AHLA's Speaking of Health Law

Building and Sustaining an Effective Compliance Program in Today’s Health Care Environment

American Health Law Association

Compliance officers and privacy leaders are facing a rapidly changing health care landscape, including new state laws, evolving federal guidance, and heightened expectations for data breach preparedness. Melissa Andrews, Senior Manager of Consulting Services, Clearwater, speaks with Roy Wyman, Partner, Bass Berry Sims, about what makes an effective compliance program, how organizations can overcome emerging challenges, and practical steps leaders can take to strengthen their compliance posture going into 2026 and beyond. Sponsored by Clearwater.

Watch this episode: https://www.youtube.com/watch?v=DwGqmz6Knaw 

Learn more about Clearwater: https://clearwatersecurity.com/ 

Essential Legal Updates, Now in Audio

AHLA's popular Health Law Daily email newsletter is now a daily podcast, exclusively for AHLA Premium members. Get all your health law news from the major media outlets on this podcast! To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.

Stay At the Forefront of Health Legal Education

Learn more about AHLA and the educational resources available to the health law community at https://www.americanhealthlaw.org/.

SPEAKER_00:

This episode of AHLA Speaking of Health Law is sponsored by Clearwater. For more information, visit ClearwaterSecurity.com.

SPEAKER_01:

Welcome to American Health Law Association's Speaking of Health Law Podcast. I'm Melissa Andrews, Senior Manager of Consulting Services at Clearwater, and I'm your host for today's discussion. As a compliance officer, I'm excited about today's discussion. Compliance officers and privacy leaders are caught in a rapidly changing landscape. We have new state laws like the Texas EHR law. We have evolving federal guidance and heightened expectations for data breach preparedness. We focus on building and maintaining effective compliance programs in today's healthcare environment, including the need for better visibility into how data flows into an organization, how it is used, and how it is shared. Joining me today is Roy Wyman, a partner at Bass Berry Sims. Roy brings deep experience advising healthcare organizations on compliance, privacy, and regulatory issues. Roy has agreed to let me pick his brain on what really makes an effective compliance program, how organizations can overcome emerging challenges, and practical steps leaders can take to strengthen their compliance postures as we prepare for 2026 and beyond. Thank you for joining me today, Roy.

SPEAKER_02:

It's a pleasure.

SPEAKER_01:

So I'll just go ahead and jump in. So, Roy, what's driving the heightened focus on compliance programs today? Are you seeing this more from regulators, payers, boards of directors? Where is this coming from?

SPEAKER_02:

Everybody, it seems like. For boards of directors, this has been on their list of things to worry about for a while now. But I think where we're really seeing some new pressure is from patients, customers, and plaintiffs' counsel that have figured out they can make money off of this stuff. And sometimes it's, you know, very serious claims around real uses of data in the healthcare space that are pretty problematic, all the way down to we're seeing now we'll have four, five, six clients receive the exact same letter from the exact same plaintiff or plaintiff's firm. So I think that's really what's changed: you've got a lot more engagement from potential plaintiffs, as well as a lot of new theories around liability that just weren't there in the past.

SPEAKER_01:

Interesting. So I know the Department of Justice, the Office of Inspector General, and the U.S. Sentencing Commission guidelines each kind of emphasize what an organization, specifically a healthcare organization, needs to establish that effective compliance program. Can you elaborate on the foundational elements that every healthcare organization should have in place to ensure that they have that effective compliance program that the regulators are looking for?

SPEAKER_02:

Yeah, happy to. And thank you so much for how you framed that. Because I think sometimes, especially for in-house counsel that maybe haven't dealt with compliance quite so much, there's this feeling like you're just sort of making it up as you go or winging it. And that is absolutely not the case. But sometimes, because there isn't a specific statute that lays out some of these things, it can feel a little more squishy. But there absolutely are standards and guidelines for how a compliance program should be set up. And you named some of the really important ones. One that I go to a lot on the bigger process, which is not necessarily the substance of what you're going to look at but just compliance programs in general, is the sentencing guidelines. And it's scary to think that we're looking at sentencing guidelines, but you know, that's where it comes from: corporations can be criminally liable for some of these things, as well as individuals in them. And so these sentencing guidelines lay out some things that entities really need to think about and make sure are in place in setting up a compliance program. One is, in general, having standards and processes in place. This is how we do these things. So, for example, we've got a new use case for data, or we've got a new way of billing. Who signs off on that? Is there a written document and policy handling that? A second really important one is, do you have high-level individuals involved in that process? Every level of responsibility down from the C-suite is kind of a step back in how seriously it would appear to a regulator that you're taking these issues. So you want high-level individuals involved with compliance. Beyond that, you need a lot of training and education of individuals, particularly employees, and making sure that contractors are getting that sort of education; communications; disclosures; making sure that there's reporting.
Things like hotlines are really great. Now, one that gets underrated but is critical to me is having a sanctions policy. If you break our rules, if you break our policies, there are real ramifications. And we don't care what level of employee you are, we're going to apply those across the board. If you don't have that, you really don't have an effective compliance program. One that we'll probably end up talking about quite a bit, my guess is, is that you really should be monitoring your compliance program, auditing it, figuring out where your weaknesses are and looking at those, and then responding to violations if there are any issues. And I think the most critical one of all is regularly, usually every year, assessing what our risks are and what we are doing to mitigate those risks.

SPEAKER_01:

So that answers my next question of which one you think is the most important, and you feel that's the risk review.

SPEAKER_02:

I absolutely do, because what that does is it creates a cadence and a culture of, we know, oh, okay, it's August. We know that there's going to be a new risk assessment or new policies coming out, or that's when we do our training. The folks within the organization start to learn about it, and that's how you identify, okay, we're doing something new. What's the risk? Or there's a new regulation out, or there's a new attack vector that all the cool hackers are using these days. We better get on top of that. Those sorts of things make sure that you really have that culture of compliance.

SPEAKER_01:

No, I agree. And one thing that I think I've seen a lot of, and I'm sure you have too, is that compliance really is an organizational function. It's not enough to just have that narrow scope. Compliance really does need to be involved in the entire organization and what the strategic plan is as it builds and grows, to be able to define the risk that you're talking about and wanting us to identify. How are we starting to see an increase in the regulatory enforcement actions that highlight the importance of organizational compliance programs? And what are some of the gaps that you're seeing being identified in those enforcement actions?

SPEAKER_02:

Yeah, I'm seeing a lot of the usual suspects, you know, anti-kickback, you've got false claims, all of those things. My favorite thing to talk about, though, is IT. What's your information? What's your data? And we're really looking at that and your systems. And not just because I'm a privacy and data wonk, which I am, I admit, but also because when you look at some of these other things, oftentimes what leads to the problems isn't that somebody just doesn't get it; it's not a lack of education. Sometimes it's just bad programming, bad software. And so you'll have FDA rules around prescribing, you'll have rules around the anti-kickback statute or whatever, but for whatever reason, things slip through the cracks. And so keeping hold of your data and security is really important. And I'm seeing a lot of actions where folks did not monitor their uses of data or understand where it is sufficiently, and that just creates a world of hurt, really.

SPEAKER_01:

Yeah, I'm seeing it a lot also in reference to the False Claims Act, where organizations are making these claims that they know where their data is, they know who's using it, they know where it's going; they're making these false claims to the federal government, and now they're getting hit with a False Claims Act violation because of those false statements, which is not something you hear about a lot, but it's been picking up quite a bit. So, yeah, let's talk about data mapping and all of that data that we're talking about. Can you explain a little bit about what data mapping is and why it's important to an organization?

SPEAKER_02:

Yeah, and I think your last point that you just made is really critical in this, in that more and more regulations are saying not only do you need to know where all that is, but you need to have somebody at a high level certify certain things around that. And so the traditional sort of what we call a spaghetti chart of, you know, here's all the servers, here's all the monitors, we know where all of the equipment is, therefore we're okay, is not a data map. What we're really talking about with a data map is substantively knowing here are the categories of data that we collect. You know, we may have PHI, we have employee records, we have marketing, we have our subcontractors list, we've got all of this data and we know exactly the types of data that we're collecting. And so for each of the categories, where do we collect that? Is it from the individual? Is it from a data broker? Is it from a client? Is it from a vendor? Where do we collect it? How do we collect it? And as we get into this further, once you know that, then you can look at things like, okay, do we have contracts where we need them? All of that. But the data map itself is going to show all of those assets and those processes. So we've got the information coming in, it's stored on these servers. We know what we do with the data. What are all of our use cases for each category of data? Where is each category of data stored? Where is it used? How do we manage it? And then with whom do we disclose it? And those disclosures are a big part of it, too, so that at each step of it, we know all of the different types of processing around it. And I think this is really critical to understand, and it's a lot to swallow for some folks who haven't done this in the past. Like, oh my goodness, are you serious?
But it really is critical because, whatever you're doing, if you, for example, have a privacy notice, and almost all of the folks listening to this will have a privacy notice on their website, and it is not accurate, that becomes an FTC violation because you have made a material statement or omission that just simply isn't true. And that will get you in a world of hurt very quickly.

SPEAKER_01:

You make a very good point. A lot of times when I'll go into organizations to review their compliance program, one of the questions that I do ask is, do you have a data inventory and do you map that data? And a lot of people don't know the difference between the two. They will hand me this document, like, these are all the systems that we have that may have PHI or data in them. And I'm like, that's great, but... So just to clarify things, because those terms are so similar, can you explain the difference between what a data map is and what a data inventory is?

SPEAKER_02:

Sure, and how I would think of that is a data inventory is going to list out the data that you've got and maybe where it is. Whereas a data map is really following each of those so that we understand, for example, the use cases involved. So it's one thing to know that this data is on server X. It's another to know how you collected that and whether you can then go back in. And if I've just got an inventory, I don't necessarily know what contract and what contract provisions I need to have around that data. But a full data map is gonna let you put your arms around not only where the data is, but who can access it, to whom it's disclosed. And then you can track your compliance. So it's not just inventory, but it's also systems and the broader picture.

SPEAKER_01:

That makes sense. So a lot of times when we talk about data and technology, people focus in on cybersecurity, which I think for every organization is one of their top risks. But as a compliance officer, sometimes we forget to include the things that are more technical and those kinds of aspects, like what you were just describing: where is the information going? How did we get that information? What's the purpose of the information? When you're talking to compliance officers, what is the main thing that you tell them? This is why, as a compliance officer, you really should care about all of these things that we're talking about.

SPEAKER_02:

Yeah. So if you've got data or use cases out there that you don't know about, that is your number one risk, because there's no way to control for it. The flip side of it is, whatever is measured is transformed, is improved. So the more that you can understand the data, the more you can improve your processes so that you don't have things like missing business associate agreements, so you don't have data that's getting out in ways you didn't know. I've seen examples with clients where, you know, they simply did not know that there was a certain level of documents going out or information going out, even PHI being sent out to third parties, that nobody had any idea about because somebody thought it was a good idea. And so it's critical to have those processes in place to make sure that you can monitor that. But you can't monitor it if you don't know it's there. And so that's really what I'm pushing: just know what's there.

SPEAKER_01:

Yeah, and I'm gonna jump to something you had just pointed out: you have these third-party vendors, you're sending data to them, and sometimes compliance professionals are not always involved in that contracting process and what goes where. And then we hear about these major breaches. You know, the Anthem breach, the Change breach, all of these things that happen. Can you point out why, in those types of situations, it's really important for compliance professionals to understand that data mapping process and where that data came from and who has it?

SPEAKER_02:

Well, rather than talking about the breaches that happen, or the downside, let me give you some examples, because more than once I have gone through the data mapping exercise with a client, and they go from not really knowing where their data is to having a really good idea of it. And in some cases, I've had clients that then got hit with ransomware, where maybe a shared file or whatever got hit, and they've called me up and said, you know, Roy, I really don't need anything. I just wanted you to know we got hit with a ransom note that said, we have this server under control. They sent what they call proof of life. You know, they sent some files from that server showing that they had it. And the client said, we had done a data map. We knew there was absolutely nothing valuable on that server. So we told them to go away and never talk to us again. But if they had had that ransomware hit, say, a month earlier, before their data map was complete, they would have been completely lost. And they would have ended up shutting down systems, setting up firewalls that they didn't need, doing all kinds of things and potentially paying ransoms and sending notices to individuals that just simply weren't required, because they didn't know what they didn't know. And so having that data map in the event of an incident is critically important. In addition, it tells you what systems really need deeper protection. You know, we're no longer in a world where you have one set of security protocols for your entire set of data. That's wasteful. And you're misspending resources. So you find where our real critical data, our very sensitive data, is, and we build deeper security around that than we would with some of our other data. So it saves you money, it saves you headache, and it keeps you from having a lot of false positives where you're sending out notices that you really don't need to send.

SPEAKER_01:

That's actually pretty great. Very rarely does compliance ever get to say, we're gonna reduce the cost of something, we're gonna save you money. So that is a really great example of how paying a little bit more attention on the front end can really save you on the back end, because these days it's not an if it's gonna happen, it's a when it's gonna happen. You're eventually gonna get hit with something. And to not have to notify thousands of patients, to be able to confidently defend yourself to that regulator by saying, look, we have our data map that shows they didn't get anything. That's pretty good defensibility. And then, of course, to be able to save the money and not have to have this massive security on all of your systems.

SPEAKER_02:

Right.

SPEAKER_01:

So, speaking of all of those systems, you know, we're in the world of cloud adoption and everything. We have all these third-party vendors that store our data, that create our data, that do all kinds of things for us. And I mean, they're great, they make life easier for us, but they also are a huge vulnerability to us. How can, or how should, compliance programs handle those risks effectively when it comes to handling that data and paying attention to where all of that data is, who has it, and what they are doing with it?

SPEAKER_02:

Yeah, that's a great question. And it's kind of a tough one in a way. And there's some nuance to it that you wouldn't expect. Like, the obvious answer is just, you know, contract the heck out of it, monitor them, know everything they're doing. Unfortunately, the world isn't quite that simple. And for some of these larger ones, you can go all you want to AWS and say we're gonna audit you every year, and they're gonna tell you, okay, here's a list of other vendors you can use, because you're not gonna use us. So it's just not as simple as watching over them. Plus, that's a huge use of resources, and most of the clients that I work with simply don't have the resources to monitor every single vendor. So you put your emphasis on areas where there's gonna be some payback. And I think that's on the front end. So having a strong vendor assessment process at the very start, having a security questionnaire for them to complete, or if they have some sort of certification, really looking at that. So that could be NIST or something like that. Taking a strong look at that and identifying any risks on the front side. Then for any risks that are identified, sometimes you can just say, no, that's too big a risk, we'll use somebody else. But a lot of the time you're gonna say, you know, that's within kind of standard, we get it. Maybe it's a younger company. We're gonna monitor that. So then you build into the contract: we want you to report to us your progress on these steps during this period, so we can keep an eye on that, but you can trust them to that degree. I think it's important to note here that for most of the regulations we're talking about, there is no responsibility to go in and audit them every so often. In other words, if they violate the law, they're liable for that. And you may be liable to the extent that you lose data and all of that.
But you don't have to go to the extent where you are second-guessing everything they do. You have some ability to trust, to a reasonable extent, that they're doing what they're gonna do. And then you have them report back on the things that didn't look so great, and really start pushing them for things like certification. So you have those third-party auditors that are looking at them, and you can then see, yes, they've been certified. You can show you've done your due diligence on it. And then the big thing, really, I would say, is get contracts in place that have strong representations and warranties, that don't have limitation of liability provisions that are too much; really negotiate the heck out of it to make sure that you're protected. And the other thing I'll say too, and this is kind of a new thing for most folks, is making sure you've got language in the contracts that says you will participate and help us on our data processing impact assessments, our protection assessments. So when we assess the risks to our own organization, you're gonna give us the data that we need to do that. You're gonna help us with our cybersecurity audits. If we have ISO certification or whatever kind of certification, you will respond to our third-party auditors on those. So those sorts of contract provisions really give you some ease that your vendors know what they're doing and that they're complying with the law.

SPEAKER_01:

That is a great piece of advice. That's very insightful. So it wouldn't be a conversation if we didn't bring up AI. It's kind of everywhere, and I've seen it everywhere in healthcare. Everything from AI scribes to ChatGPT and the Copilots and all of those things that help you do the work. I've seen health plans that are using it to determine eligibility and all of those types of things. I've also seen where they will sometimes request to use our data to train their tool, you know, as a third-party vendor, so they can get better. And I've seen those kinds of clauses sneak into contracts and business associate agreements and all of those kinds of things. I'm just curious from your standpoint, because the Department of Justice has even called it out and said they're paying attention to it, what do you view to be some of those higher risks that organizations should be paying closer attention to? And then what can they do to mitigate some of those risks?

SPEAKER_02:

Yeah. And maybe we should talk about this sort of from the highest level down. So at the highest level, you bring up a great point about training of AI. Everybody loves the output; they love to be able to use AI for things like chatbots. The reality, though, is that those AIs do not come from nowhere. They are trained on somebody's data. And if you don't know otherwise, it's probably being trained on yours. Now, I will also say that there are real risks in allowing AI to use information, especially anything like PHI, employee information, any of that, in order to train their systems. Because once it's in that AI training database, it's sort of there. You don't know what they're going to do with it. And there are some risks of disclosure, of violation of regulations, all of that. So, a strong recommendation is, if you can, enter into an agreement with an AI provider that will say, we will not use your data for training our AI or any future systems. And sometimes that's under the guise of training. Sometimes it will be discussed as use of derivative data, data taken from the data that you gave us. Whatever the terms are, you need to have a really close look at that by somebody who specializes in AI, saying, okay, yes, we understand the IP ramifications, who's gonna own that data? And we understand how it's gonna be accessed and used and how that AI training is gonna happen. And then stepping down a little bit from that broader area is, how are we actually using that within our organization? Is it a large language model, an LLM AI? Is it a chatbot? Who's accessing it? Who's using it? How are they relying on it? Because there are a lot of regulations out there now that are really aiming at this. Colorado has a statute specifically around AI.
If you're global, the EU AI regulations. But I'll also note California just last month came out with regulations around automated decision-making technology. And even though they didn't say, okay, this is AI, it pulls in all AI and it pulls in a lot of other things as well, like payers making decisions around what to cover, what health care is going to be provided. Those sorts of decisions are ones that substantively could be pulled in. There are some questions around, is that going to be protected because it's PHI under HIPAA? That's for other conversations. But I would say for entities looking at these kinds of systems, just assume that if there isn't a regulation on it now, there will be shortly, and start building in those processes so that at the individual level they understand what's appropriate use of this, from the marketing department, from other departments, as well as just individual users, so that we don't get overly reliant on it. And I like to think of this as, you know, there's lots of cases where if you are just relying on the technology, you're okay. If you're just relying on humans, you're okay. But when you get a blend of technology and human use, that's where a lot of times you have the biggest disasters. And there are cases of this in trains, in planes, in automobiles, and all the other movies out there, where the technology and human users just don't interact well, because they're coming at it from different places with different languages. So at every level, think about how AI is going to impact us and what we can do to mitigate some of those risks.

SPEAKER_01:

Yeah, those are great points. You did bring up something that I want to jump on: you talked about the state regulations. I have noticed a huge uptick in states coming in and stepping up and making these different regulations and different enforcement actions, on everything, to your point, AI. I've seen how you can use individual data, how they classify all the different data. Texas just broadened their, you know, two cents on these regulations. You mentioned Colorado; California always does; Florida does. How have you seen, in this world where a lot of businesses are in multiple states, some of them in multiple countries, how do they, when it comes to dealing with data, handle that patchwork of the different states and the different laws and the different regs?

SPEAKER_02:

Clumsily. It is rough. And so we have clients on the entire spectrum. I've got some clients where they've basically decided we're gonna take the worst of every statute and build that into our compliance program. And a lot of times these are global companies where they'll say, we're gonna comply with GDPR, we're gonna comply with the big US states, we're gonna comply with a few other statutes, maybe if they're big in Canada, PIPEDA or something like that. And basically have one compliance program across the board. And there may be a weird, quirky law somewhere that we're not gonna quite hit, but that's a risk we're willing to take. And so they have a one-size-fits-all sort of compliance program. At the other end, sometimes companies that are just as big or bigger will say, no, we're going to have a separate compliance process for each state and each country that we're in, and really provide what's required by the law, but it's not going to be one size fits all. And it's getting harder and harder and harder to meet all of the requirements for all of them. But I think you have to start with a baseline. So, you know, if you were there for HIPAA, you're there for Gramm-Leach-Bliley or whatever it is, and then you're there for California and Colorado and Virginia, you've got a good base; you can build from that. If you don't have any of those, we can start you out with it. But you have to stay aware of each law that's coming out, each new regulatory guidance, so that you make sure that you're building in the new pieces of it. Like I mentioned, the California regulations. Anybody subject to CCPA is gonna have to pay attention to this and put some new processes in place. And so it does really become an ongoing process.
And that's again emphasizing that need for a regular iteration of, okay, every year we look at our risk, every year we set up new processes, but also having the flexibility of, oh my goodness, we've got a new one. We don't have 12 months, we've got until the end of the year. Let's get on it.

SPEAKER_01:

Yeah, it's a lot. It's a lot to take in. That's why it's great to have resources to be able to reach out to, to get that type of guidance. As compliance officers, we are not decision makers. We look at the totality of the organization, we identify risk, and we work with the resources that we have. We provide guidance and we do all of those kinds of fun things. So if you were advising a compliance officer of, let's say, a mid-sized healthcare organization that does not have all the resources in the world, and we're gonna speak realistically here, where would you recommend the compliance officer focus their energy and their budget first?

SPEAKER_02:

Yeah. That's a great question. And let me just note, too, I think it's valuable to point out, I always use sort of a return on investment approach to things. So if you've got a problem that would cost a million dollars to fix, and there's a 10% chance of it happening, then you want to invest $100,000 or less. You don't want to invest a million dollars to fix a $100,000 problem. With that said, there are certain things that are just sort of baseline fixed costs. There's nothing you can do about it, so you're just gonna have to do that. And the ones that I would suggest are, again, building into that infrastructure a regular rhythm of risk assessment and management. That's the first place I would look, so that you know what you need to know and where your risks are. Next, I would look at what sort of standards or certification I can get to make sure that I'm complying. So if I am a covered entity or a business associate, at baseline you've got to have HIPAA and meet the HIPAA security standards, the privacy standards. And then I'd be looking at things like ISO, NIST, HITRUST, even internal audits, which, pegged to those standards, are going to be helpful. And then maybe even number one I would put on here is know what's going on. So have a process so that any time marketing comes up with a great new idea, they run it by compliance and legal. So you know, okay, legal's looked at this, they've blessed it. Now we have built in a process for compliance to monitor it so that it works the way that we heard it was going to work. And part of that is investing in those data processing impact assessments, knowing what's going to happen, what the risks are, how we're mitigating them.
And then compliance can do something like an audit function of really watching and monitoring that those use cases are being carried out in the way they were supposed to be, and a big emphasis on education and training for those that are touching that data.

SPEAKER_01:

Yeah, so looking in your crystal ball into the future, um with this administration and maybe a little bit beyond, how do you see compliance programs and the compliance function kind of evolving, changing, growing?

SPEAKER_02:

Yeah, I I think we're going to see more automation in businesses overall and in compliance as well. And that is going to create some of that disconnect I was talking about before between the automation and the humans and that human agency involved there. So I think one of the areas where I'm going to see, I believe, a lot more pressure and points of potential failure is around marketing tools. Uh, and we're already starting to see it now. Uh tracking technology, cookies, uh, clear GIFs, those sorts of things. Um and uh, you know, apps and the SDKs that are involved with those apps are ones that have been great ways to drive new business, but are undergoing a huge amount of scrutiny right now, including a ton of lawsuits by plaintiffs. Uh, and so you're gonna have more pressure uh on marketing to try and find new ways to drive the same amount of business. And that could lead to taking bigger risks. But my hope is it's gonna lead to greater creativity and new ways of doing it that don't drive so much concern around privacy and security. Um, I think there's gonna be a lot more regulatory requirements around monitoring, monitoring third parties and vendors. Um and I think um you're gonna see a lot more regulations coming out with private rights of action. And I think that that always gets everyone's attention because you've just ratcheted from okay, you're gonna pay X dollars per violation to you've got potentially a class action, thousands, even millions of individuals in there, and you have no idea what sort of cap is on that. And we're looking at liability now for some you know larger tech companies in the billions. So it really does just blow it all up. So I think you know, the things that I would put in um as things to do is engage your client, engage marketing, engage IT, engage the C-suite, let them know what's going on and make sure that you're getting input from them.
Uh educate your folks and monitor, monitor the heck out of what's going on to make sure that the information you've got stays relevant and is uh up to date.

SPEAKER_01:

That's great. Um thank you so much for sharing your insights with me today. Um, I think we covered a lot. Um and I think you ended there with some really great kind of takeaways that I think compliance officers uh should really be paying attention to, some things that we don't always get a chance to pay attention to. Um anything else, you know, as we round out um our conversation that you really wanted to kind of point out or last-minute recommendations?

SPEAKER_02:

Uh take advantage of the resources out there. Um AHLA is a fantastic source. So I would say, you know, look to them, you know, listservs, uh, their regular meetings, all of that is great. And I don't say that just because they're you know the one doing this, but you know, I really use them a lot. Uh on privacy and security specifically, I would look at you know, International Association of Privacy Professionals, IAPP is a great resource. Their website has great resources. Uh for state laws. Uh, actually, um, Bass Berry Sims, my law firm, we have a map that shows all of the relevant state laws. So you can go there, click on a state, and it will have all of our client alerts.

SPEAKER_01:

Wonderful. Well, thank you so much again, Roy. I really appreciated this conversation with you. And of course, thank you to AHLA for allowing us to have this conversation. Um, again, I'm Melissa Andrews with Clearwater, and thank you guys so much.

SPEAKER_00:

Thank you. If you enjoyed this episode, be sure to subscribe to AHLA Speaking of Health Law wherever you get your podcasts. For more information about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org and stay updated on breaking healthcare industry news from the major media outlets with AHLA's Health Law Daily Podcast, exclusively for AHLA comprehensive members. To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.