AHLA's Speaking of Health Law

Keys to an Effective HIPAA Data Breach Response

October 08, 2021 AHLA Podcasts

Wes Morris, Managing Principal Consultant, Clearwater, speaks with Andrea Lee Linna, Partner, McGuireWoods, about the key steps that can make the difference between an organization’s effective response to a HIPAA data breach and one that sets it down a troublesome path. With cyberattacks accelerating and the rich data pool flowing across the health care industry squarely in hackers’ sights, having a well-established gameplan for responding to a HIPAA breach is a necessity for any organization that creates, receives, maintains, or transmits electronic protected health information. Sponsored by Clearwater.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

Support for AHLA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Our solutions include our proprietary software-as-a-service-based platform, IRM Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise, and advisory support from our deep team of information security experts. For more information, visit clearwatercompliance.com.

Speaker 2:

Good afternoon, and welcome to the latest edition of the Speaking of Health Law podcast. I'm your host today, uh, Wes Morris. I am the managing principal consultant with Clearwater. And joining me today is Andrea Lee Linna, who is partner at, uh, McGuireWoods' Chicago office, and part of the firm's team of more than 60 healthcare attorneys. Andrea represents clients at the intersection of healthcare innovation and technology. She advises investors, healthcare providers, and healthcare technology companies on mergers and acquisitions, data privacy and security, regulatory requirements, healthcare IT, and fraud and abuse. Andrea frequently speaks and writes about emerging healthcare and technology topics. She's been quoted by CNBC and Crain's and has given guest lectures on healthcare law at Northwestern Pritzker School of Law, uh, the University of Michigan School of Public Health, Loyola University School of Law, and the Wharton School of the University of Pennsylvania. And today we're going to be talking about getting back to the basics, uh, when it comes to, uh, a number of different areas. And Andrea, to start off our conversation today, how would you say that you would phrase the, getting back to the basics, what is it we're trying to get to here?

Speaker 3:

Mm-hmm. <affirmative>. Well, thanks, Wes, for having me. I'm super excited to be a guest on this podcast. I listen to the AHLA podcast a lot, so it's an honor. So I'm excited to be here. But yeah, we wanted to touch on today, you know, back to the HIPAA basics, because HIPAA's been around a long time and we are all extremely familiar with it. All medical professionals, compliance officers, and health counsel, um, outside counsel think and know a ton about HIPAA, and much of their professional career has been, you know, since HIPAA's been enacted. But I think one thing that I've been noticing recently, and I'm sure many others are as well, is that this can provide a sense of comfort when maybe there shouldn't be any. I mean, I see nearly every day healthcare clients from small to big that don't have their compliance programs in a good place. And this is a real compliance risk, um, financial risk, reputational risk if there is a HIPAA breach. So many times, you know, a client or a company will experience a breach, or OCR comes in to investigate, or, you know, they have an adverse consequence from, um, lack of HIPAA compliance and maybe an attempted sale of the business. And HIPAA compliance finally comes back to the, to the forefront. So what we wanted to talk about today is just revisiting those basics of HIPAA breaches and HIPAA breach analysis, um, so we can make sure you're kind of getting in front of that. And we all know HIPAA, but we're also focused too on all of, what's the new thing? What's, what's the new reg, what's the new rule? And maybe we need to just revisit and make sure our existing HIPAA compliance practices are in a, in a great place. And too, um, it's just the state of cybersecurity right now. I, I feel this way, I'm sure other people feel this way, is there's just an overwhelming number of threats. Um, persistent nature of privacy threats. I mean, you hear about breaches every single day.
I mean, there's, from the international threats with state actors trying to hack in, um, and get information from national, national security, there's your opportunist targeting healthcare data specifically. And then you have your more common breaches outside of hacking in IT, whether that's unauthorized disclosure or loss or theft. Um, and then after that, 2020, right, you can't go without talking about COVID <laugh>. I mean, this has been, you know, 2020 is a year unlike any other, and you've got, you know, more and more people using their own devices, using their own cell phones, their laptops at home, remote work adoption due to the pandemic. And then there's been reports, you know, comparing the data breaches that were reported in 2019 compared to those reported in 2020, with over a 55% increase in 2020 and expecting a similar increase for 2021. So yes, it's an old topic, but, you know, distressing that it, it can't be ignored. And, um, it's just as important now as it was, um, 10 years ago or 20 years ago, and we should really be keeping it in the forefront every day.

Speaker 2:

Yeah. Thinking, thinking back, uh, you know, I started working in this, in this field about a month after the privacy rule compliance date in 2003. Where has... wow. Um, oh my goodness. Um, and, and, uh, you know, I remember the early days with HIPAA and just trying to figure out how to write basic policies and procedures and, and, and train our folks and, and all of those sorts of things. And, and that first policy and procedure that ran 300 pages because I could not figure out how to write one that's meaningful <laugh>, you know, and, and, and then, and then it sort of went quiet for a few years. We had our basic policies, we had our training program, and then things just sort of coasted along a little, uh, until, well, we had the security rule come in 2005, but the big one was the breach notification rule that came as a part of HITECH. That was kind of a game changer, wasn't it?

Speaker 3:

Why? Yeah. No, definitely. I mean, added teeth for sure,

Speaker 2:

When, when I think about the, the breach notification rule in specific, and I know we, we were gonna, we're gonna talk some about that. I think about the time before the breach rule in which we had to investigate a, uh, any, any sort of an impermissible disclosure or compromise. We had to investigate it, we had to document it, we had to take action to mitigate it, whatever the case might be. But the one thing we didn't have to do was tell the patient, unless they asked us <laugh>, you know, mm-hmm. <affirmative>, unless they came to us and said, I'd like an accounting of disclosures, we didn't actually have to tell them. And that's really what changed with the breach notification rule. And as we've gone forward from there, you know, in the early days of the breach rule, there was still some kind of looseness there. Um, uh, you might recall this, where there was, uh, instead of the probability of compromise being the standard by which we evaluated a breach, it was a, uh, risk of harm. Uh, you, you might recall that particular standard, um, and mm-hmm. <affirmative> when we hit that risk of, when we changed from the risk of harm, which kind of gave us a lot of leeway to decide whether to make a notification, and we got to the, the probability of compromise standard. That's really when the game started to change in terms of how we had to react and how quickly we had to react. But, you know, we're 10, 10 plus years in, I think almost 12 years in. Why is the breach notification rule still so difficult for us, and why is breach notification still such a difficult issue for us to, to manage, mm-hmm. <affirmative>, and why is this worth refreshing again?

Speaker 3:

Yeah. Well, and I think that's one of the places where I constantly, um, see covered entities and business associates, um, having missteps in HIPAA compliance is around breach analysis. Um, so often I will see, whether it's in the deal context or otherwise, where perhaps you're receiving hotline complaints that involve PHI and there's just no record that they were adequately investigated. There's no documentation, or potentially there's patient complaints that aren't properly getting to the, you know, HIPAA privacy and security officer or officers, and they're not getting, um, to general counsel and being reviewed and investigated in the way they should. So I think that's an area just I'm seeing more and more of, where's that documentation? Where is the breach analysis? And really just reminding covered entities and business associates that that's a critical requirement. I mean, you're required to maintain that documentation, um, if you're, you know, when you go through that breach analysis. So really demonstrating, like you were talking about, is there a low probability that the PHI has been compromised? And then looking at the factors that are in the breach notification rule to determine whether you actually have a reportable breach. And I think this is a critical step, not only to determine, okay, do I have to report, but also prevent you from over-reporting? Right? Not every single potential breach is an actual reportable breach. I mean, there are many legitimate reasons in the, in the privacy rule why you may not have to report. Um, so looking at, you know, carefully looking at that four-factor test that, you know, the nature and extent of the PHI involved, are you dealing with disclosures of full medical records? Are you disclosing, you know, social security numbers, mental health information? What is the scope of the identifiers that have been potentially disclosed? Who was the unauthorized person who used the PHI or who may have received it?
Was the PHI actually acquired or viewed? And then the extent of your mitigation. And I think that last one too is so important, of make sure you're documenting all the great things you're doing. What steps did you take to mitigate any risk? You know, did you train people? Did you have to fire someone? Did you have to put in additional security protections? Did you do another security risk assessment? I think so often, um, parties are either just not documenting, and that's why we're not seeing it. Um, so they should be documenting to make sure they're getting, you know, that's all critical information, um, to have when maybe there's a, a later breach that's a larger breach, or you're later being investigated, to be able to look back at those materials and show like, hey, here's my documentation of my risk assessment. Here are the exceptions that I relied on. Here was my, um, rationale for not notifying, or if I did notify, here's how I did it and who was notified and why. Um, so I think that's a critical piece of just making sure that documentation is there. Um, and it just comes up so often in my practice that I think it's, it's worth stressing, and then also not forgetting about state law, right? You've got, you know, we're all, you know, over and over, HIPAA, HIPAA, HIPAA, but you've also got 50 state laws to think about. So when you have a potential breach, really starting your HIPAA analysis, but at the same time, starting that state law analysis. Um, every state defines breach differently. Some, you know, specifically carve out any, um, PHI and defer to HIPAA. Other states, um, will cover healthcare data. They may, what a breach is under HIPAA may be different than what a breach is under a state law. There may be different notification timelines, different entities that have to be notified.
So making sure that when you're doing that breach analysis, you're not just starting like, okay, we're gonna do our HIPAA analysis, that's gonna take us two weeks, and then we're going to then turn to our state law analysis, and oops, this is a, this is a reportable breach under state law, and now we're really behind, and now we've really got pressed to get, um, our notifications out in time. So I think both of those things around just, you know, making sure you have that thorough, reasonable, um, breach analysis is so important. Um, and just one of those things that I think stresses, again, you know, it's great to have the policies and procedures, um, but they can't just be sitting on the shelf, right? You have to be actually implementing them and, um, you know, putting your actions and all the great work you're doing down on paper, so you can prove later that, hey, we've been, we've been doing the right thing and we've been taking the right steps.

Speaker 2:

Yeah. And, and you know, something that you mentioned there that, that I have often found interesting, you talked about state law, um, and, and that's critical. Uh, but one of the things that you also have to consider even with HIPAA is the jurisdiction of the, the, where the, the, um, people whose information was breached are residing. Mm-hmm. <affirmative>. So if you're in a tri-state, kind of a situation where you have people in, you know, Ohio and people in Indiana, and people in, you know, another state that are all being served by your, uh, facility, then you have to, you have to really think carefully about where these people are in terms of which states apply to what degree, uh, and where you're gonna have to make notice, uh, you know, to the different, uh, bodies, including the media in some. Totally. What, what are your thoughts there? How do you go about making sure that you've considered this most fully when you start dealing with various jurisdictions?

Speaker 3:

Yeah, I mean, it can get complicated quickly. And I think, again, just making sure that you're moving up your state law analysis up into your priority space, um, because I think it's, so often it's kind of looked at like as a secondary thing. Um, and especially what you're talking about, if you're dealing with a large breach where you've got people traveling in, you've got people crossing state lines, um, really drilling down on that. And I would recommend that if you are a security officer, a compliance officer, or, um, in-house counsel or otherwise, you know, that should be research that's already done, right? Like, right. I strongly suggest to my clients, like, you should have ready to go a breach questionnaire, which is, as soon as you receive that hotline complaint, you can go in, you've got your questions you're gonna ask yourself, you write those down, you've got your template breach, um, assessment memo. So it's got all the standard stuff in there. So you just go in and plug in the facts. You've got your chart that has the state laws that are most likely applicable to your organization. And so all of that shouldn't be something that needs to be created on the fly. Um, so really thinking about, like, hey, if we do have a breach, it's most likely that we're going to be dealing with, you know, these five states or, you know, whatever your population looks like. So having that ready to go, so, you know, right away, okay, I know this state we're in, its state law is not applicable to healthcare information, so I'm good to go. So, you know, having all that ready is super important because this is stressful, right? This is, it could be at times a bit chaotic when you, especially given a very large breach, and the amount of time that you have to investigate it, any of that work that you can do on the front end is just so crucial. Um, and making sure your organization is, it's gonna be smooth sailing, you can just open up the documents and you've got it ready to go.
You don't have 20 hours of research that you have to do just to even start your analysis.

Speaker 2:

Yeah. I, and I think that that's a, a really important point. One of the things that I heard someone say a few years ago that sticks with me when it comes to a, a breach situation, it's not a matter of if, it's a matter of when. Correct. <laugh>, it's going,

Speaker 3:

Yeah, no, great. Yep,

Speaker 2:

Mm-hmm. <affirmative>. And so being prepared at the front end is, is really crucial. Uh, I that, I think that's the best, best advice anyone can get is be prepared for this before it happens rather than after. So let's shift, let's shift gears a little bit for a moment here. When, when you look at healthcare covered entities and their, and the business associates that, that support them, where do you think things go wrong? Um, we've talked about breach notification thus far, but talk about some of the other areas where things go wrong in their HIPAA compliance programs.

Speaker 3:

Yeah, I think that, I mean, security is a big piece of that. Just making sure that you have the right, um, security protocols and procedures in place to deal with the newest, um, cybersecurity risks. And I think what's interesting, um, and that I've seen again this year has been, there's been a lot of writing and things coming of it is, you know, there's been the new HHS proposed modifications to the HIPAA rules as part of the Regulatory Sprint to Coordinated Care. And part of that was to promote value-based healthcare and encourage providers to engage in a greater degree of care coordination and allowing additional disclosures of certain information. And we're really looking forward to getting those changes and understanding what those are, because pretty much every covered entity, every business associate is going to need to change their policies and procedures, their forms, their business associate agreements. So, um, it's definitely something to kind of look out for. But around the same time that that proposed rule came out, um, there was a less publicized change to HITECH, and this was under House Bill, um, 7898. And basically it said that HHS, you need to start considering more recognized cybersecurity practices. And that if, you know, covered entities and business associates are actually following recognized industry best practices, you need to consider that as part of how much you're gonna fine them, whether you're gonna audit them, um, whether their breach mitigation activities are sufficient. Um, and so that rule is just in January, and it's directing HHS to start considering these things. And the standards are published by, um, the entity, the National Institute of Standards and Technology, NIST. And, um, they have this publication of these cybersecurity practices, but it's really old. It's 13 years old, and they have asked this summer for comments on how to improve, you know, what the recognized cybersecurity practices are.
So that's another area where it's, it's, that's a potential change, right? To what we've been seeing in the HIPAA space. It's like, well, this is an old rule and nothing's really changing, but you still need to pay attention to it. But something like that is where, hey, these new cybersecurity practices and the best practices are constantly changing. So making sure you're looking at those, you're understanding what those are. And I think when we, we finally get this, um, new guidance, um, refreshed after 13 years, it is going to be really important for covered entities and business associates to, again, look back at their, at their security practices and make sure, you know, they're constantly working on those, and what they should have had implemented a year ago maybe is a little bit different than what they need to implement today, given all the threats that there are. So I think, again, it's just kind of this staying on top of it, it, it, while the rules haven't changed, it's still a constantly evolving environment, um, which becomes more threatening, you know, every day practically. So healthcare providers just really want to make sure they're adjusting to any new standards. So they, if in the event that they unfortunately may have a catastrophic breach and they may have an OCR investigation, they're ready to go, they've got, you know, hey, OCR, we have been following this new practice, like, here's all the great things we're doing. Here's why you should reduce our fines. Here's why you shouldn't audit us in the future. So I think just, you know, staying ahead of those best practices and making sure you're implementing those is really important.

Speaker 2:

So the two things I'm hearing in, in that commentary there is, is number one, that, uh, while these rules may have been around a long time, they are not static, they are in fact, iterative things are continuing

Speaker 3:

Right, to change. Mm-hmm. <affirmative>.

Speaker 2:

Yeah. And then the second thing that I'm hearing, uh, and, and I love the fact that you brought up 7898, um, because that really has caused quite a few organizations some consternation. They don't quite understand what that means or what it's, what its real intent is. Um, but uh, yeah, it's, it's, it is essentially, if I understand it correctly, it's establishing the idea that if you are subscribing to and following reasonable practices with your security program, that it gives OCR and organizations like that the leeway to be much more flexible. Would that be a good way to, mm-hmm. <affirmative>, wrap that?

Speaker 3:

Yeah, no, definitely. And I think, um, what always struck me is around the same time that that rule, and that was in January, and I think it was also in January that, um, HHS lost a big appeal, um, against University of Texas MD Anderson Cancer Center, right? So this was like highly publicized at the time, but they, HHS had fined MD Anderson, I think it was like over 4 million, mm-hmm. <affirmative>, as a HIPAA penalty for a lost and two lost USBs, which were not encrypted. Um, and that is grossly above what I've ever seen. And, you know, the court came down and said it was arbitrary and capricious and not consistent with other fines to other covered entities in similar situations. Um, and that the court stressed that MD Anderson may not have had a perfect mechanism in place to encrypt ePHI, but it did have a mechanism in place. It was requiring its employees to encrypt USBs and laptops. The employees just failed to do it. So the court noted that it doesn't have to be bulletproof, but you need to have these best practices in place, right? So to me, they really tie together in that, you know, I think HHS was being way too aggressive in the MD Anderson case. And then you've got this new bill that's basically saying the same thing, like, hey, you need to look at what are the recognized practices, and we need to allow our covered entities and business associates to be able to point back to those, because it is constantly changing and there isn't a way to guarantee, you know, nothing's bulletproof. Um, and so that to me allows covered entities and business associates and their lawyers, right, to make, to make those arguments of, you know, it, unfortunately, it's not always gonna protect you from the breach occurring, but here's all that evidence, again, of all the things we're doing, and here's how it lines up with those recognized practices. And, you know, OCR, your fine is way outta line compared to what we should be doing.
So, um, I thought it was really interesting that those were happening around the same time. I don't know that they're officially tied together, but, um, they're closely linked in my mind of, you know, again, back to this idea of, let's have, what are the recognized practices, and how important it is, um, to make sure you're implementing those.

Speaker 2:

Excellent. Um, I, I, I think you wrapped that up beautifully right there, <laugh>. Um, so <laugh>, so, so the, the, so the bottom line with the, with the NIST security standard guidance is, is that, you know, NIST is not a regulatory agency, but many of us in the healthcare industry have learned to rely on NIST as being the organization that does a really good job of putting this stuff into a framework and a methodology that we can follow and use. Because, you know, let's think about the difference between the NIST guidance and the actual security rule. For example, the security rule is written very agnostically. It doesn't, doesn't get into a lot of detail about the methodology to achieve something, but the NIST guidance does help us to establish and, and get a better path to what we're trying to do to ensure we're being compliant with these rules. Would you agree with that?

Speaker 3:

Yeah, completely. And I think, you know, there's some healthcare companies that are able to engage great companies like Clearwater and understand kind of, you know, can get into that guidance and really process it and use it. And then there are some smaller entities, I think, that are completely ignoring those kind of things. Right? So again, just back to, you know, back to the basics, being aware of the guidance that's out there, making sure, you know, you're complying with that, making sure you understand it, I think is, is so critical.

Speaker 2:

Right. Right. Now, I, I want to shift gears on us again for a moment. I, I, I noticed in my intro of you that you, you spend a lot of work, uh, uh, time working in healthcare transactions. The whole world of M&A is fascinating to me. What are some of the things that you see happening in M&A when it comes to HIPAA that you would say are best practices?

Speaker 3:

Yeah, so I do a lot, like you said, of M&A work, particularly with private equity, um, firms that are purchasing up healthcare providers, really across the spectrum. And what becomes evident to me in every one of those deals, right, is no one wants to buy a HIPAA breach. You want to make sure the company you're purchasing, um, is, well, we all know they can't be perfect in the HIPAA world. They need to be compliant. And the lawyers that are on those teams, the auditors, um, the compliance people that are on the, the team for the buyer or the seller, they're going to be looking at your HIPAA, um, policies and procedures and your practices. And that's ultimately going to impact deal value, it's gonna impact the ability to get reps and warranties insurance. It's going to impact whether or not the deal happens at all. And I think so often targets are surprised by that. Um, and I think, you know, it's a, you know, HIPAA has been around for a long time, is, you know, one argument, but it's also the argument of, well, yeah, it's been around a long time, so you have no excuse <laugh>, you know, you have to have this stuff in place, and if you don't, it's going to be a red flag to us. And, um, I think just so often in the due diligence process that's, that's coming up of, you know, hey, there, there are some potential breaches here. We don't have a breach analysis. Um, no one has ever documented this, or, you know, uh, oh, OCR came in a couple of years ago. What did they say? Um, so I think it's, it's really critical, um, to a successful acquisition, um, successful sale, to really have your HIPAA compliance in a great spot. And it, it adds a ton of value, um, to your company for, you know, investors to come in and say, wow, like, you really have it together here. You know, that gives a good, um, impression of the company, and it makes the transaction that much smoother and that much cleaner. And many, many PE firms that I talk to, they've been hit on this issue before.
Um, firms will note they've had several acquisitions where maybe in the last year they had major HIPAA breaches shortly after an acquisition. Again, they don't wanna buy a HIPAA breach, right? They've had deals where, um, a HIPAA breach occurs in the middle of the deal, um, and the deal comes to a screeching halt, um, and either takes forever to close or it ultimately dies. So, you know, the HIPAA piece of transactions, again, it seems like, okay, this is kind of an old issue, but it is so critical, um, to a foundation of the business and can really, for your clients that are looking to sell, or if you're, um, looking to sell a company, it can add so much value, um, because it is going to impact, you know, your, your escrow, your reps and warranties, um, your rep and warranty insurance, liability caps, and all of that. So I think it's just a good reminder that this goes beyond just, um, looking at, okay, what are the financial ramifications if you have an investigation or a breach? Um, it also has big financial consequences to the value of the underlying business. So that's just another reason to really, um, focus in. So I think just generally as a theme of all of this, it's, you know, getting back to the basics, refocusing your attention on the foundation of your HIPAA compliance practices is a great way to maintain momentum and maintain growth of a company.

Speaker 2:

So, so if we're still spelling HIPAA with two Ps, that would be problematic.

Speaker 3:

<laugh> <laugh>. Yeah. That's my favorite way to know that. Like, oh man, this is gonna be rough right from the beginning,

Speaker 2:

<laugh>, I, I said that intentionally, having done a few, uh, M&A, uh, due diligence projects myself, uh, that, yeah, what you've just said there is, is really the critical piece to all of that. Um, and, and I think of it much like, I think of this House Bill 7898. It's about having a program that has been in place for some time. I think 7898 says at least 12 months, right? Uh, if I recall that right? Yeah. Your program's been, mm-hmm. <affirmative>, in place. And, and the same thing applies with M&A. Uh, in many ways, it's, building a program three weeks before you're going to start the transaction is probably not going to do the job.

Speaker 3:

Totally. Yeah. I mean, I'm always requesting, hey, I need six years' worth of your HIPAA information, right? Um, and it's going to be a huge red flag if you have only got information for the past six months. And I mean, of course there, you know, you've gotta look at the business perspective, and there's gonna be times where it's a small physician group, right? As many of them are, or a small dental practice, it's not gonna have super robust type of practices. Right? And that's, and that unfortunately is common. Um, so you're looking at the bigger picture, but still, especially with very sophisticated organizations that are selling for, you know, uh, tens, hundreds of millions of dollars, you're really, you need to have those great policies and procedures and practices in place, and you can bet that people are going to be looking at, are going to be looking at that, multiple law firms, multiple auditors, um, everybody's gonna have their eyes on it. So, so being prepared for that, um, many years in advance is well worth any cost. Um, and you're gonna make that money back in the, in the value of the business going down the road.

Speaker 2:

I agree very much. Well, um, so if you had to wrap all of this up and, and put a bow on this today, getting back to the basics is of course a, um, a critical way to look at it. But is there anything that you would give as advice or guidance as, as a way of closing this out that you think would be critical and important for the listeners to hear from you today?

Speaker 3:

Yeah, I think just, you know, a reminder of refocusing that attention. I think our jobs in the healthcare space are incredibly overwhelming and stressful. And, uh, you know, we don't have to tell that to anyone listening to this podcast. And I think there's just so much going on and there's so many new rules and regulations. And so I think it's worth just taking that time, um, whether you have a set time on your calendar, there's, um, you know, maybe a set month that you're gonna, you know, focus on some of these tasks and really just get back looking at these, refocus your attention on the foundations of your HIPAA compliance practices, and the organization is going to, you know, really benefit from that time. So it's something really important to do, um, not only for our patients, but also for, for our

Speaker 2:

Businesses. And I think you hit on something very important there. At the end of the day, it's about our patients,

Speaker 3:

Right? Yes. We can't forget

Speaker 2:

That. We cannot forget that. Yes. So, yeah.

Speaker 3:

So yes, we're all patients. We all want our information protected, so

Speaker 2:

Absolutely. So important piece. Yeah, there you go. So it's really about us.<laugh>. All right.<laugh>

Speaker 3:

<laugh>, right. Gotta tie

Speaker 2:

It back. So when you wrap all this up, then, um, some little thoughts that I had that I think tie to what you said are: number one is preparation, um, preparing in advance for whatever it is that you've got to do, whether it's building something new, uh, for a new practice, or whether it's getting ready to sell a practice or whatever it might be. Preparation is the key. Being prepared in your breach notification process, being prepared in your M&A process. Those are critical pieces, it seems like to me. Paying attention to mm-hmm.<affirmative> the, uh, to the new guidance and the new directives. Uh, I know, you know, one that we haven't even really talked about yet is the proposed changes to the Privacy Rule, for goodness sakes. You know, there's a whole mm-hmm.<affirmative>, there's a whole podcast just on that one.<laugh>,

Speaker 3:

<laugh> for

Speaker 2:

Sure. Um, you know, so we've got House Bill 7898, we've got the N standards, we've got the possible changes to the Privacy Rule. All of those things are crucial. State law, knowing what the rules are in the jurisdiction that you're working in, uh, and supporting, and where you have multiple jurisdictions and different rules and regulations that might apply and different time requirements to make notice can also mm-hmm.<affirmative> play a part, right? Mm-hmm.<affirmative>. And then finally, right. The last thing, the last thing that I heard from you was document, document, document. Have we got that right? Right. Have we really hit them one

Speaker 3:

That is, yeah, no, those are it, that's a great summary. I think. Um, yeah, that's exactly right. And, you know, to your documentation point and to all the other points, it's, you know, you deserve credit, um, document it, show that you've done it right. Um, I think that can be a huge step forward.

Speaker 2:

Well, I think that this has been a very useful time for us to sit and talk through this today. Um, I appreciate the opportunity to hear someone else say things that I actually have said many times over as well,<laugh>, uh, because these are really the crucial things to make this all happen. And, uh, I hope that the listeners, uh, to the podcast will be reminded themselves about the value of sticking with doing the things that are the basics that we know work and we know have to be in place. Mm-hmm.<affirmative>, uh, and just moving forward in an iterative way. I love that word iterative, moving forward in an iterative way to solve the challenges and the issues that come up. Uh, Andrea, it's been a pleasure to spend this time with you today. And so let's wrap it up just by saying on behalf of Clearwater Compliance, uh, and myself and Andrea Lee Linna of, uh, McGuireWoods, uh, we appreciate you listening to the podcast today, and we hope you have a great and wonderful fall. And with that, we'll say so long.

Speaker 3:

Thank you.

Speaker 1:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.