AHLA's Speaking of Health Law

Assessing Cybersecurity and Data Privacy Risk in Health Care Transactions

American Health Law Association

Andrew Mahler, Vice President of Privacy and Compliance Services, Clearwater, speaks with Jordan Cohen, Partner, Akerman LLP, about managing cybersecurity and data privacy risk during the due diligence process for health care transactions. They discuss the five key indicators of a mature cybersecurity and HIPAA compliance program, whether due diligence differs based on health care sector, how entities involved on both sides of a transaction can mitigate risk and build confidence during the due diligence process, the role of state law, and the impact of artificial intelligence. Sponsored by Clearwater.

AHLA's Health Law Daily Podcast Is Here!

AHLA’s popular Health Law Daily email newsletter is now a daily podcast, exclusively for AHLA Premium members. Get all your health law news from the major media outlets on this new podcast! To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.

Speaker 2:

Support for AHLA comes from Clearwater. As the healthcare industry's largest pure-play provider of cybersecurity and compliance solutions, Clearwater helps organizations across the healthcare ecosystem move to a more secure, compliant and resilient state so they can achieve their mission. The company provides a deep pool of experts across a broad range of cybersecurity, privacy, and compliance domains; purpose-built software that enables efficient identification and management of cybersecurity and compliance risks; and a tech-enabled 24/7/365 security operations center with managed threat detection and response capabilities. For more information, visit clearwatersecurity.com.

Speaker 3:

Welcome everyone. This is Andrew Mahler, Vice President of Privacy and Compliance at Clearwater Security, where we help healthcare organizations move to a more secure, compliant and resilient state. So let's just dive in. Experts are predicting investment in healthcare technology and services companies to be robust in 2025. But growing concerns over cybersecurity and data privacy and data protection practices could serve as a roadblock to a successful transaction. Cybersecurity and data privacy, as we know, have not just emerged as significant considerations, but now really are commanding center stage in healthcare transactions and illuminating the need for thorough due diligence to safeguard both the business value and reputation. So, I'm pleased to discuss this really important and frankly timely topic with Jordan Cohen. He is a partner in Akerman's healthcare practice and the leader of the firm's digital health team. Jordan advises clients on transactions involving healthcare providers and other healthcare-related platforms about how to assess and manage cybersecurity and data privacy risk during the due diligence process. Jordan, it's really great to speak with you. And if you don't mind, we can just dive right in.

Speaker 4:

Great to speak with you, Andrew. That sounds great.

Speaker 3:

Yeah. Thanks, Jordan. So let's just start at the beginning and set the stage here. How would you say some of the major cyber attacks and data privacy incidents of 2024 are impacting healthcare organizations going through the due diligence process, and how do those issues really inform those discussions?

Speaker 4:

Well, I think more than any other incident, the Change Healthcare breach demonstrated to the entire healthcare industry just how far-reaching the knock-on effects of security incidents can be. I mean, it crippled the industry so badly that the federal government had to step in and provide support, financial support, to healthcare providers in order for them to stay as a going concern. And so the attack, while somewhat sophisticated, was more or less a run-of-the-mill ransomware attack that leveraged a remote access portal that didn't have multifactor authentication. And that lack of multifactor authentication led to a huge amount of information that was leaked: health insurance details, medical record information, billing and payment data, and personal identifiers of various sorts, including social security numbers and other information. And so, in terms of diligence, I think that reinforced the importance of implementing a variety of security controls, including multifactor authentication and others. And so HIPAA-regulated entities and other healthcare entities need to implement those reasonable security controls. And that has really informed and refocused attention on the evolving threat landscape.

Speaker 3:

Yeah, I mean, everybody has been talking about Change. I went to my doctor recently and he even brought up the Change Healthcare attack and the way it affected his clinic and the hospital. And I think there's just been, as you're indicating, such a shift in how we're thinking about these kinds of cyber attacks that can really impact not only organizations, but the supply chain itself.

Speaker 4:

Absolutely. It's not just a breach, right? It's not just a disclosure of identifying information; it's actually affecting the ability to furnish healthcare services at all.

Speaker 3:

That's right. And I think just an interesting note too, I know this isn't exactly what we're here to talk about, but there have been a couple of recent OCR civil monetary penalty announcements and resolution agreements. And one of those, just very recently, several weeks ago, called out lack of multifactor authentication specifically. Of course that's been a part of OCR enforcement actions in the past, but at least in our review, my review, it's never been called out quite as clearly and specifically. So I think that's just a component of Change and the incident and everything else that we're here to talk about, but I think probably worth mentioning. So, just moving on a bit, we've been thinking through this Change attack and other incidents that are occurring, not just Change, which is the big one. What are some of the key things that you would recommend we look for when we're assessing the maturity of a target's cybersecurity and privacy capabilities? What are the things that you're really wanting to see in place? And then what are some things that are just red flags to you?

Speaker 4:

So when I'm conducting buy-side due diligence, especially for a HIPAA-regulated entity, there are really five factors that I look at in terms of gauging the maturity of their cybersecurity program and HIPAA compliance program. First of all, are there individuals that are responsible for HIPAA compliance? Depending on the type of regulated entity, the target may need to have a security and privacy officer. And so it's a red flag if an acquisition target has not identified the individuals that are responsible for that compliance, and it can be an indicator that there isn't an infrastructure in place to receive reports about various HIPAA-related issues like security incidents. And secondly, we look at policies and procedures. So HIPAA, especially the Security Rule, has a lot of detailed requirements about the policies and procedures that need to be in place. And what we don't want to see is an off-the-shelf set of security policies and procedures that are downloaded off the internet or that are just plain vanilla. We want them to be detailed. We want them to be customized to the systems that are storing or transmitting electronic PHI, and that takes time. And so when we see those detailed policies and procedures that are tailored to the target, that's heartening to see. And then, are they followed? Are they communicated to the rest of the workforce? Just having the policies and procedures on a shelf, or more likely these days on a network drive, is of little help. So we want to see evidence that they've actually been communicated and are available to the workforce. And going along with that, training is another core aspect that we look for when we're diligencing a healthcare entity. The policies need to be implemented, and one way is through training individuals about those policies and procedures.
And it also helps to give individuals a basic understanding of HIPAA and other data security requirements. And so one of the things that we sometimes see is that at the target entity, certain individuals may not have a clear understanding of what PHI is and how broad it is. Many don't realize that mere names, and in certain cases mere zip codes, can be considered PHI. And so if you aren't trained on those types of concepts, you could have serious issues. For example, without understanding what PHI is, a covered entity, or with permission a business associate, could engage in de-identification of PHI without properly de-identifying the data. And that could, of course, lead to a breach of PHI. So yeah,

Speaker 3:

There's a risk there.

Speaker 4:

Yeah, exactly. So that training, and implementing the policies and procedures, is important. And we actually will often ask for evidence of training. We want to see the training materials. We also want to see that they are tracking completion of that training. And so we will request that. And oftentimes these days that can be done through cloud-based platforms, which make tracking that training pretty easy. And so the fourth factor that we look at is breach and incident logs and breach analysis. So all HIPAA-regulated entities should have a process, including maintaining a log of security incidents. And this is actually counterintuitive, in the sense that I get more comfortable if a target has a log that confirms that it has experienced some breaches. I mean, these days it's unusual for a healthcare entity not to have some breach, even if it's just a small issue about mailing something to the wrong person or something like that. And so when we see spreadsheets or other materials that are tracking those and analyzing them, that's really good to see. And of course, if there are breaches on there, we would hopefully see the analyses that analyze the four factors and determine whether it's a breach or not. And then we can dig into whether notification has been appropriately provided to individuals, OCR and, in certain circumstances, the media.

Speaker 3:

Yeah. And to your earlier point about sometimes not seeing a log of incidents, or even policies around how incidents are managed and tracked and assessed: we frequently talk with organizations on both sides of the acquisition process, as I know you do as well. And I think probably too often I hear, again on both sides of the conversation, organizations say, well, we don't want to share this, or we haven't really had any incidents, or we didn't really have anything in place and now we need to have something in place. And it's frankly embarrassing that we do or we don't have a log. And we do still see, unfortunately, some of that pushback. But I think, to the point that you're making, and just to underscore it even more, breaches are at this point a part of everyday life. And if you don't have a log, if you're not tracking them, if you don't have a policy, how can we feel comfortable that you're actually seeing what's in your networks, that you're seeing what your workforce and your staff are doing? We may not have a lot of comfort in the target's ability to really manage this successfully.

Speaker 4:

Yeah, absolutely. And the risk there is that, if the deal closes, the buyer could essentially be walking into a breach. They're looking at their systems after the closing, and they identify some suspicious network activity, and it turns out that there's something that needs to be reported, and at that point it can often be too late to negotiate that. So, yeah, the fifth factor that we look at is, last but not least, the security risk analysis. And I think many healthcare entities misunderstand what it is under HIPAA. Both covered entities and business associates are required to conduct a thorough assessment of potential risks and vulnerabilities to not only the security of their systems, but also to the integrity of their systems and the availability of electronic PHI. And they need to introduce security measures to reduce those risks and vulnerabilities to a reasonable and appropriate level, which is the risk management side. And so what we like to see, and what we're looking for and requesting during diligence, is either a spreadsheet or a report that identifies the systems involved with electronic PHI and an identification of the risks to those systems. And that requires some real work in terms of gauging the likelihood of various threats and how they can exploit the vulnerabilities in the various systems. And certainly when you've got more complicated systems, that becomes a more involved process of going through and accounting for those threats and vulnerabilities. And we would love to see something in a risk register format or some type of grid, really looking at those risks analytically, rating them, and then showing, on the risk management side, what actions were taken to mitigate those risks. And not every risk is going to be mitigated.
I think some targets get a little bit defensive or they're hesitant to share assessments because there are certain risks that aren't mitigated, but that can be appropriate and that can be reasonable in certain circumstances. But we need to see that follow-through from the risks that should be identified. And the other point I'd mention on the risk analysis side is what we really like to see is a risk analysis and risk management program that is, like the rest of the HIPAA compliance program, a living and breathing thing that evolves over time as their systems evolve. So if there's new software that's introduced into the system that has a connection to ePHI, the risk analysis should be updated to analyze the risks to those new systems.

Speaker 3:

I mean, I think these five points are extremely helpful, Jordan, and I really appreciate the level of detail that you're going into here. And hopefully this is helpful for those of you listening. I know from my own experience that we do frequently see template policies and procedures, sort of the fill-in-the-blank, your-name-at-the-top sort of policies, and we'll also see training that doesn't really go into much detail around cybersecurity issues, privacy issues, compliance issues. And I think there's probably a good reason for some of that, which is that a lot of these targets may be smaller, they may be startups, they may have just a smaller number of staff to really do this kind of thoughtful work. But I would say, and I imagine this is probably what you've seen too, that when it's crunch time, it's too late in many cases to really be able to show, here's all the thoughtful work that we've done to really try to manage our risk. And some of these things you've mentioned are a little bit more complicated, but others are very simple. And I think just encouraging organizations to think about, if you've never had a designated privacy or security officer, start thinking about who those people should be, and do you need to have one designated now, or do you want to start thinking about that for a future state, if maybe you're not a HIPAA covered entity or business associate, and just encouraging folks to really start trying to think ahead to the extent that you can.
But I think you've made some really excellent points here, Jordan.

Speaker 4:

Yeah. It's one thing if you're missing a policy and procedure and, before the diligence process kicks off, you have to get that in place. It's another thing if you don't have something like a risk analysis or you've got no policies and procedures. I mean, you really can't rush those.

Speaker 3:

No, I mean, yeah, it's a great point. Regulators are more and more often looking for real details in policies and procedures and looking to see how they're implemented. So I think a really excellent point. And maybe just moving on a bit, but staying within the same discussion: do you feel like due diligence, the process and the factors that you've outlined, does any of this differ in your experience depending on the context in which that target operates? So do you see different approaches depending on that healthcare sector context?

Speaker 4:

I think the answer is yes and no. So no, in the sense that for HIPAA, there are core security requirements that apply across the board to all HIPAA-regulated entities, including what we've discussed: policies and procedures, risk analysis, et cetera. So regardless of the deal, if we determine that HIPAA is applicable on the security side, we're going to request those materials. We're going to dig in, we're going to ask questions about that. But the answer is yes, it can differ depending on the type of industry. Some industries have inherently more complexity related to their PHI, so a hospital system is going to be much different than a small physician practice. So we see complexity vary widely across acquisition targets, which can lead to different levels and scope of due diligence. It can also vary based on the type of information. Those regulated entities that have biometric information may be subject to a patchwork of state privacy laws that they have to comply with, which can get really complicated when you have a large platform that may be operating in a number of states or across the country. And I'd say the third way it can vary is just based on the other types of laws that can apply. So in addition to state privacy laws that can be implicated, we see government contractors in the healthcare industry; they may have to comply not only with HIPAA, but also with complex Department of Defense privacy rules that can be extremely byzantine, even compared to HIPAA. And what we've seen in the last couple of years is that some entities are regulated and have faced actions from the FTC. We've seen mobile apps that have been penalized for violating the FTC Act for deceptive trade practices related to their use and disclosure of health information, even in cases where they may not be directly regulated by HIPAA.
And we've also seen the FTC use the health breach notification law in recent years as well. So, yeah, it can definitely vary depending on the complexity of the target and the types of information and the clients that they're serving.

Speaker 3:

Yeah. And we've talked a bit about the perspective, in a sense, from maybe the seller and some of the risks that exist, so wanting to make sure that you have your policies, your training, risk analysis and incident response. Do you see any strategies that buyers can employ, at least that have been successful, in making some attempts to mitigate or shift risks during the due diligence process?

Speaker 4:

Well, I think the first way of doing it is the diligence process itself and having a thorough diligence process that involves both document requests as well as having a call with the target's management. I mean, I think in some ways that's even more important, or just as important, as the document requests, because by talking about their compliance with them over the phone, you really get a sense of how they've implemented it, who's responsible, and whether they can, so to speak, talk the talk and are familiar with their requirements. In terms of a deal perspective and mitigating risk and shifting risk, one way is to require a seller to take certain actions prior to the deal closing. So in some cases, we've seen buyers that have required a risk analysis prior to closing, and it can certainly be involved and it's obviously not going to make the target happy, and we don't like to do that. But some deals are structured in a way that may make that possible. A lot of deals have a bifurcated sign and close, so there's a significant period sometimes between signing the definitive agreement and the closing. That can happen for other reasons, like if the target is holding state licenses and there's going to be a change of control, there can often be an approval or notice process before the equity can change hands. And so in that case, there may be time to require a target entity to put in place a risk analysis, policies and procedures, et cetera.

Speaker 3:

Yeah, we're seeing more and more of that these days. I mean, I think five or six years ago we would see it every now and then, and probably not enough in my opinion. And now, almost every conversation that we're having in the space, there's some discussion about: has there been a risk analysis? What do we know about the target, or what do we know about the entity that we're about to become a part of? And yeah, I think that's a very good point.

Speaker 4:

And you can also ask for an indemnity. I mean, again, not something that typically makes the target entity happy, but in certain circumstances, if there is a material breach that's been identified or a security incident that's being investigated, or if we think something wasn't done properly, you could ask for an indemnification to cover the losses associated with that. And that can be implemented in a number of different ways. You can hold back a portion of the purchase price, or implement other ways of having an indemnity try to shift the risk of those things that have come up during diligence. One increasingly common way of mitigating or shifting the risk is the purchase of representations and warranties insurance, referred to as RWI. That's not just in the security sense; rep and warranties insurance can cover all of the representations in a deal that were not surfaced during due diligence. It doesn't cover risks that are known; that's going to be excluded under the insurance policy. But the insurers are going to conduct their own due diligence on the buyer in terms of how much they analyzed the target's systems. But if there's a sense that there could be something kind of lurking underneath the surface, you can get more comfortable if that risk is insured. So we're seeing that quite a bit these days. That has become common on a lot of deals, especially ones that are somewhat larger.

Speaker 3:

Yeah. And just curious, what about the reverse of that? So we've talked about how a buyer can become more comfortable. Besides some of the things that you sort of spelled out earlier, what are some recommendations that you have for a company that's seeking investment or to be acquired by another entity? How can they build confidence? Let's say maybe they have policies, they may not, they may have done a risk analysis, they may not, but what are some strategies that you've seen work well or you'd recommend on the other side of this point?

Speaker 4:

Yeah, I mean, the best way is to put in place the elements of a mature program before the diligence process kicks off, so that you're not racing to try and get something like a risk analysis or policies or procedures in place. So if you're expecting investment, you should pressure-test your compliance-related efforts, and that could be done internally or it can be done with the assistance of regulatory counsel or outside consultants. But pressure testing that with knowledgeable individuals is going to pay dividends in the long run. I mean, certainly if a risk analysis hasn't been done, that should be completed, and hopefully with enough time to address any material risks that were identified. Policies and procedures, like the risk analysis, can take a bit of time to tailor to the business. So getting started with a review of the policies and procedures beforehand can also pay dividends. And ensuring a smooth line of communication with buyers when diligence kicks off can really instill confidence in the buyer. So sometimes the target doesn't want to bring everybody in the company under the tent of the potential acquisition, for various reasons, but if you can bring in the compliance officer and privacy and security officers, so that you're not playing telephone through them, and they can answer questions, including on a call between the buyer and seller during the diligence process, that can also show that the seller is on top of things and that there's nothing to really worry about.

Speaker 3:

Yeah. I think that really makes a lot of sense. And what I think you're describing, if I can reflect some of this back, is a truly thoughtful approach to building out your overall compliance program based around risks, so that you can show the acquiring entity, the buyer: here are the things that we've been doing, or here are the things that we're thinking about, or here are the risks that have been identified and mitigated, or even here are risks that we've identified and here's the plan. We're not going to be able to mitigate these or address these within two months or within a month, but the plan is in place and we've got a strategy here.

Speaker 4:

Yeah, absolutely. And it doesn't have to be a scary undertaking. And it can vary depending on the size of the target. So a smaller target doesn't necessarily have to have a hundred-page policy and procedure document for HIPAA. In fact, we like to see something that's more tailored. But if you're talking about a huge acquisition target that's got multiple different systems that are storing PHI, that's engaging in various activities related to that PHI, like de-identification, or other activities that can introduce risk, then we want to see more detailed policies and procedures. And I mean, HIPAA allows that type of flexibility, for all its faults. It has provided a pretty flexible system for individuals and entities across the board of various sizes and scopes to comply. And so it can be tailored appropriately.

Speaker 3:

Yeah. The key phrase that we reiterate often is reasonable and appropriate. Those are two important words. And you certainly want to have conversations with counsel about what those mean for your organization and what reasonable and appropriate may mean. But back to your point, reasonable and appropriate measures are going to look different for a small startup health IT company versus a multi-state health system.

Speaker 4:

Yeah. But I think what we've seen is, I mean, we see it in HIPAA itself with the specifications: there are the required specifications, but then there are addressable specifications. So the regulators do realize, and they baked into the rule itself, that not everything is going to be reasonable and appropriate. What's interesting to watch is how HIPAA is going to evolve in terms of what it's expecting from organizations. The first thing that comes to mind is encryption. Back when HIPAA first came out, encryption was much more challenging than it is now. And so a lot of acquisition targets could reasonably say that, hey, it's too much for us to encrypt our data. Now, I mean, encryption is far easier to implement. It's much cheaper. And so organizations have to think about whether some things that maybe were not reasonable historically are reasonable now. Another example would be the two-factor authentication that we talked about. I mean, for systems that have a lot of PHI, those access routes going into those systems, I think I would expect OCR and others to start viewing those, even if they keep them as addressable, as reasonable and appropriate for many, many entities that are out there.

Speaker 3:

Yeah. And again, thinking about two-factor, multi-factor authentication, in addition to having these things in place, we're seeing, certainly through some enforcement actions, and also frankly from our interactions with organizations across the country, that they may have MFA in place, but somebody didn't pay attention to their phone and went ahead and clicked through, or they saw something that looked like it was a legitimate source coming through multi-factor authentication and clicked on it, and it wasn't. And so I think, again, just underscoring the importance of having these things in place, having policies around it, but also training and informing your staff about the expectations around this is really vital. And as we start closing here, a couple of things that I'd like to hone in on and have you talk a bit about, as we think about, I would almost say, the future to a certain extent: can you talk a bit about state law, and then also artificial intelligence? And maybe specifically just starting with state law. We've talked a lot about HIPAA; obviously that's the elephant in the room, or really takes up a lot of space in these conversations. But can you talk a bit about the role of state law, as we talk about all of the new data protection laws that are coming out, some of the new cybersecurity requirements that states are putting into place? What's that role? And can you talk maybe a bit about that interplay between state and federal requirements?

Speaker 4:

Yeah, it's a great question. And as I'm sure our listeners know, there is no federal privacy law. And so that applies across the board. You've got HIPAA applying to health information, but there's really no federal privacy law. And so that vacuum of protection has led many states to implement their own privacy laws, some of which can be very robust. I mean, we've seen the typical data breach laws at the state level, which have been around for some time. But we're seeing more targeted laws. As I mentioned before, biometric data is one that is a frequent target of state regulation. And so it's a very dynamic area. States are implementing them seemingly every month; there's a new state law governing some type of information. And there are also states that require regulated entities to take certain compliance-related measures. So Massachusetts, for example, requires a written information security program to be in place. The New York Department of Financial Services has similar state-level requirements, which can apply to insurers and certain other healthcare entities. And so this is something that I think some acquisition targets aren't following and haven't made part of their compliance program: state law. I think a lot of times during buy-side due diligence we're really not seeing policies and procedures or training on the state laws that are applicable to the organization. And that can be challenging, especially for organizations that operate in a lot of states. They can have their work cut out for them to comply across all of those various state laws.

Speaker 3:

Yeah, no, I think you're exactly right. And we'll see organizations that will say, well, we don't have any PHI, so we don't have any policies and we don't have a privacy or security officer, and we're okay, right? And they might be, is the answer. But I think probably a better answer is, well, let's dive into the details around the type of data you're collecting and what you're doing with the data. And then in addition to that, regardless of the type of data, you may have certain state-level incident reporting requirements and requirements around securing your data. So I think that's a really great point. And then, finally, I think we probably couldn't end a conversation like this without talking a bit about AI and the role that that's playing in the conversation here. And I'm just curious, in closing here, how have you seen AI being used in the acquisition process, and how does it impact, maybe specifically, targets of the acquisition process? How does that impact the process overall, if it does?

Speaker 4:

Yeah, so I'm sure our listeners can appreciate how valuable data is to AI applications and tools. I mean, there's a tremendous amount of data that's needed to train AI platforms. And so many organizations, including healthcare organizations, use individually identifiable health information for training. But it's critical that they have the legal right to do so, both under the law and contractually. So some organizations use de-identified data for training AI algorithms, but de-identification can be much easier said than done, especially if you don't want to remove all of the identifiers and you have to use the so-called expert method of de-identification under HIPAA. And so, on the buy side, in regulatory due diligence, we're going to drill down on whether the data that's being used to train these AI algorithms is being used correctly, especially if the data originates from another entity, because that can involve not only a regulatory analysis but also a contractual analysis with the customers. So if an acquisition target has access to a third party's data and they've been manipulating that data or using it for training purposes, we're going to look pretty deeply at those contractual arrangements to determine if they have the rights to use that data in that way. Because, as the buyer, we don't want to learn after the fact that, yeah, we built this whole platform on this AI technology, only to have a third party come in and say, you know what? You did not have the appropriate permission to use that data. And we're going to have to find a solution to that.
So, understanding the type of data that you're using, how you're using it in AI, if you're sending out data to third parties, perhaps you're using an API of OpenAI or some other third-party LLM, understanding what their rights are to the data as well. Because if you're a buyer, you want to understand: has the target given any rights over that data to third parties, and how can those third parties use it? Can they license or sell the data or manipulate it in any other way? So the whole AI industry is really introducing a number of very complex challenges with respect to buy-side due diligence.

Speaker 3:

Yeah, and I'll give a plug to our friends over at NIST. They've been doing a lot of work over the past couple of years and have released several different iterations at this point of some frameworks around artificial intelligence. And I think specifically honing in on generative AI, but I just encourage folks, in addition to talking with counsel and having meaningful conversations around this, if you haven't looked at the NIST frameworks around AI, I encourage you to do that, and you can find them on their website. It's something that can be very helpful in assessing yourself and your organization and really taking a deeper dive into some of these questions. And, Jordan, I really appreciate it. It's been great talking with you and I really hope to do this again at some point soon. But thanks again.

Speaker 4:

It's been a pleasure.

Speaker 2:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.