
AHLA's Speaking of Health Law
The American Health Law Association (AHLA) is the largest nonprofit, nonpartisan educational organization devoted to legal issues in the health care field. AHLA's Speaking of Health Law podcasts offer thoughtful analysis and insightful commentary on the legal and policy issues affecting the American health care system.
HIPAA and Hybrid Entities: How Costco Developed an Effective Program as a Retail Organization
Wes Morris, Senior Director, Consulting Services, Clearwater, speaks with Gary Swearingen, Counsel, Costco, about the unique challenges that Costco faces as a hybrid covered entity. They discuss the hybrid entity model and how it differs from traditional health care covered entities; Costco’s history as a hybrid entity and how it currently operates; and how Costco navigates issues related to privacy, security, breach notification, risk management, and external party reviews. Sponsored by Clearwater.
Support for AHLA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Their solutions include their proprietary software as a service-based platform, IRM Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise and advisory support from their deep team of information security experts. For more information, visit clearwatercompliance.com.
Speaker 2:Hello, I'm your host, Wes Morris with Clearwater Compliance. Joining me today is Gary Swearingen, Counsel for Costco. And, uh, Gary, you and I have worked together for quite some time now. We've, we've had a number of different opportunities to spend time together thinking about this subject and talking about all these things. The thing is, is this, is that Costco has sort of a unique, uh, place, not unique, but certainly much more limited than a lot of organizations do within the HIPAA space, and that is that of being a hybrid entity. So we thought that today would be a perfect opportunity for us to talk about this idea of the hybrid entity and, and how Costco has done things, and that it might be useful to our listeners to think about and, and consider some of the challenges that go into, uh, this particular model. So, um, start us off. Would you, would you tell us a little bit about yourself and how you came to be, uh, counsel for Costco in this?
Speaker 3:Sure. Yeah. Uh, so again, uh, I've been practicing, uh, 26 years or so. Um, when I was in, uh, my private firm, uh, in 2003, we needed the HIPAA expert. So I read the rule and became the HIPAA expert, of course. So I do have, uh, a lot of familiarity, uh, with HIPAA. At that time, we, uh, we represented kind of unique entities, um, uh, employee health monitoring programs, uh, and those, uh, we, we didn't represent hospitals and the, and the kind of the ordinary, uh, entity. So it's always been a little different. Um, and then, uh, I came to Costco in, uh, 2014. Um, and again, I had a HIPAA background, but by that time I certainly wasn't an expert. I hadn't, uh, done much in, uh, HIPAA biosphere for, for several years. Uh, my, uh, former companies were not health related at all. Uh, but I was, uh, tasked with representing the, uh, pharmacy, the hearing aid center, uh, the optical center and the HIPAA portion of the employee benefits plan, uh, among other things.
Speaker 2:Okay. Okay. And, and you and I have done lots of work together over the years looking at those different programs. We'll get into 'em in a, in a little more detail here in a few minutes. Um, so you mentioned the pharmacy, hearing aid, optical and, uh, the employee benefits plan, which is an ERISA plan. Am I correct?
Speaker 3:That is correct. We're self-insured.
Speaker 2:Okay. Yeah. Um, in, in addition, uh, later on you've developed another business that has HIPAA perspectives or requirements within it, and that's your, uh, Costco Health Solutions. Can you tell us a little bit about, uh, Costco Health Solutions
Speaker 3:Way? Yeah, so, so Costco Health Solutions is a pharmacy benefit manager. Uh, so you, the rules, they're not a covered entity, uh, but they are a, uh, a business associate of covered entities, including a business associate of Costco itself, uh, in the health plan. And they're similar to a third party administer administrator function. Uh, we only service self-insured plans. Um, and so we work closely with the TPAs of the larger plans and, uh, well, well of all the plans, uh, and particularly manage pharmacy benefits, um, for self-insured entities.
Speaker 2:So was this something that, uh, was created initially to support Costco's pharmacies and then expand it? Or was that always the plan from the beginning was to make it, uh, expanded to self-insured plans?
Speaker 3:Uh, so it was really twofold. Uh, one was to provide it, Costco has a lot of business members mm-hmm.<affirmative>, uh, small to medium to some large business members. So it was a service offering to those business members, uh, as well as frankly, to support our pharmacy operations. You know, we think we have a pretty good, uh, uh, pharmacy package for small employers and, you know, some of the PBMs on the market, you know, that they were more concerned about market share and making sure the plans had coverage, you know, everywhere. Mm-hmm.<affirmative>, uh, and we don't have Costcos everywhere. Uh, we only have, you know, 580 locations now. Uh, and so it was a way to, you know, form a pharmacy benefit service for employee plans and to put, help them, uh, save the money that Costco pharmacies, uh, can do. And, and we've expanded, you know, since then, you know, we have arrangements with, with others, so we can provide a full nationwide network of pharmacies. Not all Costco pharmacies, but, um, you know, in our view, Costco pharmacies still provide a, a pretty good benefit.
Speaker 2:Of course, of course. It's funny that you say they're not everywhere, because in my region I'm in Idaho and I know of at least five within driving distance of me, but, but as I think about it, none of them are in my town. So I guess you're right, they're not quite everywhere yet, but a lot of locations around the country and some even extra, uh, US. Right. Uh, you've got locations overseas.
Speaker 3:Yeah, we're in, uh, southern countries now. Internationals are fastest expanding, uh, group. Of course, we don't have HIPAA in other countries, and so that's a good thing for me.
Speaker 2:Then, then you have other requirements that you have to meet if you're in Canada, whatever the rules are there under, uh, PDA or other areas, uh, if you're in Europe, uh, et cetera. Right. So<laugh>, that's kind of interesting. Um, but within the US you do function as, uh, as a HIPAA covered entity for your, uh, lines of business, the pharmacy optical hearing, correct?
Speaker 3:That's correct, yes.
Speaker 2:And, and do you treat the, um, uh, the, the group health plan, the benefits plan portion as its own covered entity, or do you roll it into the same entity as, as pharmacy optical hearing in the, in the retail side?
Speaker 3:So we, we generally keep them separate. Uh, we have a separate, uh, privacy policies for the hearing centers, uh, and then we have separate policies for the employee benefits plan. Uh, so we, we try to keep that, that separate, uh, consistent but separate. Um, you know, cuz in essence the health centers are a customer of the farm of the benefit plan. Um, you know, that's not a HIPAA issue, but, but as of a concern to make sure that we are providing the, you know, the best and, um, most patient service for the employee benefit plan.
Speaker 2:Yeah, that makes sense to me. So going back to this idea of, of a, uh, hybrid covered entity, what does that mean in the HIPAA parlance? How does one get to be a hybrid covered entity?
Speaker 3:So, hybrid entity, you can choose to be a hybrid entity. Uh, a company like ours, you know, currently we have 250,000 employees. Um, and, you know, lots of, uh, uh, sales, really, a very small percentage of that is in an area that HIPAA covers. Uh, and so the idea of Costco as Costco as a whole, as a covered entity and training everybody on HIPAA that would never touch it, uh, really is not a, not an efficient process and it's not a good process either, either. So the regulations allow us to, to choose to be a hybrid entity. And what that means is, is the portions of the business that relate and are covered by HIPAA can be their own covered entity, and the remainder of the company is not a covered entity.
Speaker 2:Right. So the idea, Oh, I was just gonna say, so the idea is this, is that somebody who's checking me out at the front, uh, is not going to be it, it wouldn't need to have the training that somebody who's checking me out at the pharmacy would, uh, as as an example.
Speaker 3:Yes. That's, that's the prime example, yes. Mm-hmm.
Speaker 2:<affirmative>. Yeah. Um, so what did you have to do to choose or designate yourself as a hybrid entity? Were there formal and legal steps that had to be taken?
Speaker 3:You know, that was, uh, the initial selections was before my time. Uh, but my general understanding of the process is, is, you know, we elect, uh, in our privacy policies to designate ourselves as a covered entity. Uh, so our privacy policy, uh, does that designates, uh, which portions of the business are within this covered entity, uh, as well as which members of the HIPAA workforce or which, which employees are members of the HIPAA workforce. And that's all designated in the, in the privacy policy. Uh, mostly that, that's important for the supporting roles that, that we have for, for the covered entity, it's obvious that the pharmacy staff are within it, but you know, we also have IT finance, um, and others within, and lawyers within the, uh, work workforce.
Speaker 2:Yeah. You would also have in maybe in some of the warehouses, the people who are administering, uh, onboarding a new hire training or making sure that people are actually getting trained on the things they need. Would those, would there be a role for that as well? Or am I overstating it?
Speaker 3:So probably not the training people. Mm-hmm.<affirmative>, uh, because, uh, the health centers handle all HIPAA training, uh, themselves, um, there is, uh, there is overlap within the warehouses. Uh, in the onboarding process, you're right, uh, the people who, who are onboarding employees into the pharmacies, cuz we do have background checks and things like that that aren't necessarily required by HIPAA, but, but are related. And then we have, uh, upper, upper warehouse management is within the, the workforce. Um, our locations are really managed, uh, somewhat, uh, independently mm-hmm.<affirmative>, uh, so the warehouse manager is, is in charge of, of the health center employees. Uh, there are exceptions to that, uh, mostly around the professional judgment of the, uh, of the professionals. Uh, they're not allowed to interfere with that, uh, but they do the standard HR functions and occasionally those functions would require access to, uh, health information. So they are part of the, part of the workforce.
Speaker 2:Ok. Um, at one time you had the, um, the, each of your health centered components, optical hearing pharmacy sort of broken out into their own. They, they each had a privacy official that oversaw them. You changed that a few years ago, right? Why was that?
Speaker 3:We did, uh, so, so since the inception in, in 2003, uh, we had, uh, one privacy officer for hearing and optical, uh, because those businesses were aligned. Uh, we had one privacy officer for the pharmacy and we had one privacy officer for, for employee benefits. Um, and that was, that was largely because those entities tend to self-manage themselves in a lot of different areas. And so it made sense for HIPAA as well. Um, but as, as we grew, uh, and uh, over the years, it became apparent that we would benefit from consistency across the organizations. Uh, so that was, that was the primary impetus for, for finally deciding to go with a centralized one privacy officer. Uh, it also coincided with other US privacy efforts cuz we, we, uh, because of the California rules and other rules, we actually had a privacy office, uh, that was staffed and could manage all of the requirements of, of the, uh, HIPAA privacy officers, you know, back in, back in 2003. Uh, there wasn't much privacy regulation in the US except for HIPAA. And so, you know, the idea of centralizing it didn't make as much sense as, as it does now.
Speaker 2:Yeah, yeah. You know, and we've always said that HIPAA is the floor, uh, but that, uh, laws like state laws that give the, the patient or member more rights or that put more restrictions on the covered entity. Can that, so in essence exceed HIPAA would then be the minimum standard to be met in that particular location. Does that create any challenges for you and your lines of business to be in, say, California versus Washington versus Idaho, for example?
Speaker 3:Yeah. The way we run our business, it's not a whole lot. Okay. There are only a few areas where we need to be concerned about state law. Um, we don't, uh, we don't charge patients for their medical records, so we don't really worry about state laws that limit, uh, the amount of money you can charge, uh, a patient. Uh, the real area of difference is in data breach, um, data breach reporting. Uh, some states exclude, you know, HIPAA, uh, in general. Uh, but some states do impose a higher standard and, you know, we incorporate those into our data breach plan that luckily we've not had to exercise
Speaker 2:<laugh> Keep our fingers crossed for that. Yeah. Um, so yeah, you, I think it's important to note you have the plan, you've considered the, the requirements, you're ready to manage them if necessary. Yeah.
Speaker 3:And test it. We test it annually. So,
Speaker 2:And test tested annually, do you do that with like a table top or do you send a case through from a pharmacy to, to, to weed its way through? How do you do that to, to test that kind of a plan? What's the easiest way or the most effective way, do you think?
Speaker 3:Yeah, so on this, it's, it's a, it's a table top, uh, exercise. Uh, you know, we do have, uh, HIPAA, uh, breaches occasionally, but we don't, we don't run the, uh, the, the i, what I call is paper based breaches through the incident response plan because it's really geared towards something more, uh, widespread. Uh, so the, the privacy office and the health centers still handle, you know, somebody getting, uh, the wrong receipt, uh, that has PHI on it. Uh, we don't run those through the incident response, but certainly anything that, that, uh, looks as if it might be a, an issue, um, runs through the incident response team. So they do tabletop exercises and we've had, uh, enough, um, uh, false alarms, I'll call them, uh, that they get some, get some exercise in that and running through investigating. Uh, we just haven't had anything on the reporting side.
Speaker 2:That's always a good thing,<laugh>. Um, so when you think about, um, all of these different components, uh, that, that, that have to be considered and managed so far, we've really talked about it from the perspective of privacy and breach notification. Um, what happens on the security side of the house? Are they likewise broken up in these different functional ways that privacy is, like the group health plan has a privacy officer and all of that? Or how is the security handled for, for an organization as big as Costco knowing that we need to be careful not to start, uh, opening the doors to someone being able to look too deeply into that?
Speaker 3:Yeah, Right. So we've always had, uh, one security officer, uh, our networks and, and this is one of the challenges for a hybrid entity. Uh, you, for efficiency purposes, we have one, uh, IT department. Um, we have one security department, uh, that manages, uh, everything company wide. We have IT professionals designated to the health centers, but those, you know, they, they build the systems and improve the systems. But on the security side, we're really one company. Um, and so, you know, we have the same policies and procedures for the most part, uh, for the health centers and benefits as we do the rest of the company. Um, and, you know, the way our security works, you are, that that is certainly, uh, meets all of the HIPAA requirements. Uh, as most of your listeners know, you know, the HIPAA requirements are not, are not really prescriptive, Right. So it gives a lot of flexibility.
Speaker 2:Right. And as long as you're doing the quote unquote, the reasonable and appropriate thing, then you're, you're doing something that is meaningful and supported and all of that. Yeah, I, um, very much. Um, one of the things that we haven't really touched on before is this, is that because of, of your business, you're gonna have a huge range of vendors supporting your organization. Some of those vendors are gonna be, uh, people who are just simply selling a product, uh, or, or whatever, uh, others are going to be involved in a, in a much more detailed way. How do you look at risk management with all of these vendors? How, how have you built your program to manage this huge range of organizations and companies and even individuals who may be trying to sell you a product or a service or perform a function for you?
Speaker 3:Yeah. Uh, so, uh, on the, on the health center and benefit side, of course we have our business associate agreements, but those are really insufficient. Uh, you know, we cannot to not to fill, try to fill the business associate with everything we need because, you know, we get too much pushback. And so we use the business associate agreement in conjunction with them, more fulsome master services agreement with, you know, all of the security requirements we expect them to have. Uh, so that's the contractual side of things. Mm-hmm.<affirmative>. Um, in addition, we have a vendor risk management process that, uh, that any vendor with health information or, or any personal information, uh, is assessed, uh, annually. Uh, so we, there's a questionnaire and we do, we review, uh, various third party attestations, uh, from them, uh, as well as requiring, uh, penetration testing and other things like that. So it's a pretty robust, uh, process. Uh, it, it, you know, it's certainly had to ramp up over time, uh, but we think we're in a good spot right now.
Speaker 2:Yeah. So you assess those who are holding personally identifiable information of any sort on an annual basis, that then leads me to assume that, that somewhere along the line you tier, uh, vendors by those who aren't holding that kind of information. Does that change the frequency of your reviews?
Speaker 3:Uh, it does. We, we have, we have tier, um, you know, the, the aspirational view is we're gonna assess everybody. Uh, but you know, that's not always practical. So, so we have, uh, you know, kind of the tier one every year, Uh, and then we have those that have no relationship to health data or personal information, uh, but might have, uh, some other sort of IT access. Uh, those are on a different, different schedule.
Speaker 2:Right, Right. And, and the reason that I ask about that is, is, is that I, I find that the approach you're using just makes really good business sense and, and really good security and privacy sense too. You've, you've decided how, uh, an organization that you're looking at should be assessed, uh, based upon what they do and what they have, um, and, and what risk it might create for your organization if there were a compromise, those kinds of things. Uh, so let's go back around on, uh, we were talking a little bit about privacy and, and breach. So when, when something happens at a local pharmacy level, can it be ever, or, or a local warehouse level, let me say it that way, can it ever be resolved at that level? Or does it, if it's, if it's got privacy or security connotations, must it rise all the way up to the privacy or security officers at corporate level?
Speaker 3:So a little bit of both. Some things are resolved, uh, at the local level, uh, meaning the patient walks away happy. But, uh, we always investigate. Um, uh, sometimes the investigation is really, you know, fairly easy. You know, we did this and this is what we did, Uh, but it always rises to, uh, the privacy office, uh, to determine whether further investigation is required. Uh, Right. Whether it's a breach with a capital B,<laugh>
Speaker 2:B, Yes.
Speaker 3:And yeah, and, uh, to, to notify the, the party of the decision.
Speaker 2:So even if the matter is, appears to be generally resolved at the local level, it is still gonna rise up for oversight and visible. It will
Speaker 3:Some point. Yeah. Makes sense. Yeah. And the, you know, so the, the pharmacy is a bit easier because, you know, if you give somebody the wrong bag of medicine, that's not only a HIPAA issue, that's a health and safety issue. So, so we have, uh, you know, we have peer review processes that review all of those to find out what happened. Uh, and so tho those are easily elevated. Some of the optical stuff, for example, uh, you know, somebody comes back in and says they have the wrong receipt, that would be easy for a warehouse to simply say, Oh, it's done. But, uh, I think our people do a really good job of understanding the importance and escalating that so we can do a full, a full review.
Speaker 2:Right. Yeah. Good. I already knew these things, which is why I wanted to ask them. I, I just felt like it was an opportunity to share that little piece with, with our listeners that maybe somebody would say, Oh, I hadn't considered that approach, or whatever the case might be. Good. Uh, I mentioned at the outset that you and I have quite a history together. Um, I came to Clearwater in 2013. You came to Costco in 2014, and I think it was probably around then that we met, uh, I think it was, we actually did some work together to, uh, conduct compliance assessments and risk analysis work with you. Um, talk about the value or your thoughts around, maybe not the value, but your thoughts around having an external party perform some of these reviews and analyses for you on a routine or recurring basis.
Speaker 3:Right. So I think that, you know, for us it was an instrumental value. It was, it was something we had to do. Uh, you know, Costco's a company that everyone's been around forever. Mm-hmm.<affirmative>, uh, and so because of that, I mean, our, our, in 2014, we had the same privacy officers we had in 2003<laugh>. Uh, as a consequence, we don't always write things down. Uh, and that's the real value of having the third party come in. And it says, particularly on the privacy and breach side, you know, we thought we were generally doing the right things, but, you know, our policies and procedures were clearly deficient. And now that the statute of limitations has run on us, I can say that<laugh>, um, uh, and so, you know, it was quite, it was quite an effort to, to identify, uh, what we were missing. We, of course, had a privacy policy mm-hmm.<affirmative>, um, that met all the requirements, uh, but we didn't have the policies around that, and we really hadn't, uh, uh, changed it over time as the business evolved. Uh, so, you know, it was a little, it was a lot of touch, and it's good for, uh, uh, a third set of eyes to look at it and say, you know, uh, you say you're doing this, but you're not doing that anymore. Uh, and you really need to, to document it. Right. Um, the same thing to, uh, uh, less extent on the security side. You know, we had a good security profile, but, but we didn't have, uh, you know, all of the security policies and procedures. Um, we, we certainly do now, uh, one of the challenges on the, on the security side is that, um, other areas don't act, require all of the documentation that HIPAA does. And so we had occasional issues where, you know, the, the policy writers want to write a nice clear policy that people understand, and then you gotta stick something in it that's HIPAA specific that really is outta place, even though you're following the technical requirements.
Speaker 2:Right, Right. Yeah. Yeah. Um, I, I, I think the, uh, the key here is, is, is is that you choose to have a third party perform these reviews, um, as validation or that third set of eyes to find those nuances that someone else might not, uh, have picked up on. Uh, and, and as you said, I I, I really like the point that you made there about the fact that, uh, the same privacy office officers and and team were in place 12 years after it all started, or 11 years after it all started. And so we get, we can become complacent. Yeah. Any of us can. And, and while this is not an advertisement for Clearwater, I'm just making the point that having a third party review seems to be, uh, to have a value there to maybe break some of that complacency that can occur after a long time managing the same program, same environment, and, and not necessarily catching the, um, the nuances and the changes that occur unless you're staying right at the forefront of the industry and hearing what's going on and, and those kinds of things. Um,
Speaker 3:And, and over time the assessments have definitely changed. Uh, eos one of your favorite terms is we got big rocks and we have something else. And, you know, last two assessments, we, we don't really have big rocks anymore to move. We have, uh, we have small things that, that can improve us, uh, and improve our, uh, uh, our program.
Speaker 2:Yes, absolutely. Um, small improvements to really tighten the final, the, the final details up. Um, rather than, than, Oh my goodness, we've got big problems and big challenges to solve. Yeah. Yeah. Yeah. Um, well, uh, I have certainly appreciated the relationship and the, and the work that we've done together over time. And I, and I hope that we continue to do that in the future as well. Um, one of the things that you have chosen to do is not just have someone look at your program from the perspective of headquarters and privacy and security officers and policies and procedures. You also have third parties go out into warehouses. What happens when you do that? What, what more do you pick up on that you might not pick up on if you're just doing this at the policy and documentation and headquarters level?
Speaker 3:So, so what we find out, find out is, uh, a couple things. Uh, one, whether they know about the policies, uh, and are following them. And so that, that leads to, it's primarily a training issue. Uh, you can't assess a training program until you look at who's being trained. Um, and then we still find, um, you know, changes that we've made a few years ago that aren't fully, uh, integrated in the warehouses. And so that helps in that regard. Um, as well as occasionally we, we find something that, that a warehouse is doing that is better, uh, and that we should really look at, uh, look at, uh, co company wide. We have, Costco has a longstanding program to audit each warehouse, and we have, um, uh, regional supervisors that walk through warehouses frequently, and the, uh, the health centers folks walk through, uh, you know, frequently, at least once a year. Uh, and, but there's some things we just, again, that, that third set of eyes going through and really looking at it specifically. Um, sometimes, you know, health privacy is always important, uh, but you know, if you're looking at somebody's optical prescription, sometimes people just go, you know, it's not really that important. Uh, but it's a regulatory requirement. And so, so, you know, it may not be in the top of mind of one of the regional supervisors going through, uh, to look at that, to look in the garbage can. Uh, but uh, when the, when the experts come in, they see all that,
Speaker 2:Right? Yeah. Yeah. Well then the other side of that coin is, is, is that what's important, you and me in privacy is very different than what's important to someone else. None of us really know what somebody else's life and challenges is life, do we?
Speaker 3:Yeah, exactly.
Speaker 2:You know, there have been situations over the years where as, as a privacy or security officer, someone's brought a complaint or an issue to me, and, and my initial thought is, is, well, why is this a big deal? But then when you start to dig into what, what this person's concern is, you gain a whole new perspective for why they're concerned about it. Uh, so that's always good. Yeah.
Speaker 3:Yeah. And we, and we try to try to work to the, to the highest standard, uh, Yeah. And not have to deal with those issues where, where we fell down on, uh, on something that somebody thinks is, you know, is very important. We've, we've had, we've had those situations that, um, you know, this is, this is a big deal personally, you know, I applaud HHS and OCR over the past couple of years for really focusing on some of these smaller issues, you know, access to records mm-hmm.<affirmative> and the, the smaller issues instead of the big breaches. Cuz you know, some of those smaller issues are really egregious, uh, as opposed to a breach, which, you know, is a, is a failure of systems. Right.
Speaker 2:Yeah, I I I I like the way you say that. Um, and I agree with you, you know, it's breach tends to get the outsize level of publicity, uh, because, well, in, in the case of over 500, it ends up on the, what is colloquially called the wall of shame on the, on the breach reporting system. And so anyone can go and see and look at that. Um, but, uh, there are many other issues that, especially I, uh, I applaud the, the point that you make about the access initiative, uh, that is, you know, some of those cases within access were, were very small in terms of the outcomes and the penalties, but the problems that were uncovered, uh, by the investigation, um, were, were interesting to know about and highlight and try to help other people understand them so that other organizations don't have that same problem. Well, Gary, this has been a great conversation. I've really appreciated it. Uh, if there was anything that you wanted to wrap up with the, to sort of close out this topic, what would it be? What, what would you say to wrap up for us?
Speaker 3:You know, I think to, to wrap up, well, being a hybrid entity solves a lot of problems. Uh, it's hard, uh, you know, it's hard to separate out things and keep, keep the walls in place so you don't, you don't intermix. So it takes, it takes a little bit of vigilance, um, uh, not so much on the privacy side. That's particularly on the security side to, to make sure that, you know, we're still maintaining that, that separation. Cuz you know, once, once you don't maintain the separation, you're not a covered entity anymore, and all 257,000 employees are in the workforce.
Speaker 2:Yeah. Yeah.<laugh>, that's a very good point. You've gotta make sure that you have done a good job of building the walls and, and determining what's important to be on each side of the wall. But then I think your, your key point there is, is that you've got to maintain them in a reasonable way. Yeah. Um, I appreciate very much the time that you've spent with us this morning. Um, I, and I hope that our listeners enjoy this one as well. So I'll wrap up by saying, on behalf of Gary Swearingen and Costco and myself and Clearwater, we thank you for listening to this episode and hope that you have a great day.
Speaker 1:Thank you for listening. If you enjoy this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.