AHLA's Speaking of Health Law
The American Health Law Association (AHLA) is the largest nonprofit, nonpartisan educational organization devoted to legal issues in the health care field with nearly 14,000 members. As part of its educational mission, AHLA's Speaking of Health Law podcasts offer thoughtful analysis and insightful commentary on the legal and policy issues affecting the health care system. AHLA is committed to ensuring equitable access to our educational content. We are continually improving the user experience for everyone and applying the relevant accessibility standards. If you experience accessibility issues, please contact accessibility@americanhealthlaw.org.
Interpreting OCR’s Risk Analysis Enforcement Initiative and How the Regulatory Environment Is Evolving
The Department of Health and Human Services Office for Civil Rights (OCR) has made risk analysis a top priority in its enforcement of Health Insurance Portability and Accountability Act (HIPAA) compliance. Dawn Morgenstern, Senior Director of Consulting Services and Chief Privacy Officer, Clearwater, speaks with Betsy Hodge, Partner, Akerman LLP, about OCR’s risk analysis enforcement initiative. They discuss what’s driving the initiative, key enforcement actions, and steps health care organizations can take to ensure they meet regulatory requirements regarding risk analysis. From AHLA’s Health Information and Technology Practice Group. Sponsored by Clearwater.
Speaker 2: Support for AHLA comes from Clearwater. As the healthcare industry's largest pure-play provider of cybersecurity and compliance solutions, Clearwater helps organizations across the healthcare ecosystem move to a more secure, compliant and resilient state so they can achieve their mission. The company provides a deep pool of experts across a broad range of cybersecurity, privacy, and compliance domains; purpose-built software that enables efficient identification and management of cybersecurity and compliance risks; and a tech-enabled 24/7/365 security operations center with managed threat detection and response capabilities. For more information, visit clearwatersecurity.com.
Dawn: Welcome everyone. I'm Dawn Morgenstern, Senior Director of Consulting Services and Chief Privacy Officer with Clearwater, where I advise and support our healthcare clients on how to move their organizations to a more secure, compliant and resilient state. With me today is Betsy Hodge, a partner from the law firm of Akerman and Chair of AHLA's Health IT Practice Group. Betsy?

Betsy: Thank you, Dawn. It's great to be able to speak with you again.

Dawn: I know.

Betsy: And I also want to thank Clearwater for this opportunity today, and also the AHLA. Dawn, as you mentioned, I am Chair of the Health Information and Technology Practice Group, and I encourage everyone listening to get involved with our group. When I am not doing my AHLA duties, I am a partner in Akerman's Healthcare Practice Group. I'm based in West Palm Beach, Florida, and I advise clients on data privacy, security, compliance, and I'm also a member of our digital health team. So doing all things digital. With that, I don't think people need to hear about my bio anymore, but let's get down to our conversation.

Dawn: Yeah. So in this episode of Speaking of Health Law, we'll be discussing the risk analysis enforcement initiative, what's driving that, and steps healthcare organizations can take to ensure that they meet the regulatory requirements. What we thought we would do, before we dive into the risk analysis enforcement initiative, is provide you with a recap of the OCR enforcement actions, especially in light of some of the more recent ones. As we look at that, we're going to be focusing especially on those enforcement actions that involved ePHI and the risk analysis.
Dawn: One thing we did want to highlight going into this is that, speaking at the Safeguarding Health Information 2024 Summit, the Office for Civil Rights Director, Melanie Fontes Rainer, remarked, and I quote, "Oftentimes when we start to investigate and look under the covers, it was the case that HIPAA was not being followed. And basic things like risk analysis or risk management aren't being performed, therefore making your organization, being any organization, an attractive target." So with that, again, as I mentioned, we've seen a lot of recent enforcement actions. There's been a high frequency of violations with significant impact for failing to conduct comprehensive risk analyses, and that has prompted OCR to make risk analysis its top priority. We've heard that in several public speaking engagements by representatives from OCR, and I think if you look at any of their enforcement actions, you'll see that this is predominantly the case. We've looked at a total of 15 enforcement actions this year alone: five were right of access, four were impermissible disclosures, four were ransomware, one was compromised email accounts, and one was impermissible access. But what's interesting about those 15 is that eight of them are civil monetary penalties. So, Betsy, when you see those numbers, are there any in particular that stand out, especially with the high number of CMPs we've seen?

Betsy: Well, Dawn, I think you just said it, the high number of CMP cases, especially within this year. I think this is probably like double what we've seen over the history of HIPAA enforcement. And I think it's interesting in these CMP cases that it appears the organizations are pushing back on OCR's assertions about whether there are in fact violations.
Betsy: Whereas I think in the early days of HIPAA enforcement, when we would see a CMP case, it was where the organization failed to respond to OCR's outreach, both initially and, in some of the early cases, even when OCR would send a letter of opportunity or would send the notice that they were going to impose penalties.

Dawn: Yeah, I've noticed in a lot of them, especially in the notices that also go into great detail around the fact pattern, that in many of those cases it went to an ALJ and it was found that the covered entity or business associate didn't necessarily provide an affirmative defense in the cases. I think that tells a lot about, back to what you said, how we're seeing a very different trend in the CMPs than we did originally, where it was just outright, they don't even respond to OCR, but now it seems like there really is a case for participation and working through that process. Your thoughts?

Betsy: No, I would agree with that, Dawn. And I think there may also be a shift in thinking among covered entities and business associates about how to view a civil monetary penalty. Again, going back to the early days, I think having a civil monetary penalty assessed against you was viewed less favorably than entering into a resolution agreement. Whereas now I think at least some organizations may be viewing it as a cost-benefit analysis and assessing that the cost of the penalty is worth not being under a corrective action plan, and the legal fees associated with that as well. Because as you well know, in a resolution agreement, the check that gets stroked to the government, that is usually the smallest financial component.

Dawn: Yeah.
Betsy: And the expense under the corrective action plan, it can be quite significant. So organizations may be doing that cost-benefit analysis, and in some of the cases they may also be looking at the steps they have taken before, as they're working with OCR to try to informally resolve things. They're taking all the steps that OCR would require of them, they have implemented the required policies and procedures, and they may not be able to settle for an amount that both sides can agree to. And so that may be factoring into their calculation as well.

Dawn: And "we've done everything."

Betsy: Exactly.

Dawn: I was going to say, I agree with you, because I know a lot of times, dealing with entities that are looking at this from an investigation perspective, they come to us and they say, look, we've had an incident. We need to make sure that we're doing everything we need to be doing. So I think in a lot of cases you're absolutely right that before that first investigation letter ever gets delivered to the entity, they're already taking a number of steps to mitigate what occurred and remediate any activities out of that, just knowing full well that either the control failed or training was needed, or whatever. They usually go through a gamut of corrective actions within their own organization before OCR gets to the door with the letter.

Betsy: And in fact, that appears to be the case in the Gulf Coast Pain Consultants civil monetary penalty case that was just announced, what, December 4th, where it appears that the covered entity did implement, after the incident, all of the policies that OCR was requesting or had identified as a failure. And those were implemented in advance of getting the letter of opportunity from OCR.

Dawn: Right.
Betsy: And so in that situation, at that point, I'm not sure what a corrective action plan would accomplish.

Dawn: Yeah, you've already definitely remediated that. So that is an interesting point, because a lot of organizations, I don't think, recognize this: they may go out and hire a third party to help them with pieces, and that's one cost, but what about all the internal costs of all the time and energy? And they've already expended a large amount of that during the actual investigation of the incident. So, definitely. Are there any others? Because we were talking about this earlier, and you were mentioning that there were some other interesting cases around some of the fact patterns that OCR outlined, in particular, I'm trying to remember, was it the Rio Hondo Community Mental Health Center case?

Betsy: Yes.

Dawn: Right. And you had some interesting thoughts on that one as well.

Betsy: Well, and I know you have some thoughts on this.

Dawn: Yes.

Betsy: Well, this one, according to the facts as presented by OCR: Rio Hondo is a community mental health center in Los Angeles, and this is a right of access case where the complainant requested records on March 18th, 2020.

Dawn: So, COVID pandemic.

Betsy: Yes. Like the very beginning, exactly when things were shutting down. In fact, on the day after the individual requested their records, the governor of California issued a stay-at-home order. And so the staff of the organization, they were not in the building. Everybody quickly shifted to remote work. And then in May, some people started returning to the facility, and there appears to be...

Dawn: Yeah.
Dawn: And what I like about this case is that when they did start to return to the facility, they didn't forget about all those access requests that they had received during the interim time period. They actually, according to the fact pattern, reached out to those individuals to let them know that they were back in the office and that they could get copies of their records. I think the challenge here was that the person came in, only stayed in the facility for a short period of time, and left without taking their records with them. And it seems to me that where it started to go into the challenge of right to access wasn't so much what happened during the COVID shutdown, but what happened after it.

Betsy: Right. Because it does appear there were some breakdowns in communication internally. But I think it is interesting for us to think back to what we were doing in March, April and May of 2020, and how differently we were all operating during that timeframe.

Dawn: Exactly.

Betsy: And even after that, it took a while for some organizations, and I think some of it may have been dependent on what state you're in and what COVID safeguards you were still having to operate under. It took a while for folks to get back on normal footing, or new normal footing, with respect to operations. But that one was interesting. And just to go back to the Gulf Coast Pain Consultants case, I did want to mention that in that case the organization did get credit for having recognized security practices in place when OCR was determining the amount of the civil monetary penalty. And I think that's another trend we're seeing this year, where we are seeing OCR actually putting that into practice.

Dawn: It's still a pricey tag though.

Betsy: No, it is. I agree.
Betsy: But it could have been a lot worse.

Dawn: Exactly. Yes. Could have been a lot worse.

Betsy: Yes. And there are a couple other organizations that entered into civil monetary penalties that got credit for being able to demonstrate that they had recognized security practices in place for the 12 months preceding the incident. And I think in one case the organization was not able to demonstrate that to OCR's satisfaction, so they did not get credit.

Dawn: Yeah. But that goes back to another point we've talked about before, looking at a lot of these organizations that are adopting recognized security practices. Whatever framework they're choosing, whether that's 405(d) HICP, whether it's NIST CSF 2.0, whatever that framework is, it would appear that in the letters, when they're asking organizations to show what they've done for their recognized security practices, that is driving the needle on some of that stuff.

Betsy: I would think so. If you were on the fence about whether to adopt a recognized security practice, this is a carrot that hopefully is pushing organizations in the direction of adopting it. And I think seeing OCR show its work, as it were, in these civil monetary penalty cases, show that yes, we did take into account that this organization had the recognized security practices in place, I think that may also push the needle and encourage more folks, if they haven't already, to adopt those practices.

Dawn: Yeah.
Dawn: But I think ultimately, when you look back over even just this last year, of the 15 or so, every last one except for the right of access and the impermissible disclosures has been the result of either not conducting or not having a thorough and accurate risk analysis, which is its own small component that is part of almost all the recognized security practices, if you think about it. It's not the end-all of being in compliance with the HIPAA Security Rule; it's a component of it. So, I don't know, do you want to shift gears a little bit and talk more about the risk analysis?

Betsy: Sure. And we know that the Security Rule has been with OMB now, and we're waiting with bated breath to see what'll happen. I'm predicting, what, either right after Christmas, normally?

Dawn: Yes. Or maybe like right before, maybe the 23rd.

Betsy: I was thinking like the 28th, so we're taking bets.

Dawn: Sure, yeah. Okay. But we do know that it is there. It's interesting though, because at the recent conference, the Safeguarding Health Information Conference that OCR and NIST did, they had a whole session that was supposed to be around what we can expect from the Security Rule update. And I thought it was somewhat ironic that the first statement was, unfortunately, we're not going to describe the updates to the proposed Security Rule. So I think everybody just went, oh, rats. But have you heard anything more? I haven't heard anything on my side as far as when we could even expect that, or whether there is a possibility that maybe that won't occur, especially with the change with the administration coming up and whether or not that's going to push through.

Betsy: I have not heard anything more either.
Betsy: And once we saw that the proposed rule had gone to OMB, I think people were anticipating December. But that was pre-election. And so it's unclear what the timeline is now. And it's possible that if the proposed rule is not issued before inauguration day, the incoming administration could potentially pull it. Or, if the rule gets issued before then, again, it's a proposed rule, it's not a final rule.

Dawn: Right, exactly. So we could be sitting here like the Privacy Rule from...

Betsy: Yes. From actually the end of the first Trump administration. 2020, was it? What was it? I can't even remember now. Was it 2021? Like January?

Dawn: That's what I was thinking. 2021.

Betsy: Yeah. January, I think.

Dawn: Yeah. So hopefully we won't get in that same boat. I mean, I think that organizations are really looking for some guidance, some more guardrails as to what to expect. And I think in our experience we see individuals and organizations grapple with what a risk analysis is. And we know from a lot of the training that was put out a year ago, as well as a lot of the conferences we're seeing, there's just this real push for accurate, thorough, enterprise-wide, and what that means to organizations. And do they really fully understand what that means? What are your thoughts when it comes to how organizations are interpreting that?

Betsy: I think they're struggling. And I think the fact that OCR recently declared that they are launching a risk analysis initiative shows that there is, I don't know if it's a disconnect necessarily, between OCR's expectations and what covered entities' and business associates' understanding is.
Betsy: And I think it's unfortunately not helped by the fact that OCR has said, in fact I think at the conference in October, they said, well, we're not going to, or we can't, tell you the elements of a satisfactory or a sufficient risk analysis. We can't give you an example.

Dawn: But they did. They did, in the training, talk about risk analyses that were conducted to meet the requirements of basic meaningful use, interoperability attestation, or using a prior PCI DSS assessment. And so at least they're giving some idea of what is not considered a risk analysis, which I think really helps drive that, because when we're looking across those types of assessments, they're limited in scope. And I think it sends a message that OCR is looking for that very big enterprise-wide scope, everywhere your ePHI is living.

Betsy: Yeah. And I believe it was Nick Heesters at the conference who made that point repeatedly. And so I was writing it down repeatedly, because if he is going to take the time to mention it more than once, obviously it's on his mind. And he said that OCR's expectation is that the risk analysis shows that you understand your environment.

Dawn: Yep.

Betsy: Which, to your point, means you understand everywhere in your organization where ePHI lives, how it's coming into the organization, how it's going out, where it lives, how it moves through the organization, and what systems contain that ePHI.

Dawn: It goes back to the trend within the NIST CSF 2.0, where so much shifted to governance and understanding where that data lives and resides, and even the data types.
Dawn: Talk about microsegmentation, keeping that data segregated so that you're better protecting your network. Just a litany of different things. But I think the other thing that was interesting was that they were talking about conducting the non-technical gap or compliance assessments: while those are requirements under HIPAA, that's not risk analysis. That's the technical and the non-technical evaluation. And I thought it was interesting that he did mention that in the webinar. He had a specific question at the end about penetration testing and whether that was part of the risk analysis. And I wrote it down and quoted it, and he said, the answer is no, but it's another requirement under the technical testing. So again, people thinking that risk analysis is one thing when it's actually another thing.

Betsy: Right. And I think that misunderstanding about risk analysis versus a gap analysis, I mean, that has existed since the Security Rule came out, where a lot of organizations, especially those that did not have as robust an information security or information governance team, did not fully appreciate the difference. And while both are, as you said, required, they serve different purposes.

Dawn: Right. So, yeah. I also thought it was interesting, when he was talking about the lack of comprehensiveness in a lot of that, or the limited scope, that providing OCR with a summary report is not going to cut it either. When they're doing an investigation and looking at the risk analysis, they want to really be able to see its thoroughness and comprehensiveness.
Dawn: And I think that when the organization shows them something that is comprehensive, it also really sets the stage for, back to your point, does the organization know its own environment? And that can tell a lot, I think.

Betsy: Right. I think in my experience OCR has always wanted covered entities and business associates to be able to show their work. Not just the high level, as you said, like an executive summary of your risk analysis or whatever other documentation you have, but really show that you've done the work and understand your organization and where the threats are. And you can also show that you are managing those identified risks.

Dawn: Now, do we want to talk a little bit about the audit protocols and what we were seeing with the agency information collection request, just briefly, before we then touch on some recommendations around risk analysis?

Betsy: Sure.

Dawn: That was a hot topic this year, and I know a lot of organizations assumed that that meant there was going to be some sort of change to the audit protocols, even though the whole point of the information collection request was to go back to the previous audits and determine the success of those audits and whether they helped those entities to drive better compliance. And OIG had some recommendations around that too, that I thought were interesting: expanding the scope of the audits to assess compliance with physical and technical safeguards; documenting and implementing standards and guidance for ensuring that deficiencies identified during the audits are corrected in a timely manner, that was an interesting one, I'll let you finish up on that one; and then defining the criteria for determining whether a compliance issue identified during the audit would result in OCR initiating a compliance review.
Dawn: And then finally, defining the metrics for monitoring the effectiveness of the audits. So what's your take on what potentially is going to be the outcome, if any, of that initiative, given OCR's response to the OIG regarding the resources that OCR has available, not just for an audit program, but for handling all of the complaints that come in, all the investigations, I mean, 25,000 they got this year alone?

Betsy: That's right. And not to mention all the investigations that they're required to do for every large breach that gets reported. Oh, and then the rulemaking that they've engaged in this year, there's that too. So given all of that, I don't think that we will be seeing a resumption of the audit program anytime soon. And if we do see it, I don't think it will take the form that the OIG is recommending. And then also with the change, I just don't think they have the bandwidth.

Dawn: Yeah. They don't have the bandwidth.

Betsy: And I also don't think in the incoming administration there is going to be the appetite to put that kind of burden on covered entities and business associates. And I think it's worth remembering that the audits that OCR did in 2016 going into 2017 were supposed to be for educational purposes: one, to educate OCR about what's happening in the wild, as it were, and then for OCR to develop best practices from the results of the audits to share with covered entities and business associates. The audits were not intended to be punitive in nature. But again, to your point, I don't see them getting additional staffing to be able to run an audit program on top of everything else.

Dawn: Yeah. Everything else.
Betsy: And I thought it was interesting, in OCR's response to the OIG, where they said that effectively they have a hundred investigators now.

Dawn: So that's two per state. I was going to say.

Betsy: Yeah. I mean, even though it's spread across eight offices, that's still not a lot. And there was one very large breach this year that is probably taking up...

Dawn: Oh yes.

Betsy: ...a significant number of resources. So I would imagine, it's possible OCR would follow up with those organizations that were in the initial audit pool, just for their feedback. But I wouldn't see...

Dawn: Yeah.

Betsy: ...given how things have unfolded since.

Dawn: Right. And the fact that it really was only designed to be a follow-up from those previous 2016-17 audits, I think that in itself is telling. I mean, to your point, go back and see where things can maybe someday be better, because I know even just going through the audit protocols, which we do in the normal course of a lot of what we do, there's a lot of little things in there that probably could be better, not defined, but be a better gauge of how well the organization has implemented that particular safeguard. So yeah, I think there's a lot of opportunities there. But to your point, it just seems like there's no way they have the bandwidth for that. There's too much going on, especially with that particular large breach that's probably eating up a lot of resources and time.
Dawn: And so when we think about recommendations, to help entities understand what's expected of them for the risk analysis initiative, some of the things that stand out to me, especially in the work that we do: number one, organizations need to consider ePHI in all forms of electronic media, not one particular system or another. Hard drives, CDs, DVDs, removable media, USBs, that kind of stuff. Mobile device storage, any types of transmission mechanisms over the internet, the Wi-Fi. So that's one thing that I think organizations struggle with, and they need to start to get a better handle around it. And I think that will then help support them in their identification of all of their ePHI. And that could even be part of how they're mapping their data flows too, when they bring on a new system or application: understanding what data that system is going to have access to, whether it's storing it, transmitting it, whatever, to really start to better develop what their data flows look like, to help them understand where that information is going and maybe where it shouldn't be going.

Betsy: Especially on the provider side, as they move into, say, remote patient monitoring solutions, things like that, and that data going outside your organization or coming into your organization in ways that perhaps it had not before. Those are things you should be considering. And to your point, not just how the data's flowing, but what the data is.

Dawn: Yeah. What it is.

Betsy: And thinking not just about new systems that you're bringing on, but think about your legacy systems, since a lot...

Dawn: Oh yeah, we were talking about that earlier. Don't forget those legacy EHRs.

Betsy: Yes.
Betsy: Or legacy device systems, since a lot of medical devices run on really old systems that are not able to be brought up to current standards. Don't forget about those.

Dawn: Well, and tied in, Internet of Things.

Betsy: Yeah.

Dawn: Tied into that same concept is also being able to identify what potential vulnerabilities they have. And you talked about medical devices; that's a big, huge one, where there's a lot of opportunities for vulnerabilities that can't be remediated because of the technology, or lack of technology, for the device. So that's an interesting...

Betsy: Yeah. What kind of compensating controls are you able to put in place? And then the remote patient monitoring solutions raise some interesting situations, because some of that data is now with patients in their homes, coming into the organization, which is a little different from, say, health system to health system transmission, or doctor's office to the hospital. It's just some different things that you need to consider. But again, you need to have a holistic view of your ePHI and what those threats and vulnerabilities are, so that you could better determine what the likelihood is.

Dawn: I mean, these are key tenets of the nine elements that OCR lists for risk analysis: understanding the threats, the vulnerabilities, and the likelihood of those occurring, in order for the organization to be able to determine, is that a critical, is that a high, medium or low? What do I do to then, like you said, either mitigate or put compensating controls in place? Because definitely you have to understand what those threats and vulnerabilities are in the environment.

Betsy: Right.
And I think, or outside the environment acting in. Yeah. Right. And I think you also need, and I think again, Nick Hester made this point at the conference, that you need to think about the confidentiality, which I think, yes, the big organizations have always thought about confidentiality, but then thinking about the integrity and the availability mm-hmm <affirmative> of your EPHI as well. And I think organizations maybe have not been thinking of that. Confidentiality, I think, has been the primary focus historically. Right. And now I think organizations are also thinking about integrity and threats to the integrity and to the availability of the data as well. Yeah. I see a lot more trends into data loss prevention tools and not just within an email system to be able to say, oh, that's a Social Security number, we're not gonna send that email, but even across systems and applications and how data is being stored internally. I see a lot of organizations moving and migrating in that direction. And I think also recognizing that, while of course we're concerned with the privacy of data, I think HIPAA is also focused on patient safety mm-hmm <affirmative>, which gets into the integrity of the data and the availability of the data. And so I think ideas around what HIPAA encompasses are evolving and the scope is expanding. So we need to think about the risk analysis. And so it's even more important to understand your environment, because if you don't know what you have, how are you going to protect it, know what the threats are, and how you protect it? So. Exactly. Exactly. Of course it sounds easy, but it's not. It's not. And the other thing that's interesting too, and I'll just make my one final thought on that too, is that when you're thinking about risk analysis, it's not a one and done.
It's an ongoing process that you continually have to update based on environmental and operational changes. So many organizations fall into that mindset that, oh, we just need to do our risk analysis for this year, and then next year we'll do our risk analysis. And that may work for a gap or a non-technical assessment, but your environment, or an organization's environment, is constantly changing based on those threats and those vulnerabilities. And so as part of your risk analysis, you should be continually assessing those and making any updates to how that system is scored from a criticality perspective based on that. And so I think that would be my final thought: make sure that it's not a one and done, make sure that it's accurate and thorough, enterprise-wide, and ongoing. Your final thoughts? No, I agree with you wholeheartedly. And as you were explaining all of that, I'm thinking about organizations rolling out remote patient monitoring or rolling out AI solutions, and the speed with which these new solutions are being implemented means you can't wait three years, two years, or even a year to do your next risk analysis. Everything is speeding up, including the cadence with which you need to at least revisit your risk analysis. Exactly. And AI is a whole 'nother conversation. <laugh> Yes. <laugh> Different podcast. <laugh> Right? Different podcast. All right. Well, that really wraps it up for Betsy and me today. We thank you all for joining us and look forward to seeing you on future podcasts. And again, thank you AHLA for hosting this and bringing us together. And if I could put in a plug, the AHLA HIT Practice Group has an OCR enforcement tracker on our page on the AHLA site. I encourage you all to check that out. And we also have a state AG enforcement tracker and a couple others.
So we hope that's a useful resource for AHLA members and encourage you to check them out so you can learn from others. Yes. Don't be afraid to learn from others. <laugh> Oh, no. That's what we all do. And so thank you Dawn and Clearwater and AHLA for this opportunity today.
Speaker 2: Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law, wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.