AHLA's Speaking of Health Law
The American Health Law Association (AHLA) is the largest nonprofit, nonpartisan educational organization devoted to legal issues in the health care field with nearly 14,000 members. As part of its educational mission, AHLA's Speaking of Health Law podcasts offer thoughtful analysis and insightful commentary on the legal and policy issues affecting the health care system. AHLA is committed to ensuring equitable access to our educational content. We are continually improving the user experience for everyone and applying the relevant accessibility standards. If you experience accessibility issues, please contact accessibility@americanhealthlaw.org.
AHLA's Speaking of Health Law
Building a Strong HIPAA Compliance and Data Privacy Program for Business Associates
Jon Moore, Chief Risk Officer and Senior Vice President of Consulting Services, Clearwater, speaks with Kezia Cook Robinson, Compliance and Privacy Officer, Uber Health, about building a strong HIPAA compliance and data privacy program for health care entities and business associates. The speakers discuss how Uber technology addresses social determinants of health, such as transportation issues. They also talk about the cybersecurity and risk management standards that business associates face and best practices for designing effective compliance programs, covered entities’ expectations of vendors, and HHS Office for Civil Rights enforcement. Sponsored by Clearwater.
New Health Law Daily Podcast Coming in January 2025
Coming in January 2025, AHLA’s popular Health Law Daily email newsletter will also be available as a daily podcast, exclusively for AHLA Premium members. Listen to all the current health law news from the major media outlets on this new podcast! Subscribe Now
Support for A H L A comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Our solutions include our proprietary software as a service-based platform, I R M Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise. An advisory support from our deep team of information security experts. For more information, visit clearwater compliance.com.
Speaker 2:Hello and welcome everyone. My name is John Moore. I'm Chief Risk Officer and Senior Vice President of Consulting Services at Clearwater. And today I am fortunate to have here with me Kaza Koch Robinson. Kaza serves as the compliance and privacy officer for Uber Health and has been with the company since November of 2018. She's a member of the State Bar of California and has earned certification in healthcare compliance from H C C A and in US Privacy Law and Regulations from I A P P. She's more than 15 years of healthcare industry experience, including 10 years with the Department of Health and Human Services Office for civil Rights. Hello, Kaza and, uh, happy to be here today to talk with you.
Speaker 3:Hi. Hi everyone. I just wanna say thank you to you and also to, uh, the American Health Law Association for having me. Um, again, as John Moore said, I am kasiah and, um, I, I'm actually registered in-house council. I'm a member of the Arkansas in Georgia Bar. So, um, but I am registering house counsel in the, um, in the state of California. Um, and as John mentioned, I have been, uh, in the healthcare, um, industry, um, for, you know, over 15 years, for almost 20 years actually. So I'm delighted to be here and, um, and talk shop with John.
Speaker 2:Excellent. So, cause I, I don't think it would come as any shock to anyone here if I, if I started out by saying, and it, it appears as if we are now inextricably linked with technology and it's become embedded in all aspects of our lives here in the United States. And, and that certainly includes healthcare. Um, and I can remember it seems like not that long ago when the way you found a physician was by word of mouth. And, and now, uh, the go-to way to find a physician is to certainly use Google or another search engine. And, and we see folks, uh, you know, researching healthcare providers, researching physicians, researching, uh, treatment options online, certainly, uh, scheduling appointments, uh, even in some cases now through telehealth. Uh, getting treatment through online means, uh, you know, this probably shouldn't come as too much of a surprise. It's been the policy here in the United States for over a decade to try to facilitate the exchange and use of electronic health information to improve care and hopefully reduce the cost associated with that. And, and, uh, I, you know, having worked at O C R, uh, I'm sure that, that it would come as no surprise to you and, and many others that very early on in those policy decisions, there was an understanding that, uh, there was a risk to patients and to, uh, the organizations that serve, uh, that deliver care around E P H I or electronic protected health information from, uh, breaches of the confidentiality, integrity and availability of that information. Uh, we've seen over the last few years in particular, you know, breaches of 500 records or more to the office for civil rights increasing in a clip of about 25% a year, uh, in the last couple years. Interestingly, in particular, uh, the largest breaches involved, third party organizations or business associates won the, in 2019, the American Medical Collection Agency. And, and last year Blackboard, which we're still, uh, trying to sort out the, the long-term impacts of that breach from last year. Um, you know, it's been since 2010 that business associates have been required to comply with the HIPAA security rule. And, and nevertheless, it seems like, uh, just in the last few years in particular, that healthcare providers are taking more of an interest in, uh, understanding the risk to them and to their patients, uh, from the business associates with whom they exchange information. And it's in that environment that, that Uber decided to get into the healthcare business. So, ca can you tell us about, you know, kind of the Uber's decision to get into healthcare and, and what Uber Health, uh, how Uber Health serves the market, and some of the things that, that you had to do as an organization in order to address all of these requirements for a business associate?
Speaker 3:Yes. So, you know, Uber Health, um, just like any other technology company, I believe that there is like a, like a chart or a mandate to how can you use your, your, your technology expertise to improve, um, you know, healthcare or to improve, um, people's lives. And, you know, and healthcare is just a natural progression and to, you know, what can you do in terms of technology to help improve people's lives. Um, and so Uber Health was actually really pretty, pretty much birthed out of that. It started off as, you know, um, helping people get back and forth to, to their appointments for, um, getting, um, flu shots. And, and, and, and what happened is there was an opportunity to see how, um, we were able to use this digital technology to improve health outcomes, um, for people. And Uber Health actually, it leverages Uber's platform. And so what we're doing is that, um, we are addressing, uh, one of the, the social determinants of the health, which is transportation. So we're using Uber's platform to remove transportation as a barrier, um, to care by enabling healthcare organizations, you know, for examples, hospitals and clinics and, um, even other types of entities and organizations including like clinic, like including like clinical trials. We're helping, um, they're using our technology to arrange rides on behalf of their patients, um, and our members. And so they're, they're able to do that with and through our, either a web-based interface or an a p I. The, the one thing I would like to say about Uber Health is that how Uber Health helps to overcome, um, you know, the, the social determinant of, of, of health or addressing the social, the social determinant of health relating to transportation as a barriers that, you know, a patient or a member, there's no need to have a smartphone or an Uber account because it is the organization, like the health plan or the doctor's office or the hospital that is arranging the ride on behalf of the person or the individual.
Speaker 2:I, I think that's really important. I think it's, uh, it's obvious, well, maybe it's not obvious. I think it'd be relatively obvious to most folks that there's a, certainly a benefit to the, to the, uh, community at large by the service provided by Uber helping folks who might not otherwise be able to get to their appointments getting there. I think sometimes it's overlooked the benefits to the healthcare industry as a whole in terms of, uh, in terms of the healthcare providers not having to, uh, deal with missed appointments and some of the, the inefficiencies that come as a result of that. So, so certainly I think targeted towards those dual objectives of improving care and reducing cost, which is, which is really, I think from an industry-wide perspective, a a great thing and, and an ongoing goal for us here in the us. So when, when Uber decided to, to make, uh, the move into healthcare, what did that mean to you from a compliance perspective?
Speaker 3:Well, um, actually that meant that I needed to understand exactly what we were doing, um, in terms of, you know, what, what was the business objectives. Um, and I do know that one of the objectives really was to be able to use our technology to, um, address social determinants of health, um, and, and address how we can leverage our technology to, you know, remove, uh, transportation as a barrier to care. Um, so in terms of compliance, however, understanding what the business objective or one of the business objectives, understanding that, and then taking that into consideration where you're looking at, you know, who and what entities are our potential partnerships. Like, you know, what entities will we be, um, partnering with in order to, um, you know, leverage our, uh, resources in, in terms of our technology. Um, and so of course, when you talk about hospitals and you talk about clinics, for the most part, they are covered entities under hipaa. So you have to start thinking about in terms of compliance, you know, we would be considered, for the most part, a business associate because of the fact that we are, and we have re relationships and partnerships with covered entities. And because they are the ones leveraging our technology, they are providing, um, some type of identifiers to Uber Health. And so you have to start thinking about that holistically. So you're looking at, okay, business objectives, you're looking at, you know, what entities are we potentially partnering with and what their obligations look like. And then you're looking at, as part of business objectives, at the end of the day, if you're trying to do the right thing and you're wanting to leverage your technology in order to make a difference in someone's life, you also want to, as an obligation, as responsibilities, you know, as part of your obligations responsibilities, not only do you want to alleviate compliance pain points for your customers, but you also want to make sure that you're able to mitigate potential risk that, um, you know, that that may, that may come as a result of working in the health industry and working with these types of entities. And so you, you know, you go in and one of the things that HIPAA says, and you know, you should always, you know, hipaa, one thing about hipaa, I know a lot of people think it's still, you know, it's, it's scary,<laugh>,<laugh>. But if you look at the basic principles of, of HIPAA in terms of wanting to make sure that there, you know, that there's like this uniform standards to ensure that people, individuals have access to their information to encourage the use of electronic health records for portability purposes, so that people that they are able to take and use their information for their own treatment and, and, and care, and to, uh, you know, make sure that there are established standards. Then as it relates or as it relates to protecting, as you said earlier, the confidentiality, integrity and availability of that data. So you, when you look at hipaa, it says that, Hey, you should have a security management process that should be probably a baseline infrastructure, um, in terms of compliance. How do you, how do, how do you develop, how do you design that security management process? Well, it talks about having a risk analysis. It talks about having a risk management plan. Well, you cannot only use that in terms of complying with hipaa, but any other types of regulations that you may need to comply with because of your relationships and our partnerships with, with potential customers. And so that was a baseline, to be honest with you. How can we become com, you know, how can we ensure that we are, um, addressing and complying with the overall spirit of the law relate and or laws and regulations that, um, regulate our customers. Um, so that was how it was initially designed and planned.
Speaker 2:I, I think that's a great insight. And in particular, I, I think too, too often folks think of, uh, compliance in particular HIPAA compliance as something you that's outside of, or in addition to whatever we're doing as a, as a business or separate from whatever we're doing as a business. And, and you, when I, at the beginning of your response, you said, well, first I needed to understand the business model. And I, I think that's such a, a tremendous insight, uh, that many folks overlook. We, we often, uh, talk particularly with business associates and, and those in the health it, digital health space about, um, the need for, to understand the business model itself and the implications for that from a compliance and security perspective. And, you know, as you're, as you probably are aware, uh, organizations are, um, increasingly, at least this was, this was my supposition in the beginning, is that organizations, particularly providers, are less and less inclined to, uh, engage with or partner with organizations that do not have their, uh, compliance and security ducks in a row. Uh, so maybe I should ask you, that's obviously my observation, and I think I have at least some anecdotal evidence to, to demonstrate that. But in your experience with cyber attacks growing in the midst of the pandemic and third parties, accounting for a, a greater and greater both percentage of the breaches, but also perhaps more importantly, the volume of records that have been, uh, exposed, have you seen healthcare providers thinking evolve a, uh, around, uh, what their expectations are for vendors and your ability to meet the HIPAA compliance and, and just general cybersecurity around E P H I?
Speaker 3:Yes. Um, you know, honestly covered entities, they actually understand, um, their obligations relating to protecting health information in terms of how to meet those obligations. You know, it varies. Um, and it also depends on a lot of factors like maturity of the covered entity resources. Um, but that does not take away from the fact that covered entities do and must ensure that anytime that they are disclosing or transmitting, um, P H I, and in this case we're talking about electronic protective health information, um, to a, a third party or, you know, to a business associate, um, that, that they, they, they, they want to ensure, and they wanna make sure that that third party has in place the, the reasonable and appropriate as the term saying under hipaa, uh, controls, um, security controls. And a lot of times, you know, again, because of maybe let's say maturity, like because of a lack of resources, most covering entities, they're, they're trying to find a way to make sure that these third parties do have their ducks in the row in terms of, um, security, in terms of controls, in terms of protecting their patient's information. Because at the end of the day, um, these covered entities, they rely on, um, third parties to help them meet their healthcare operations. And, you know, and, and, and there has to be some level of trust. And I, and, and my, to be honest with you, my perspective, my stance on this level of trust, it really starts with the business associate, the vendor assessing. To your point, you know, when I said that, okay, we had to look at our business objectives, we had to look at who we were partnering with, we had to look at all these things, because at the end of the day, it is a partnership between the covered entity and the third party. Um, and we cannot, as the business associate or as a third party, we cannot take for granted and or try to use as an excuse if the covered entity is, is, is not able to monitor our compliance. Because to your point, since 2010, we have our own obligations to comply under the HIPAA security rule. Um, and, you know, and we have to comply with some parts of the HIPAA privacy rule. But however, as a business associate, as a vendor, and as a third party that is partnering with covered entities in which we are part of our business model is accepting or receiving electronic protected health information, we have an obligation as well under the HIPAA security rule. So in terms of that, building upon that partnership, making sure that you as the business associate, when I say you, I'm talking about me, not by us<laugh><laugh>, but just making sure that as a business associate, that we're also complying. I mean, there's, there, there's that independent factor there that is not just a covered entity. Um, and then in terms of the relationship, that relationship is then, I like to say codified, but it's not really, I mean, the, the legal basis of the relationship is then captured in the business associate agreement, um, and in, in terms of capturing what we are doing to protect that information. Um, and it, yeah, it is a partnership. And one of the things that I, I believe that HIPAA did when it, um, you know, when after high tech, it extended the obligations of compliance under the security rule in terms of making sure that there are controls in place to protect the confidentiality, integrity, availability of, of patient information, was to ensure that the covered entity, in terms of, you know, the, there's a high, there's a cost to compliance. It could be, um, you know, people resources. It's, it's a cost that there's a shared cost in terms of compliance between the covered entity and the business associate. So after, you know, after 2010, I don't think that it's really just on the covered entity to ensure that third parties that they are contracting with are in compliance with, with, with hipaa. The other thing is, um, you know, at, when vendors think about going into the healthcare industry, they have to do that assessment themselves as well. Um, and so, and you know, the, the one thing I can say for our cover entities is making sure that they monitor, um, the business associate's compliance with that business associate agreement. That's part of our obligation. Now, that's a, that, that is part of their obligation as a cover ta
Speaker 2:Mm-hmm.<affirmative>, I, I, I really like what you, you said, I mean, I, when I talk to, uh, or with business associate type folks, and, and, and a lot of those are technology, but not, not all of'em are technology. We, and we talk about, uh, their obligations. I think what, what you were pointing to their obligations into the HIPAA security rule and potentially obligations and their privacy as well. And, and, and we talk about, um, the contractual obligations they're gonna have when they sign that business associate agreement. And we talk about, you know, the growing, uh, interest that, and, and to your point, I think there's different levels of sophistication from the provider market, uh, in terms of what they're looking for from, uh, understanding and managing third party risk. And there's, you know, different levels of sophistication in that. Uh, but you know, what, what we, or at least what I often say to folks is, look, you're, you're gonna need to do these things anyway. If you're gonna make that investment, uh, why don't you, you, instead of just making the investment and clicking the compliance box, why don't we turn that into something that can differentiate us in the market? Why don't we tell a story about how, uh, this is important to us, um, and that we're developing that reasonable and appropriate, uh, program and how that can differentiate us. And I, I look to, to what Uber did and, and, you know, built with compliance was a key message for Uber from the time that it entered the, the, uh, medical transportation market. Can you tell us what led the company to place such a great emphasis on its ability to provide a HIPAA secure environment?
Speaker 3:Again, I, it went back to, to wanting to use its technology. Uber wanted to use, um, it's, it's technology to, you know, to, to help, um, and to address social determinants of health. You know, they, they saw an opportunity to, you know, to use the agility to speed and the mm-hmm.<affirmative> in our technology to make an impact, to make a difference. Um, and so when you have it as, as your objective, and then when your principles in terms of, you know, the overall, um, the, you know, Uber has its own, you know, code of ethics, its own principles. Sure. And when those principles include doing the right thing, um, then it, you know, it's natural to say, Hey, we want to do this right? And in order to do this right, we have to, you know, understand what the risks are in terms of, you know, um, in terms of our obligations and, and, and, and in terms of the obligations of our partners and, and, and do it, right,<laugh>. Yeah. Um, so that's what that means about, about wanting to, to build it, um, and do and do the right thing. Um, because that, that is one of our, that's one of our principles. That's one of the things that's one of our values. We wanna do the right thing, period. Um, and you know, and we do understand, and, and, and, and I think Uber, they performed that, you know, one of the things that we did is that we did perform that risk assessment, that risk analysis of our products and services relating to, um, what we're offering to our partners, um, you know, our Uber Health partners. And we, we, we, we, we wanted to understand just what risk, you know, what are their risks, what are our risks, and, and then be able to help mitigate that through, um, you know, through the design and through updates, including updates, you know, not just the design of the product, but even when you're having to update it with new features and our new services. I mean, everything that we do, we do it, it is, we're patient-centric as well as, um, customer obsessed. I mean, those are all our key values. We're customer obsessed. We do the right thing. I mean, and it's inherent in how we're building out our and how, and, you know, how we're, uh, wanting to continue to do, um, to provide these services and, and, and to really, um, do the right thing in this space.
Speaker 2:It's a, it's a good message. I think oftentimes, uh, organizations don't fully understand all the stakeholders in the, in play for cybersecurity and compliance purposes. Uh, you mentioned, you know, obviously your partners and the, the obligations to certain extent that you have to them, uh, to protect the information that they're sharing with you to facilitate the business. Certainly. Um, there's, you know, Ubers investors, uh, that, you know, stockholders and things that, that have an expectation that Uber's going to manage your risk, right? That, uh, that you're not gonna unnecessarily place the equity and, and future revenue of the organization, uh, at risk. There's, um, ocr your former employee, you know, obviously the regulator has a, has a role in all of this as well. But, but ultimately it's the, the patients or the, the riders in, in your case, who are, uh, having trusting in the organization. And I think we, we have an obligation to them certainly as well. So there's a lot of, um, more stakeholders perhaps than we typically think about, involved in, in guiding us to do the right thing from a cybersecurity and compliance perspective. So let me, let me kind of, I mentioned your former employer of the Office for Civil Rights. So let me, let me ask you a couple questions. Cer certainly about, uh, kind of their role in an interpretation of this. They've obviously stated numerous times the importance of an enterprise risk analysis. They've issued guidance. They've, uh, as recently as last year said that, or pointed out that a lot of organizations weren't doing it and referred to it as low-hanging fruit for compliance purposes. There was the, um, the audit results that were published that conducted a number of years ago that, uh, showed that many organizations weren't, uh, doing the risk analysis as required under the HIPAA requirements. Do you think has the, the, the quality or the need for business associates to, to, uh, do the risk analysis and, and certainly their, your partner's expectation to that you do the risk analysis, uh, to the level, uh, required for HIPAA compliance? Is that changing? Is that something that you see?
Speaker 3:Oh, no. I mean, uh, I think I mentioned this before about our obligation as a business associate to comply with the HIPAA security rule. And part of that compliance is performing that HIPAA risk analysis to understand exactly, you know, what data that you're, you know, as a business associate, the data that you're holding, processing, retaining, as well as the different assets that are collecting and or processing this information. Um, we have the same obligations now as our covered entities, as we cover entities, as our partners, um, in this space, in the healthcare industry, space vendors or business associates have the same obligations under the HIPAA security rule. Um, and so, um, in terms of enforcement, I, you know, I've been following a lot of the enforcement cases, and I think it's really just the message that O C R is trying to provide. And that is, at the end of the day, it is about protecting people's information. It is about, and part of that too, as you, um, see, you know, there has been recent even policymaking in terms of what it, what does it mean to make sure that you have controls in place to protect that information. And it's not just even about protecting information, it's about protecting the integrity of the information. You know, again, going back to the, you know, it's, it is hipaa, it's the, you know, health insurance portability and accountability act. It's portability of the information. Yeah. And it's protecting the integrity as well. So when we talk about confidentiality, a lot of times we get, we get hung up on the confidentiality, but it's not even about that. It's about the integrity and availability that's all about, that's all about having, giving people, individuals, and patients control over their information. The control that these covered entities and that business associates in terms of processing this information so that we can provide these services to individuals at the end of the day, is about the individual and making sure that the individual's information is, is protected, but it's also accurate and complete. Um, and, and I believe that that's probably why, and I, again, I, um, I can't speak on behalf of the office for civil rights mm-hmm.<affirmative>, but in terms of looking at enforcement trends, in terms of looking at recent, um, policy and, and, you know, um, and, you know, just where we are headed in terms of regulations that are passing, like O C R, um, and O N C passing the interoperability rules. It's really about being able to share the information, but also making sure that when you share this information, that each party's understand their obligations to protecting it, to ensuring the accuracy and thoroughness as far as, you know, when you're sharing it, that you're, you're, um, providing all of the information. And then the other entity is, is really truly protecting and, and ensuring the accuracy as far as the, um, availability so that when a person is requesting their information, they can have access to. And I believe if you think about it, it is all coming together in terms of enforcement, you know, they were focusing on, you know, there, you know, OCR r focusing on enforcement in terms of just complying with hipaa. Yeah. Because, because, you know, it's really about ensuring that people have access to their information, that their information is accurate and complete, and that that information is protected in terms of when these organizations are providing treatment. And they are, you know, in terms of their own operations, having to use their, having to use individuals information for their own operations. Um, so no, they're, it is the same, to be honest with you. It's the same, the same requirements, the same obligations, because at the end of the day, it's two that are, that are sharing information, but at the end, but, but the person or the individual at the end of that information is who we're all trying to protect.
Speaker 2:It's a very, very good point. I, I mentioned, you know, that, that it's for over a decade now, the sort of federal policy has been to encourage the secure and efficient exchange of information with the objective of better care and, and reduce costs. And I, I, to your point, I think we're getting to the point, uh, particularly with the new interoperability, uh, requirements. We're, we're gonna find out whether or not, uh, that objective is, is possible, which is interesting subject in and of itself. I, you know, we, what we've seen, and certainly what I've seen in crossing the industry is that, uh, there's, there's certain organizations that just for one reason or another, uh, aren't going to do all the things that they're required to do from a compliance perspective. There's other organizations that are gonna, for example, gonna do the risk analysis, but it's simply a compliance exercise. They're looking to check that box, and they don't really do anything, um, with the outcome of that analysis. And then there's the, the third group, and I think where OCR certainly would like people to be, and I think where the industry and society as a whole would benefit from is, is organizations that are doing the risk analysis. And, and yes, they're doing it because it's a compliance requirement, but they're also doing it for the purpose it's intended, which is to understand, to your point, uh, the risk to the confidentiality, integrity and availability of electronically protected health information. And one of the things that, that my consultant said to me, having worked with Uber Health, is that I know Uber certainly falls into that ladder category. They're an organization that was in, incredibly engaged in the process of the risk analysis and risk management. And, and it's clear that, uh, you know, you have an effective cyber risk management HIPAA compliance program within the organization. Uh, could you tell us a little bit about, uh, how, uh, the risk analysis enables you to make better, to better understand and prioritize your response to risk? And, and how does that process work from a governance perspective within Uber Health?
Speaker 3:Yes. Um, you know, I think it begins with, to your point, it's a risk analysis, but the most important aspect of the risk analysis is that it helps feed into your risk management plan. Um, and I, and I, and, and you know, I, one of the things I heard you say about entities or in, or in, or organizations right now is that they may perform the, the risk analysis to kind of check the box in terms of compliance, but that may just be it. However, the most important important part of the, the, the risk meant, the risk analysis is really being able to design that security management program, that security management process, um, that ties into the cybersecurity, um, you know, management or cybersecurity processes, cyber cybersecurity program as well. All of that's, um, interrelated, but really is that risk management plan and, and making sure that you are able to articulate, um, you know, top down what the risk look like, um, in terms of, you know, collecting, you know, creating, receiving, maintaining, collecting, um, patient information. What does that, that look like? What does that look like for the organization? What are the risk, what, you know, and that also helps improve your overall, you know, um, mitigation processes in terms of how you are adopting the controls necessary to mitigate those risks. Um, and, and I, and, and I think that's where we, I wanna say that's where we are. That's where we are trying to make the difference in terms of really truly looking at how we can mitigate risk from the risk assessment aspect, the risk analysis, identifying what those risks look like to the organization, articulating those risks to our stakeholders, both internal and external, and then making sure that we are having and applying reasonable and appropriate controls, um, in order to mitigate that. Um, and I believe it's at that risk management point and that, that, that, that risk management, active risk management, not just reactive, but proactive and active risk management, that means that it involves all stakeholders. It involves everyday aerations of looking at what you're doing. So that risk analysis, yes, it gives you that point in time, but that's why they say you should have, you know, at least annual risk analysis or, you know, at least do risk analysis when there's been operational and or environmental changes, uh, to your operations or to your technology. Um, but all of that, that is, that's part of that active proactive risk management, which is, which risk management is really the cornerstone of compliance.
Speaker 2:Yeah. I, I think that, uh, and this, I see this, I think more frequently and in organizations are just trying to click the compliance box. They'll do the risk analysis, but then, uh, things don't happen in the risk management plan. And I think part of that is, to your point, is that to, to that's where the rubber meets the road to a certain extent, where, uh, successfully understanding, evaluating, treating risk, uh, to the extent that we're mitigating, implementing, uh, mitigating safeguards that requires more than just the, the compliance or the security group to carry out. There's, you know, oftentimes you're going to need to be engaging with business owners with it, uh, with HR depend, you know, depending on what the mitigating controls are that an organization needs to implement, that requires, uh, quite a bit more interaction and, and inter and exchange between different parts of the organization. And if you're just treating this as a, uh, compliance exercise, I think a lot of times organizations, uh, don't have the, the leadership or governance in place to facilitate the risk management activity. And, and I think, you know, to your point, again, it's, it's, if you don't do that, then what was the point of it all?<laugh>, you know, to what, what good does it do me to understand my risks if I'm not going to make informed decisions, uh, based on that? Uh,
Speaker 3:Absolutely. I like that informed decisions. I absolutely, yes,<laugh>,<laugh>. Yeah. I like that. Informed decisions. Yeah. Yeah. From the top down.
Speaker 2:Yep. It's, it's really is. Well, uh, because I, it's been, it's been great talking with you, and I could probably sit here and talk to you all afternoon if they let me. Um, but unfortunately, uh, we were unable to do that. But before we go, I, you have so many things you could probably offer to, uh, organizations that are, um, trying to enter the healthcare space for the first time, or maybe they're a startup, uh, you know, and, and plan to start up in the healthcare space as a business associate, maybe having similar customers to, uh, to you or partners to you at Uber, the providers out there. Can you share some other maybe learnings or best practices or advice for tech companies or other business associates that might be entering healthcare and, and how they can, uh, be compliant and, and also grow their presence in the industry?
Speaker 3:Yes. I think the, um, one of the things as you were speaking, I was just kind of thinking of, you know, what has been our, you know, what, what, what's been my motivation in terms of, you know, working with others, um, within Uber and across the industry to make sure that we are achieving our business objectives and achieving what we start off, you know, start out doing. Um, and, you know, one of the things that I can say is really, truly understanding your company's values. And it's not just really about understanding or researching and assessing what your obligations look like under applicable laws based on the industry, but it's also looking at your company's values and how can you, um, bake those companies, val, your company's values into the overall processes, um, into, um, achieving, um, the business objectives of what you're trying to do in terms of, you know, um, your technology and, and also using your company's values in terms of, you know, overall, when you're looking at the healthcare industry, it is, you know, one of the, it's like the highest regulated or one of the most highly, highly, uh, highly regulated industries. Um, um, and you know, again, it is, it is a team effort, but everyone has to have, because it is a team effort, there has to be a central way of looking at things, a centralized way of approaching things and starting with your company's values that gives you, that gives everyone who is necessary in order to be able to make that impact with your services. It gives everyone a centralized, um, viewpoint of how to approach it. Um, and then everyone has the same shared values so that as you're at the table and you're designing and implementing what's necessary, um, again, having that centralized, having those centralized values will help, um, you know, will help keep everyone centered on what's important. Um, and I think that that's one of the lessons that I've, that I've learned is really being able to communicate that as well as, um, utilize that in terms of, you know, my communication across the board as well. And, and, and, you know, in working with the different groups, like you just said, product managers and engineers and it mm-hmm.<affirmative>,<laugh>, being able to say, Hey, we all have the same goals. We all have the same values and goals in mind, um, to achieve what we're trying to do here.
Speaker 2:Uh, I think that's wonderful advice, not just for, uh, folks who are entering the healthcare industry, but certainly for anybody out in the audience who's, who is operating in, in a compliance role, uh, within any organization anywhere. I, I think that, um, well, I think, you know, oftentimes folks who are in compliance roles can be seen as, uh, individuals who are trying to limit progress in some way or slowing down progress in some way. And, and I think that that, uh, how you've linked that role to the corporate, uh, values and, and how, uh, everyone's marching to that sort of same, um, well, core values as in this case, is really important and, and can be highly effective in changing the conversation in a way that, that's going to further link compliance with, um, the overall organizational goals. That's, uh, a really, I think, a, a great, great thought to end and our conversation today on, so thank you very much, Kaza. It's been, it's been great talking to you and, and, uh, really enjoyed it. I, I think there's some, uh, again, some, some real key messages that, that you've provided for folks today, whether that's, uh, you know, the need for compliance, but also, um, that it's a lot more than just that, uh, you know, linking that to corporate goals and objectives and, and corporate values. It's a, it's a really great message that, uh, you delivered.
Speaker 3:Thank you. I appreciate it.