uses and disclosures of PHI, by limiting when that PHI could be shared or disclosed if it involved reproductive health data and reproductive healthcare that was lawful where it was provided. So we are seeing action from HHS on multiple fronts with respect to data privacy. One thing that HHS is gonna have to do now, right, is, because they've been working on these pieces of legislation over several years, is making sure that they are all kind of internally harmonized. Um, I know we talked about, you know, the different departments or, you know, agencies within HHS, um, but making sure that they're coordinating on all of these different rules in terms of kind of where we go from here. We, we're also seeing, and I know, Wes, we focused a lot today on federal action, but we're seeing a lot of action on data privacy on the state level. Yeah. And that, I think, is where a lot of, a lot of concern is also coming from, right?
Because we're seeing states not only with their general privacy rules that have been coming out more frequently, in general privacy bills that are making their way through the state legislatures, but on reproductive healthcare, we are seeing data privacy protections coming through at a rapid pace in states, you know, like, like California, right? New York, those types of states that are seeking to be front-runners in reproductive justice. And so because of that, right, they're creating different protections for reproductive health data. Like you don't have to disclose it to law enforcement from other states, right? In response to a subpoena, or you can't disclose it in response to those subpoenas. And those restrictions, right? Are going to be different than what we currently have in the HIPAA Privacy Rule, because this, you know, new reproductive health data NPRM hasn't been implemented, right? So it's a rapidly changing environment out there, especially on the reproductive health front. And I, I definitely think that over the next, you know, eight plus, six, eight plus months, we're gonna see some substantial rules coming out in these areas. And it's gonna be really important that organizations are ready and able to understand how these regulations are going to impact them, what it means for their own compliance and how they operate, especially if they're in a multi-jurisdictional network. Um, that's gonna be really challenging, I think, with these reproductive healthcare laws.

Speaker 2:

Yeah. Um, I'm gonna pose something and see if you maybe agree or disagree with this point when it comes to trying to harmonize all this and decide which rule most applies and which rule can, you know, is, is, is most critical. I have long counseled to think of it from the standpoint of, number one, what gives the patient the greatest rights? Or number two, what imposes the most restriction on the covered entity or the organization? Would you agree with that as a, as a philosophy of trying to organize around this?

Speaker 3:

I like that. We actually, I, I really do. I like, I, I personally like thinking about it from the, you know, what gives the patient the most rights, because we should, you know, we're in healthcare, which is very much a patient-driven industry. Um, that's, you know, that's the entire audience that we're trying to serve. I really like that. And I do think, though, you know, the other point you make about it being, you know, restrictive on the covered entity, I think that's the way that a lot of, you know, organizations are going to be looking at it as well, because they wanna make sure that they're not violating any laws. Um, so kind of imposing more restrictions on them on when they can disclose, I think is gonna help them keep their risk management profile where they want it to be. So yeah, I, I think that's a, a great framework.

Speaker 2:

Excellent. Excellent. Well, as we wrap this up, is there anything you would like to cover that we haven't touched on yet? I mean, I feel like we've covered a lot of ground here.

Speaker 3:

We have. Yeah. I, you know, I think, I think the only closing thought I would say is things are changing pretty rapidly. Um, consumers, to an extent that I have not seen before, are paying more attention to data privacy when it comes to healthcare, especially women who are being impacted by the reproductive health laws that are being passed. And so I've started to see more and more consumers even asking healthcare organizations, how are you handling this data? Right? If somebody comes to you with a subpoena, are you disclosing this data? Are you not? What is your policy? Um, so I think just being prepared for those questions as they're going to continue to come with this changing healthcare landscape, can help you also show that you are, you know, you're on the consumer side, you wanna be transparent about how you are handling their data, and that can help consumers feel more trust and actually regain some of the trust that they have felt is lost during the reproductive health battles. Um, so that's, that's something that to me is a bit new, just seeing a lot more consumer ownership and interest in their data privacy.

Speaker 2:

That's a good point. And, and I think you and I probably do something similar. When you hear somebody in your circle make a statement that is completely erroneous, you immediately say, wait. <laugh> Yep. I know I do. <laugh> I do. Uh, you know, when I, when I was looking to join Clearwater 10 years ago, um, one of the questions was, how well do you know the Privacy Rule? And one of my choices on it, it was a little survey, one of my choices was, I can have a dinner conversation about it and keep it interesting. And I said, yes, that's me. <laugh> And, and, and I still find it even today, even though we've got people who are definitely more knowledgeable, more engaged, there's also a lot of misinformation out there. And so continuing to be that person is the way I see myself, and I hope others do as well, that when you hear somebody say HIPAA with two Ps, <laugh> I love that. Uh, uh, and, and they start spouting things that are just inaccurate. Be okay with stepping up, as long as it's safe to do so, with stepping up and saying, wait, let me explain the reality here. The more we educate our world, the better it is for all of us. This has been a fantastic conversation, Bethany. I am so happy that you joined me today for this. And, uh, thank you so much for your time, your interest, and your expertise. Maybe we'll even be able to swing another, uh, podcast in the future where we take some of this onto a, a different direction or, or, or deeper into it. I would love it.

Speaker 3:

I would love it too, Wes, especially as these healthcare laws get implemented and passed and we start to see how, how organizations are responding, um, I think, I think it would be very interesting to explore further.

Speaker 2:

Excellent. Well, for our listeners, my guest today has been Bethany Corbin. I'm Wes Morris. Uh, on behalf of Clearwater Compliance, we thank you very much for your time and your interest in our podcast here today, and hope that you gained something from it that makes your practice work just a little more smoothly. So long, everyone.

Speaker 1:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.