AHLA's Speaking of Health Law

Top Ten 2021: Opportunities and Risks with Increased Interoperability in Health Care

April 09, 2021 AHLA Podcasts

Based on AHLA’s annual Health Law Connections article, this special series brings together thought leaders from across the health law field to discuss the top ten issues of 2021. In the fifth episode, Barry Mathis, PYA, speaks to Alaap Shah and Elizabeth Scarola, Epstein Becker & Green PC, about the challenges associated with the collection, storage, and use of big data in health care. They discuss issues related to regulating the various players who are driving data sharing and interoperability, navigating the regulatory variations among the states, tackling issues related to data blocking, how the pandemic has affected the big data environment, and predictions for the future. Sponsored by PYA.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

The American Health Law Association is pleased to present this special series highlighting the top 10 issues of 2021, where we bring together thought leaders from across the health law field to discuss the major trends and developments of the year. Support for AHLA in this series is provided by PYA, which helps clients find value in the complex challenges related to mergers and acquisitions, clinical integrations, regulatory compliance, business valuations, and fair market value assessments, and tax and assurance. For more information, visit pyapc.com.

Speaker 2:

All right, welcome everyone. Thank you for joining to this another of the AHLA top 10 podcast. This one, dealing with opportunities and risks with increased interoperability in healthcare. And today, uh, uh, my name is Barry Mathis. I am a principal with PYA and I will be your moderator. I have two fantastic, uh, guests with me today. Um, Alaap Shah and, uh, Beth, uh, Scarola here, and, uh, you know, I'll, I'm gonna let, I would absolutely butcher trying to get through as many things as they've been involved in and what they're doing. I will mention this, a lot of this podcast is coming from an article that Alaap and Beth wrote together called Sharing is Caring: Opportunities and Risk, uh, with Increased Interoperability in Healthcare. So, I'm gonna pull a lot of questions from that. We're gonna have a nice discussion today, but I'm gonna turn it over. Alaap, would, would you care to introduce yourself and talk a little about, uh, you and what you do and your space and, uh, and this article and, and then maybe Beth right after that, you can do the same.

Speaker 3:

Sure. Thanks Barry. Um, and then we're really grateful to be joining you today here for this AHLA podcast on, uh, data proliferation and healthcare. I think it's such a timely topic, um, given all the changes that are happening in ongoing sort of, um, revolutions and transformations that, uh, data will bring to the healthcare space. Uh, so by way of background, um, I'm a partner in the DC office of Epstein Becker & Green, uh, which is a national law firm focused, uh, primarily in the healthcare life sciences space in labor and employment space. I, I co-chair the privacy, cybersecurity and data asset management team there. And my practice focuses largely on, um, helping clients with proactive and reactive counseling and defense, um, in healthcare, um, around legal and regulatory issues. Um, mostly in the privacy, cybersecurity and data asset management space. And my clients range from, you know, your traditional payers and providers and other life sciences companies and pharma companies, but increasingly has become focused on information technology companies, big data analytics companies, digital health companies, um, and, and everything in between. All these sort of what I call healthcare adjacent, uh, companies as well. And we do backend, front end to backend compliance work. So help you get set up and be compliant in what you do, develop business strategies around that, test your systems and improve over time, as well as defend you in the, in the event that something really bad happens, whether it's a data breach or some sort of litigation. Um, and this is my second stint at Epstein Becker. I actually went in-house for a period of time in the middle of my career, um, where I spent time as the chief privacy and security officer and senior counsel for the American Society of Clinical Oncology, where I helped them design, develop, and commercialize, uh, several big data analytics programs, um, to improve quality of care for oncology patients.
So I, I've not only done this sort of from an outside counsel role, but lived and breathed it from an inside in-house counsel role as well in terms of beta, how to use data to improve the healthcare of patients.

Speaker 2:

Um, very good. Yep. Now, outstanding. So you're, you're what we call in the industry an, an absolute expert. Beth, how about, how about you, uh, you know, what, what's, what's got you into this, uh, this arena today?

Speaker 4:

Well, it's a, a, a long, a, a, a long and interesting, uh, answer, but I'll make it short. <laugh> Uh, so first of all, I guess I should start out by saying that I'm an associate in, uh, at Epstein Becker & Green. I work closely with Alaap. I am in the healthcare and life sciences practice in Tampa, Florida. Um, I, I say long and interesting area B answer because I am a healthcare regulatory attorney by trade. Um, and I deal with a, a myriad of different healthcare regulatory type questions in my practice for clients ranging from, you know, a small startups or solo physician practices all the way to hospitals and electronic health record vendors. And, um, I was very interested on a personal level in the privacy space because I have a, uh, BRCA mutation, a genetic mutation personally. And so I saw through my experience before becoming an attorney and clinical research as well as personally as a patient, um, that there are a lot of opportunities in terms of healthcare with that we can be informed by the information that we have on a personal level and can inform research and development in the sciences. And so I was really excited to join Epstein Becker & Green to broaden my own practice and to get involved in this space. And I now work closely with Alaap, um, helping clients navigate a variety of different issues in the regulatory space. Um, not only, you know, Stark and Anti-Kickback, but now also with, uh, interoperability with, uh, data and cybersecurity and happy to be here today to discuss all of that.

Speaker 2:

Outstanding. And, and I like the fact that you brought up, you got kind of a personal slice of, uh, I myself had a, a motorcycle accident about seven years ago. And when people talk to me about the, the need for the data interoperability, I like to share my story. I, and the, and the, the healthcare facilities that took care of me both were wonderful, including the rehab. And it's about a three month long from time I was there into, into, um, uh, you know, therapy and rehab and kind of back and walking back to work again. But in the initial, I, I went to one hospital, they triaged me, you know, took all the X-rays, CTs, Barry, here's everything that's wrong with you. Your back's broken two places, you got all these broken bones, your knees are shattered, blah, blah, blah. And then they transferred me to where my back surgeon would be to another hospital. Well, they didn't get the information, you know, that, that it was a, an, an inter, inter-hospital transfer. So when I came in, they re-triaged me. And this is somebody that they already, you know, I already knew my back was broken two places, and they're flipping me around and I'm complaining, well, they thought I was, they thought I was drunk 'cause I was complaining. So that's the first part. The second when I went upstairs, they finally put me up in the orthopedic unit, and they started asking me the patient, what have you had in terms of pain medication? How many doses? I'm like, well, I don't know. Look at the system. They said, well, we can't do that. Our systems don't really talk to each other between the emergency room and the, you know, upstairs. And I'm like, okay, once you guys find out what I do for a living, we're gonna have a talk. So <laugh>, so, so there's a, there's, there's all kinds of needs in this, in this space, but let's jump into the article. I read the article, love the article, Sharing is Caring: Opportunities and Risks with Increased Interoperability in, in Healthcare.
And I thought where we would start is kind of what I led into with the need. You know, we've, we've talked about big data now going all the way back to 2012 when meaningful use came into play, and all of a sudden there's big boosts of everybody being on electronic medical records and how we're sharing things back and forth. There was some money incentives out there. Um, and, and now we've got this data and, and I like the fact that your article points out that experts are saying that by the year 2025, there'll be 500 times more healthcare data than there was in the year 2012 when we started. So let's talk about that a minute, and, and, and I'm gonna ask you, let's, let's talk about that whole data universe and the need of what's happening there. So what, what can you tell us from your perspective, do you think are some of the challenges in that space?

Speaker 3:

Yeah. Well, um, the <laugh>, the biggest challenge is understanding what comprises healthcare data these days. Um, there, you know, from a, from a starting point years ago, it used to be the paper records on the shelf of a, a doctor's practice. Um, over time, obviously, a, as we all know, technology has infiltrated the healthcare and life sciences sector and has become the way we do business in that, in those sectors. Um, so with sort of near ubiquitous adoption of healthcare records, um, EHRs and EMRs, we started to digitize everything. And that has become sort of the standard by which we operate. So that's number one is created this sort of big bolus of, of clinical data. Um, then I think the fact that we've gotten, you know, cloud storage, like Amazon Web Services and a Microsoft Azure and all these other really cheap ways to, um, collect and store data, um, it sort of made it very easy for us to do that and start to really think about what happens if we start aggregating data at, at mass. Um, and we actually started, um, we haven't gotten there quite yet, but yet, but we've definitely started to think about what are other sources of data that we wanna pull into, um, the equation when it comes to thinking about patient care. And it doesn't have to be something originating from a provider, for example. It could be, um, data that the patient themselves is, or is generating, uh, could be consumer, he, uh, health data, something that's being generated from, from, um, from other activities, social determinants data, you know, so all of a sudden this idea of healthcare data being just what the doctor's creating and storing, um, has sort of been blown wide open. And it creates for interesting opportunities because now we can learn a lot more about patients using a whole bunch of data points that weren't really available before. Um, but it creates risk.
And that's sort of some of the challenge that a lot of these organizations that are leveraging this kind of data have to face, you know, can we collect this data? Is it, you know, is it being appropriately used? How do we safeguard it? Um, how do we, how do we make sure that we're being, um, good data stewards, um, for, for our patients, for our organization as well, and for all of our partners when it comes to collecting this information, aggregating it, and using it for various purposes. So that's sort of big picture, but yeah, that's where we are.

Speaker 2:

Yeah, it's, uh, I, I like the fact that it's, you know, that you pointed out that there's, there's this explosion of, of data coming from a lot of different areas, things that in the past it was fairly, well, you know, uh, it was narrow. You, it was the, it was the doctors, the hospitals, maybe some universities and some vendors, a few vendors, the big vendors that are out there that's been there forever, but not a lot of other new players in there. And, and Beth, let me ask you this 'cause you've got a lot of space and, and that regulatory piece and, and, and it looks like from, from your contributions you've done that. So these risks in, uh, that Alaap just pointed out, uh, and my question is, we have all these new players, are, are we good at managing those new players? Do we know, I mean, 'cause I know at HIMSS a couple of years ago, I think there was 15 or 1600 new players in just the EMR market for bolt-on applications around interoperability and things like that. Talk to me a little bit about that. Where, where's our concerns and our risk in that space?

Speaker 4:

Sure. That's a really good question. I mean, obviously the goal of interoperability is promoting data access, right? So you want the patient to be able to get the access to their own information. And what does that information mean? I mean, the rules are very specific in terms of the elements that, you know, must be transferred, but the policy goal that drives all of this is that healthcare information is gonna be flowing. And do we have a good handle and grasp on what entities there are that are going to be exchanging this information or how they're going to be regulated? Uh, yes, but the, the number of regulations that are going to be at play here are going to be numerous because not only do you have the interoperability rules and you have HIPAA at the, you know, federal level that govern some of those entities but not others. You also have various different state laws and, and regulations. And so I guess I can just, you know, speak briefly to that and say that, you know, the Cures Act will regulate a certain, the interoperability of electronic health information and there will be penalties that apply to certain actors that, that, you know, are accused of information blocking and actually engage in the practice of information blocking, which is interfering with the use or access or exchange of the electronic health information. And the OIG is authorized to impose civil monetary penalties of up to 1 million for those sorts of information blocking activities. Um, but we've yet to see what that enforcement is going to look like because we're, we're still waiting for the final rule there. Um, in the interim, there's a myriad of regulations that these entities that are looking to share data have to navigate. And I'd ask Alaap to, to comment on some of those.

Speaker 3:

Sure. Yeah. And, um, to say it's a patchwork is an understatement. Um, there's, there's certainly a drive to share data, um, not only for the benefit of the patient ultimately, uh, or beneficiaries, uh, depending on the context, but, but even the organizations themselves are starting to see value in the data. Now the question becomes, like I said earlier, can we share this stuff and how do we go about making decisions about what we can and can't do? So, you know, at, at the federal level, there's certainly, uh, established bodies of law that many organizations have to comply with. Um, HIPAA, the Health Insurance Portability and Accountability Act comes to mind first and foremost because of its, you know, sort of longstanding tenure as our healthcare privacy and security rules. Um, that body of law though is, um, you know, it's got its holes. It's, it's certainly, um, an older body of law. So it hasn't necessarily been updated. And a lot of states have stepped into the, uh, fold as well and said, you know, we, we feel like we need some added levels of consumer protection, given that the, the data moving around so quickly nowadays and being collected is, um, you know, is putting people's privacy at risk. So you sort, sort of have to navigate the federal level, HIPAA, uh, rules and HITECH rules. Then you have these 50 different flavors of, uh, state laws as well around privacy and data protection. Um, and, and that's always in flux. You know, for example, um, only in the past two and a half, three years have we started to see, um, some real pushes at the state level to, to fill some of these holes. The California legislature passed the CCPA, the California Consumer Privacy Act, um, which had made ripples throughout a number of other states and provided a lot of additional, uh, privacy rights above and beyond what other laws would have done previously. Uh, Virginia, for example, has passed something as well.
So, um, it's all to say that, um, you can't go into this blind. You can't just go in and do whatever you want with data these days, uh, people are watching and, and certainly there are standards, uh, popping up here and there that people need to be navigating, um, and they're not always gonna be aligned, um, which is making it really difficult. Um, and that's not even to mention international, you know, I'll sort of, right, I'm not gonna get into that, that for a second. Yeah,

Speaker 2:

<laugh>, yeah. Yeah. We don't get into GDPR and some other stuff right now, but, but you know, you mentioned the, the California Data Protection Act do. 'Cause traditionally, I think as, as a lot of other states have looked at California in terms of what are you, what are you doing there? Do, do you think there's gonna be, I mean, a, a lot more states doing the same thing, or is it, is it still kind of an individual state and, and the people of the state are, are kind of driving it? Or, or is it more of the, let's see what the other folks are doing that works and that's what's driving it?

Speaker 3:

Yeah, I think it's a little bit of all of that. Um, there are certainly those few states that are always ahead of the curve when it comes to more progressive, um, legislation. California's one, New York is another, uh, Illinois is another, for example. So, so if, you know, history tells us anything, there are a handful of states that are always gonna be first movers on these things, and we should always keep an eye on them because they set the tone for what others are gonna do. Now, what the others do, um, it's yet to be determined, right? Some of it has to do with the cultural aspects of the state. Some will take up these issues and some won't. Um, and it also depends on how long it takes for a legislature really to, to pay attention to this on a state level. Um, but you know, that, that is the beauty of our laboratory of states, essentially. Um, you know, I think what will happen, my prediction, I think we're probably going to talk more about this later, but, you know, some more state laws will come online and it's gonna force a conversation, um, at a, at a sort of multi-state level, and then perhaps the federal level as

Speaker 2:

Well. Yeah, perfect. Hang on to that king. We're gonna, we're gonna talk predictions here. You're exactly right, here towards the, the end of our, our session. Um, I wanna go back to Beth for a second. Beth, you, you brought up the interoperability, uh, and data blocking piece there. Let's talk a little bit, and, and my question is, and, and I work in some of that space too, and I work with hospitals and, and vendor and, uh, you know, uh, software vendors, the like, are we ready? Are we ready for this? I mean, as an industry, are we ready to tackle everything that comes along with data blocking, that sort of thing?

Speaker 4:

Ready or not, here it comes <laugh>. Um, I would say, you know, obviously I think that parties were getting ready to really take these rules seriously, right when COVID-19 hit. And unfortunately, I think that, you know, it really, it, it, it put a speed bump there in terms of getting ready to comply with these rules. The industry itself is struggling, I think, you know, in all, in terms of all actors across the industry struggling with trying to get compliance up to date, but at the same time, everyone's doing their best. I mean, there's three rules that you have to get your arms behind. There's obviously the ONC final rule, the CMS final rule, and we have OIG's proposed rule. So at this point, the clients that we've been speaking to, I think really have a good understanding of, of what's out there and what they're required to do. And they're trying to implement best practices and policies in terms of compliance, and also take advantage of the strategies, um, that, that can be held in this space. Because not only, you know, do you have to look at the rules for what they are, and you have to ensure that you, if you are an, an actor, do not conduct op, uh, do not operate in conduct or, uh, or information block. But at the same time, you have to think about what do these rules create in terms of an opportunity for the organization? Is there potentially an app that we can develop, uh, that would enable patients, you know, to have better lifestyles or access to their information to drive population health? Um, you know, what else is out there that, that these rules will enable us to do? Because at the end of the day, what they are doing is enabling the interoperability of data. And so with more data being accessible, there's more opportunities to utilize that data to drive healthcare outcomes. So I, I wouldn't say necessarily that everyone's ready, but regardless of whether they're ready, the rules are gonna keep pushing along.

Speaker 2:

Right, right. Well, I, I like the, the answer's perfect. Ready or not, here it comes. Um, uh, Alaap, back to you, just, just for a quick second. Uh, there's a, there's a section of, of yours and Beth's article that, that talk about drivers. And, and I get asked this myself, you know, the impact of COVID this. So, and this is for both of you, feel free to jump in, uh, in, in terms of the data blocking, the interoperability, was, was the pandemic and the emergent state of that and us doing what we had to, which kind of broke down a lot of bureaucratic walls, did that really help us get there a little sooner? Or was it, is it now more of a hindrance? What's your opinion on, on how COVID has affected this whole, uh, data sharing, blocking, uh, uh, big data, uh, environment?

Speaker 3:

Yeah, it's a great question. It's, it's done a couple of things. Um, I think you're entirely right that, um, COVID has broken down a lot of barriers, especially, for example, in the telehealth space. Um, people have adopted telehealth both from a provider perspective, a payer perspective, and, and a, a patient perspective. So all of a sudden that's a new avenue for us to be communicating and, and sharing data with each other. Um, but at the same time, when you have a pandemic <laugh> like COVID-19, um, when it comes to prioritizing, um, people's attention and spend and resourcing and all that kind of stuff, um, providers in particular were har hard hit, and they ended up shifting a lot of their time and energy away from, um, some of these more forward looking sort of compliance aspects of their business. And, um, going back to let's just make sure we can continue to operate, make sure that our patients can continue to be seen, and that we're doing it in a way that, um, makes sense given the climate we're in. So I think it, it has stalled, um, pa especially providers' ability to comply. Um, and, and I think the regulators recognize that because as soon as the, the public health emergency was declared, the regulators recognized that there would be more time required for many of these organizations to comply with the rules. And so they sort of pushed off the, the dates of effectiveness and, and provided some more relaxation as well. And we still have yet to see what happens. We're actually just a few weeks away from the effective date, um, right, kicking in. So, uh, you know, there could be a lot that happens in the next couple weeks that we

Speaker 2:

Have <inaudible>, so there could, but Beth, same question to you, and I wanna add a little twist on there. In the beginning of, of the COVID, there was some relax of some of the privacy and secure specifically around telehealth. I'm curious as your thoughts is, is that over, I mean, at this point, should you, should you really have that out of the way, there's been enough time to get something that's a little more standard, a little more reliable and more industry, uh, appropriate? Uh, and then same, same question as, as, uh, Alaap, you know, what is your opinion about h how COVID overall impacted negative or positive?

Speaker 4:

Sure. I, you know, I think that there have been benefits and drawbacks to COVID-19 in terms of its applicability to privacy and data, and also the, you know, regulatory, regulatory environment in general. I would just say, you know, to your first question, I think that in the beginning it was really important that organizations understand waivers that were issued, not only with regards to HIPAA, but with regards to any of the fraud and abuse laws or, you know, other licensure laws, et cetera. But certainly a year into this, we've had time to really understand what those waivers are. And as you know, they're, they're consistently changing. And so as the vaccine is being distributed, and more and more people are getting the vaccine, the hope is that over time, those waivers can go away, because hopefully COVID will be, you know, less of an impact on all of us. But at the same time, um, you know, it's really important to actually adhere to the laws that are in place without the waivers and to be ready for any sort of new proposed legislation that comes down the pike, either at a federal level or at a state level. So I think it, it's not a perfect answer, but the answer that I would have is to understand the regulatory environment that you are in daily, monthly, you know, annually, and to create policies and procedures that protect data, that enable consumers and customers to really trust your organization so that they will authorize you to use that data and to leverage it and to be nimble with your policies and procedures so that you can respond when things change. If COVID-19 has taught any of us anything, I think at a personal level and professional level, it's, we can't control the environment around us. Um, and, and things do change. And so it's important to just understand where you are, um, to have policies and procedures that will protect you to the law that's in effect at that time, and to be nimble and be able to react to things as, as they do change.

Speaker 2:

Um, okay. Uh, I'm gonna pose one, one question in here, and this is a little, this one we could go for, we could probably teach a master's course between the three of us on this one topic in question, and it's kind of embedded in everything. And, and it comes from, you know, Alaap, you mentioned, uh, patchwork and, and I think everybody who's listening may understand that's the gaps within the current, you know, regulatory pieces that we need to help govern all this. And, and some of it's just long in the tooth, so let's just, let's just put it out there. There, HIPAA itself long in the tooth, right? I mean, we've had, you know, through the HITECH and Omnibus and some others, we, we get it, there's been some changes, but long in the tooth. And then besides the regulations themselves for, for those who work in the space of helping, you know, provide guidance or even self-assessments and guidance, it's like, you know, analysis paralysis with whether you want to do a SOC or a NIST or a, a HITRUST, it's all these kind of things are out there. So, so this is a two-parter. One, how long in the tooth are the current rules? Do we, is it time to just reset based on the current, the technology has now gotten to a point that we need to go back and look at the whole thing in terms of healthcare and let's do something new. And if so, is it time for a federal standard that someone can actually get a certification to say, look, let's, let's get rid of all this guidance in these other pieces and do something that did everybody recognizes as a standard? It's a loaded question. I know it.

Speaker 3:

Yeah, no, that, that's a lot to think about. And you're right, this could be its own sort of several hours conversation. Um, uh, my thought is that I agree wholeheartedly that HIPAA is, um, it is long in the tooth, as you say. Um, it, it, even, even before it was long in the tooth, it was not a very prescriptive standard, right? And give, it gives you a framework to think about how to protect privacy and security, but it doesn't really lay out specifics. And even if it laid out specifics, um, this, this body of law really came into focus in the early two thousands, and now we're 20 years out from that. So, um, people struggle, like you said, in terms of how do I actually operationalize compliance, um, around these rules? And that's where you go into questions about how do I evidence that I'm doing this? It's sort of a fuzzy standard. Um, and then third parties have come into the mix to try to build bones around it. So that could be, you know, SOC standards, um, it could be the HITRUST standards, um, uh, or a number of others. And I, I think that some have done a, a good job with it. Um, the question becomes, you know, how, how does that effort using more prescriptive standards, um, or certifications, um, lend itself to not only compliance, uh, to showcase that you're actually doing the right thing relative to HIPAA, for example, but also to send a practical signal to the market that you know, you are doing something that's reasonable and appropriate for your organization. Um, and, and that's still a hard question to answer as well. I think people struggle with what's the right set of standards I'm supposed to live by. Um, more recently, there was a, an amendment to the HITECH Act that said that at least when it comes to enforcing HIPAA, um, the regulators need to, uh, review recognized security practices, which are sort of indices best practices coming out of the National Institute's, Institute of Standards and Technology, um, and others.
So we're getting to a point where I think the regulators even recognize <laugh>, people are doing all these things, trying to find their way through this, this mess of, of, you know, different certifications and standards. Um, and they just want to emerge unscathed from the regulatory perspective, because at the end of the day, we're all trying to do the same thing, which is safeguard our patients' or, or beneficiaries' data, or our consumers' data. And, you know, even doing the best you can, I think we all have to recognize that there are some bad actors out there, <laugh>, you know, hacking groups that are, right, looking to take us down, and we shouldn't suffer from a regulatory enforcement perspective when everyone was well-intentioned to do the right thing. And, and the lack of guidance that HIPAA provides from a prescriptive point of view, um, you know, I think that's something people really need to focus on and think about how do we, how do we fix that? Um, so hopefully like many other laws, you know, there have been people who've advocated for a long time that there should be some sort of safe harbor. Um, this, this recognized security practices piece that just came through, um, is, is one step closer to that, but it's not quite there because again, what is a recognized security practice? Again, the fuzzy test, right? So, right, we're still in the same place, effectively.

Speaker 2:

All right. Very, very good. Thank you. And, and, and Beth, same over to you. Is it, is it time, I mean, considering some of the things that, uh, Alaap had often pointed out, is it, is it time that we do something new here?

Speaker 4:

I, I think that a lot of people would welcome that. There's differing, uh, views on, I think, what, what the best approach is, you know, in terms of like, even not only HIPAA revisions, but federal legislation, there's lots of proposals that are on the table. And I mentioned this just because some of them would allow a preemption and apply to various different, you know, I'd use the word actors, actors, not in an interoperability context, but just different types of entities in the industry. And the idea is if there is one coordinated approach and there is a revision that would standardize things, it might be helpful because then entities wouldn't have to comply with a diverse patchwork of all 50 types of states and, and regulations that way. They would just have one law to look to. But I think that overall the industry would very much welcome revisions. And part of that has to do, I think, with HIPAA applying, you know, so narrowly to the types of health data and the uses of health data in terms of covered entities and business associates. Um, there are all these new types of, you know, applications to health data and storage that are outside of that realm. Um, and so I think that the question of revisions to HIPAA in and of itself, yes, it's probably overdue, but so are, I think, um, you know, different legislative and regulatory approaches to, to coordinating one standardized way to treat this information and to protect it.

Speaker 2:

Perfect. Outstanding. So, uh, about one and a half minute apiece, predictions. What do you, where do you think we're headed? If you had to answer that question, um, uh, for either one of your, your clients or, or someone else? Where are we headed when it comes to, uh, increased interoperability in healthcare and the protection and risk associated with that, uh, for 2022, '23, '24, and we talked about being 500 times the amount of data out there than there was in 20 20 12. So Beth, we'll start with you this time. We'll finish up with, uh, Alaap. What, what are your predictions?

Speaker 4:

Sounds good. Well, I think I said earlier, ready or not, here it comes in terms of interoperability. I think I'd also add to that there, there's really no turning back in terms of the proliferation of healthcare data. It's here to stay. Um, and I think we're gonna see with, with interoperability, we're gonna see more and more data promulgated and then also utilized in ways that we can't even envision right now. And so I think that instead of entities looking at these rules as a, as, you know, enforcement and something scary, they really need to understand each of the sets of rules and the new proposed pieces of legislation to figure out how they can strategize, utilizing and leveraging the data in a compliant way, you know, with, of course, authorization and protections in place. But it's a really exciting time to be in the industry and to be able to leverage a sort of data in order to drive healthcare quality outcomes, research, innovation. I mean, really, there's so many opportunities, it's just a matter of getting your arms around it to make sure that you're doing it the right way.

Speaker 2:

Perfect. And Alaap?

Speaker 3:

Yeah, so predictions. Um, I, I think that we, we have yet to see what the federal, um, folks are gonna do with creating a sort of co, countrywide, uh, standard around privacy, although they're continuing to talk about it, bills keep coming out and, and more bills every year, year on year. Um, so in the meantime, I really think that the states are gonna tackle these issues. The more, um, progressive ones will, will tackle them first, like California has. Um, I think that what's, what's gonna come into focus as the states, uh, take up this activity is that we're really gonna start to see, um, divergence in, in opinion, um, at the state level about how far we should go in terms of privacy protection. And that's gonna force the federal conversation to come into focus. Um, but I will say that as data flows around, um, it's showing, you know, it's showing cracks in the regulatory landscape we live in because things that are heavily regulated, pieces of data in the hands of a provider or a payer, as soon as it moves via the interoperability rules to, uh, you know, a third party digital health app, all of a sudden it's very unclear what kind of regulatory, uh, requirements exist for that data in the hands of that digital health company. Um, that's a big crack, that's a big privacy, uh, risk for, for people. And so people are gonna need to figure out that piece of it. Um, and that means that at the state level and at the federal level, there's gonna have to be more activity. So I think, you know, step one, states continue to operate and pass legislation, and then eventually the federal government will step in and do something a little bit more, um, harmonious at the top level.

Speaker 2:

I, I, I completely agree with that. I think in this case, the, the need's gonna outpace some of the regulatory stuff, you know, um, necessity being the mother of invention, so to speak, that they're going to have to, they're gonna have a choice. So, I, I think your comments are spot on. Uh, this has been the AHLA Top 10 podcasts, uh, this particular series, Opportunities and Risks with Increased Interoperability in Healthcare. And my name is Barry Mathis with PYA. We've been talking with Shah and Beth Scarola with, uh, Epstein Becker and Green. Alaap, I wanna say thank you. Beth, I wanna say thank you very much. I've enjoyed the conversation immensely, and I hope those who are listening have as well.

Speaker 3:

Thank you.

Speaker 5:

Thank you.