AHLA's Speaking of Health Law

Tools for Ensuring Appropriate Access to PHI: OCR’s Access Initiative, Enforcement Actions, and Other Considerations

AHLA Podcasts

Wes Morris, Managing Principal Consultant, Clearwater, speaks with Joy Easterwood, Johnson Pope Bokor Ruppel & Burns LLP, about the Office for Civil Rights (OCR)’s recently announced eighteenth settlement of an enforcement action in its HIPAA Right of Access Initiative. OCR announced this initiative to support individuals' right to timely access of their health records at a reasonable cost under the HIPAA Privacy Rule. Morris and Easterwood discuss the latest activity on this front and steps that health care organizations can take to ensure they are adhering to the regulations. Sponsored by Clearwater

Speaker 1:

Support for AHLA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Our solutions include our proprietary software-as-a-service-based platform, IRM|Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise, and advisory support from our deep team of information security experts. For more information, visit clearwatercompliance.com.

Speaker 2:

Good morning. I'm Wes Morris with Clearwater. I'm the managing principal consultant, and I am here today on the AHLA podcast to talk with Joy Easterwood of Johnson and Pope, out of the Tampa Bay area. And our subject today is going to be the tools that people should be considering for managing access to protected health information and the rights of patients and individuals to receive that access. Joy, would you take a moment and introduce yourself and tell the audience what you would like them to know about you?

Speaker 3:

Sure. First, good morning. I'm happy to be here. I'm Joy Easterwood. I'm an attorney with Johnson Pope. We're based out of Tampa, Florida. I'm one of many healthcare attorneys, and I spend a lot of time in the HIPAA and the general data privacy and security space. I do a lot of advising on agreements for clients, making sure that they're compliant with all healthcare regulations, but especially when we get into the health IT realm. And I help people on a day-to-day basis as far as setting up and implementing data privacy and security compliance programs, managing day-to-day questions, and of course the fun times in breach and incident response as well. Before I went into private practice, I spent a number of years in-house with a large health system, where I was counsel and a privacy officer, so responsible for, again, implementing and really getting privacy and security practices into place and a living and breathing compliance program. And also in the health plan space as well before that, again, both as a privacy officer and attorney. And so I love to speak on these topics and spend time trying to help people think about these things and advise clients in ways that lead them to a space where they're pretty comfortable that they're compliant. They understand what the current focus of privacy and security compliance is. Not just with breaches, which <laugh> we can't forget about, and ransomware attacks, but there's a very large movement happening, right? It's been happening, related to balancing the concern of privacy with also recognizing that individuals have a right to access their information, and that the Office for Civil Rights is taking that very seriously and has continued even through COVID to seek to enforce the guidance that they've issued on that topic.

Speaker 2:

Right, right. Yeah. Looking back over time, well, first of all, you and I have known each other for some time, in some of those other earlier roles of yours. And so it's really a pleasure to be able to spend a little time with you this morning going over some of these topics. So when we look back, we know that access has been a long-term problem. It's been one of the top five investigated issues in healthcare for pretty much the life of HIPAA. It keeps showing up on the board every year. I think last year it was like number three of the most investigated issues. So obviously this is something that has been a long-term issue, but we really saw emphasis on it by the OCR starting in about September of 2018, I think it was, when they issued the first of what are now 18 cases against covered entities for failing to provide access. And I recall that that first case involved information that may not have been fully recognized and understood to be part of the designated record set. What are your thoughts around how we are addressing, as one of the first tools in this bucket, the issue of the designated record set and understanding where our information actually should be residing and be captured from?

Speaker 3:

That's a great question, and also because today we're talking about tools to help our clients, right? Comply with regulations and then guidance, and then more guidance that there is an expectation that we comply with. And so one of the best sources of that information, and about how we can help our clients posture themselves best with respect to ensuring that they're doing things that are meeting those regulatory expectations, is looking at the resolution agreements that are available publicly on the OCR's website, and looking at the things that the OCR wanted to see covered entities adjust or implement to address the concern. And again, I think it's important to highlight, because we all interact with clients that are really scared of breaches, right? So they've implemented these things that might be overly restrictive and missing that part of the HIPAA rules, right? About making sure that individuals have a right to access their information. So we see unreasonable barriers. I mean, that's a term that's used a lot as well. But to your point, Wes, you can't ensure that you're honoring individuals' rights with respect to access to their designated record set unless you know what that designated record set is, and you define it. So one of the things that I work closely with clients on when we update policies, right? Because we want to be sure that people have not just policies that are on the shelf, but that they can implement these things, and a designated record set that brings everybody to the table, right? And you need clinical teams to be part of that, to understand, outside of the electronic medical record, because we know <laugh> that's the electronic medical record. Clearly there's access rights around that.

But are there other pieces, maybe from historical systems or paper records? Because remember, we're looking back as well with respect to somebody's designated record set, and really specifying in the policy or procedure some type of document that the workforce can use and follow with respect to: if I get a record request, here are the pieces of the designated record set that I need to be sure are part of this record. Because we see sometimes either a lack of understanding or disorganization, and so people send out records, maybe they're doing it within the timeframe that's required under HIPAA and state law, but they're missing parts of it, or they're telling somebody that you're not entitled to that document. And so that policy, to your point, that encompasses all of those kinds of outliers, right? <laugh> That need to be produced with the bulk record from what's now in the EMR. And then making sure that the people that are managing those requests on the front end know how to respond to individuals. So just telling people no is really a bad idea unless they've talked to the right people and made sure that they're compliant with the HIPAA rules, and following, for example, denial of access requirements, those types of things. And that they're not telling somebody they're not entitled to something when they actually are. And so I think it's that policy, to your point, and then that kind of coaching with our clients, especially if your client's the clinician, right? But it's other office staff that will manage those access requests, right? Hey, before <laugh> you tell somebody no, let's sit down, look at the request and make sure we have all the parts of the record and that we're responding correctly.

Speaker 2:

Right? Right. Because when we think about that term designated record set, it's not just the clinical records, it is also things like billing records. It's any of those records that are used to make a decision about the individual, and that can get pretty wide-ranging and be pretty varied from organization to organization. Would you agree with that?

Speaker 3:

I do. And I think that there's the part that you've highlighted too: any other documents that are used for decision-making about the individual. So there are radiology images and reports, there are other types of monitoring things where a clinician then comes to a clinical decision about it. What's the process for getting those things into the record, especially if they're tied to a device, for example? But clinical photography is another one that comes up a lot, right? If somebody's reviewing an image, and it's HIPAA, but that can also cause issues with respect to litigation and subpoena requests. So it's really important to know that we're not just talking about the electronic medical record, that that defined term is much broader, and that in a lot of states there's also an expectation under applicable licensure rules that clinicians are keeping a complete record as well. So it's multi-layered.

Speaker 2:

It really is. It really is. I've spent the last several months as part of a task force with AHIMA, the Electronic Health Record Association, and AMIA, exploring this subject of the designated record set and how it ties to another subject, and that is the CARES Act, sorry, the Cures Act and information blocking requirements. And we have been preparing information to provide to ONC and OCR to help them to see where the problem is in the industry as well. So this is not just something that is happening in any one facility. This is a national-level issue and conversation. I think that we're trying to ensure that the guidance and advice that we're giving the industry as a whole is consistent and helps them to better recognize and address these kinds of things most effectively. So this conversation today just really continues to add to all of this, I think.

Speaker 3:

Yeah. Well, I'll just say on that point that it's not just about new ways to get in trouble, right? No. The goal behind everything is that patients, honestly, we all know whether you're clinical or not, that they have better outcomes if those that are treating them or managing their care have access to all of their records. You want to be sure that important information isn't left out. So a lot of people will talk a lot about regulations upon regulations, but ultimately, in a lot of ways, the focus on this topic makes sense, to try to have better outcomes for patients by making sure that their records are accessible and complete for treating providers, and that they have insight into their own records so that they can better manage their own healthcare.

Speaker 2:

Right. Right. You know, one of the things that I have long seen as a concern in our industry, and I mean since I started doing this in 2003, is the issue around organizations not understanding the difference between an authorization and an access request. Can you talk to that?

Speaker 3:

I will. And this is one of those things where I find that it's not crystal clear. And typically, if I see people that are commonly just requiring everybody to sign an authorization form when they want access to their own records, it's not that they're not trying to comply, right? Obviously, I think that there's a thought that that is easier from an operational perspective, but when we're looking at these types of things and helping clients become compliant with respect to the access guidance, that's kind of one of the first things to look at. And making sure that their policies are very clear, right? That for an individual, you can require them to submit their request in writing. I think you want to be sensitive to ensuring that doesn't bar access to anyone that's not able to do that. But that's permissible. But you're not supposed to require them to sign an authorization form. You don't want to create an unreasonable barrier. So that creates kind of two different pathways, right? Where you're coaching clients and helping them understand and train their staff that if it's the patient or the patient's personal representative that's requesting access to PHI, specifically the designated record set, they need to be treated differently, both from a cost perspective and also with respect to how the access request is handled, treated differently than a third party that approaches and says, I want Joy Easterwood's medical records, where you're using that authorization form. And that's kind of one of the easier things, right? That people can do to show, we're recognizing this guidance. And another thing I want to say about the guidance is, one of the great things about the privacy realm is that we have a lot of guidance. It's not even just written for lawyers.

It's really written to help people understand what the expectations are. And I teach a technology and healthcare compliance class as well, and obviously HIPAA's a big part of that. And a large part of the reading that I assign is all of the guidance from the Office for Civil Rights, because it's helpful. And so making sure that policies, yes, address each regulation, but also align with that guidance, answers so many common questions that clients have too. We see a lot of people too only sending things out encrypted, but there's language in there that says that if somebody says, I want things in an unencrypted format, you should advise them of the risk, right? But ultimately you want to be really sensitive to barring <laugh> access and the ways that people are requesting access to their information. So I know I just went on for a while there, Wes, but I get it. I'm kind of nerdy. I get excited about these topics, right?

Speaker 2:

<laugh> Well, as you know, I'm kind of nerdy about this too. So <laugh> we do well with that one. Yeah. So one of the things that you touched on there is that guidance. When did the first real significant guidance come out? I think it was 2016 that OCR published on their webpage an entire multi-page guide all around access. And for many people, that was a game-changing moment, because they hadn't considered it in the light of that, in the way that OCR sort of expressed it then, things like the difference between an access request and an authorized disclosure, and fees, and all kinds of other things. Now, some elements were later overturned as a part of the Ciox v. Azar case, but not all of it. Much of it still stands, and much of it then is now rolling into a whole new realm, which is this notice of proposed rulemaking around the privacy rule that is really touching on all this. And I'd like to talk more about that notice of proposed rulemaking as we get a little bit further in today. But for the moment, one of the things that you just said that really comes back to me is the issue of personal representatives. Do you find that organizations are struggling to truly identify the rules around personal representation and access? Or do you find that they have a good handle on it? Because I see it as a struggle.

Speaker 3:

Yeah. And I don't know that that's a struggle that can easily be alleviated. I mean, sometimes I help clients by looking at court paperwork. We have to both look at HIPAA and state law, right? With respect to minors and others that have legal personal representatives. And to your point, there's also a right to direct access to a third party. But I do think that those are more challenging rules, because you're looking at state laws as well. And so in some cases it's easier, the natural parent of a minor where their rights have not been terminated, but in other cases it's not as clear. And court paperwork can change. And I think that some of those roles change over time too, right? A court might make a decision later that changes who the personal representative or the legal guardian is, for example, for a minor. And so that's one that I think is just naturally going to be something that people need to pay close attention to. Obviously those are areas that different family members can have some controversy around, and obviously be very upset <laugh> if their records go to the wrong person. And so that's one of those things that clients need to think about operationalizing as well, and making sure that records are up to date and that they're saving documentation that clearly indicates who the personal representative is, if there is one. And one thing to your point on the guidance: it's been updated too, so it's been kept current and it's available online. And so I think that was a great point, Wes, because it's not just resolution agreements. If you look at the access guidance from the OCR, there's a summary of the Ciox case, and there's been a lot of talk and debate around charges for fees. And so we've talked a lot about access to records.

But the fees is something that I think we see a lot of. And again, it's one of those things that I think people want to comply with. But we add in state laws as well, and we have to remember that HIPAA's a federal law. And so the guidance even specifically calls it out, right? That even if there's a state law <laugh> that says you can charge more than what we're saying, we expect you to honor the HIPAA requirements. And I'm in Florida, and so I see a lot of different things, and I think that medical professionals often turn naturally to their licensure board and those rules related to what they can charge for records. And so they're unknowingly thinking that they comply. But I will tell you that, both from the OCR guidance and the fact that a lot of licensure boards even say, you can charge a fee, but we recommend that you don't charge individuals, or that's our preference, for copies of their own records. And so I always tell people, now, do you really have to charge an individual, if it's me asking for my own records? Again, different than that third-party request. And so we also want to be sure that people aren't barred from getting copies of their records because they don't have the financial means, for example. And so a good way to remove one of the areas of risk of enforcement is just having a policy that allows people to get access to their own records without a charge. And so I think that's something that, as lawyers, we should always be exploring with our clients, because sometimes there are not really that many requests, for example. And so there's not that large of an impact. But that's one easy way to check off one of the boxes, because it's strongly encouraged.

Then you avoid all the confusion around what can we charge, and you know that your patients are getting access to their records without any barriers.

Speaker 2:

Yeah. That fees issue is certainly one that has been a problem over time. I remember one time asking for 30 pages of my record, and the fees they proposed to charge me were $65 for 30 pages, and most of those pages were short notes. So <laugh> that can be a problem. Now OCR basically said, hey, if you want to avoid a lot of controversy here and the need to construct fees and do those things, you can go with this flat-rate approach. I think it's $6.50. What are your thoughts around that flat rate as a way of recouping some basic costs, but not anything extreme?

Speaker 3:

And I think that's with respect to electronic records, but I think that that's a business decision, right? Obviously it is easier to quantify, is what I've seen when you're going through the process with organizations: how are we going to approach this and do our cost analysis and make sure that we're only including things in the fee that we're permitted to under HIPAA? But I do see people utilizing that option a lot. And again, I think the analysis should start with what costs you really incur, under the availability now of a lot of records being in your EMR, but there are things that cost more and take more time, right? We talked about when things don't live in the electronic medical record, or people want things in different formats. And so I think it's a business decision, and our job is to advise people of what their options are, but that includes reminding them that, both at a federal and, at least here in Florida, at a state level, the preference is that you're not charging the individual. If you do, let's be sure that you're fitting within this guidance, whichever structure you choose to follow. And that's where things get tricky, right?

Speaker 2:

Right, right, right. Because you've got to consider the whole picture. It's not just a matter of, well, we can do X and that's the end of it. There's a lot of different factors that play into that. I think back to years and years back, in fact, now that really the very first significant big case in healthcare, the biggest fine for a long time, or penalty at the time, was a case that involved a refusal by a healthcare company to give people, 43 people, access to their records. Do you recall that case? Cignet Health?

Speaker 3:

Honestly, not off the top of my head.

Speaker 2:

Well, that one went all the way up the chain to OCR, and <laugh> there was a lot of difficulty around that one, but it was the original case that fought the battle of, is this the provider's record or is this the patient's record? And that's where this all kind of starts in my mind, to try to shift that view. But then when I look at the more recent cases, what I'm seeing in those 18 that I've seen thus far, that have been published, is a tendency to violate the time requirements, not getting things to people in the time that they should have, as one of two issues. And I want to hit on that one first and then go to the second issue. We know that the time requirement is 30 days with the possibility of a 30-day extension. That does not mean 60 days, right? It means 30, but you can get the extension if you need it, and if you follow the rules around that access. But we also know that in the notice of proposed rulemaking, they're suggesting reducing that to 15 days for electronic records. What are your thoughts? Is 15 days a reasonable period to be able to provide somebody access to their electronic record?

Speaker 3:

Well, I think that in Florida, and other states may have state law requirements as well, where if you receive a request for records, for example, and it's tied to a medical malpractice claim or action, you might have to produce things in a faster period of time anyway, right? At a state level. So again, we always have to consider state law as well with timing. But a reminder is that you don't just have 30 days, right? You shouldn't be waiting until day 29 to compile the access request. It should be without delay and responsive. And so theoretically, people should not be waiting 30 days right now. Fifteen days, where it gets complicated or maybe there's a lot of requests that come in and people end up in a bind, that can be challenging. I can foresee that, obviously, especially for larger organizations that maybe get a lot of requests. With that being said, though, I have to take the opportunity to remind people <laugh>, and the guidance I think hits on this too, that you should be producing records as fast as possible. Thirty days is really the cap. And so I'm sure that that 15-day proposal is a tight timeframe that people are concerned about. I can see the concern, again, where you're dealing with a large request, a lot of records, for example. I mean, it all depends on how many records the person has, for what period of time they're requesting. And so some of those things can take longer, and it's clear you'll still be entitled to one extension. But hopefully, for some of the smaller organizations at least, it won't be a huge impact. But I think it definitely highlights the ongoing trend, both under the Cures Act and HIPAA, to move towards making health information accessible without delay to individuals.

Speaker 2:

As I think through some of the issues that I've seen over the years in many of the organizations I've assisted, one of the things that I've run into from time to time is a tendency to demand that the individual come in and produce identification, or get a notarized signed statement or those kinds of things, in order to be given access to their record. Some thoughts around that?

Speaker 3:

Yeah, you actually read my mind. That's something I wanted to mention, because I do see that a lot. I spend a lot of time with larger organizations, but also the single-provider offices. And again, I think that they don't necessarily all have an in-house, dedicated full-time privacy officer, right? And they're not realizing that there's a lot of ways you can send that form and receive it to request records, and that having somebody travel into the office is not appropriate. It's not necessary. And arguably it could be alleged to be a barrier that somebody is having to their health information. It's funny, that actually happened to me when I was like 39 weeks pregnant waiting to go into labor, and I needed a record, and someone wanted to have me drive really far to their office, and I was like, I'm really pregnant <laugh>. I tried to be nice about things. But I think that's one of the more common areas, or misinterpreting that, I can't send things out unencrypted, but I think you can provide a blank form, right? To people in different ways, and whatever you can do to try to accommodate and be reasonable about helping people get access to their records, you want to be sure you're doing. And I think that's a great point. I think people overlook it, and they're really, again, trying to comply with HIPAA, right? They just get a little overcautious, kind of out of fear maybe that they're going to get in trouble. But having somebody drive into the office to request and pick up their records is definitely an area that you don't want to be going into, for HIPAA, but also because it's also not the right thing to do by patients, right?

Speaker 2:

Right. Right. Yeah, that, or demanding that they go and get a notarization, which then may, in some cases, incur a cost to the individual, right? There are a lot of ways that you can create a barrier. So as you are advising your patients, or sorry, your clients, you're focused on how do you reduce those barriers? That's what I'm hearing: consider the ways that the barriers can get in there, and what you can do to reduce them. Yeah.

Speaker 3:

Yeah. And I think it's just developing, because I do see even places with those full-time in-house people, right? That have good knowledge and they look at the OCR guidance, but I think it's being sensitive to identifying areas where your office staff might be engaging in a practice, right? That's making it harder for people to get access to their records. And being on the lookout for that, because again, in most cases, right? It's not an intentional act. It's something that maybe a new person comes in and they don't understand the requirements. But it's definitely an area that's specific in the access guidance. And so you want to be sensitive, and when you're doing overall privacy reviews, be looking for things that are potential barriers to people, making sure that all of the various items in the access guidance are being honored.

Speaker 2:

Right? So having access to the access guidance is probably the first thing that you want to ensure that you have, that you've read it and understand what the intent here is, rather than simply what the HIPAA law says. I've often found that HIPAA says do X, but it's those preambles to the regulation, and it's the guidance that's been published since then, that become really critical to giving context to all of this and helping people understand how to do this more effectively. I mentioned earlier that we have the notice of proposed rulemaking around privacy; 75 pages of that guidance is all around access. We have the Cures Act and the information blocking rule that is now in effect, and we have the access and high interest from OCR. I think of all of this as kind of a perfect storm. The world is continuing to change, so that we can't just say, well, HIPAA says therefore, or the Cures Act says therefore. We've got to consider all of this in context. And depending on what happens with the notice of proposed rulemaking, we could see some significant changes to our practices and policies and procedures, and those kinds of things have to happen in the future as well. How do you see all of that as it's coming together in your world?

Speaker 3:

Yeah. And I think that's on point for the audience today as well, because it's AHLA, so we might see a client at one point in time and assist them with preparing privacy policies. We had some big changes back in 2013, and there were a lot of steps that people had to take, updating business associate agreements to come into compliance. And we always have to consider state law as well. So where are you doing business? Where are your patients located? As privacy lawyers, from a breach perspective, but also day-to-day operations: things like personal representatives, things like costs, things like minors, making sure that you're complying with state law, HIPAA, and now we have the Cures Act. And so (laughs) I know that it can be overwhelming for some of our clients as well. Now there's this information blocking portal where somebody can submit a complaint related to not getting access to their information. So we have a lot of moving parts, and now we have the proposed changes to the privacy rule. That does mean that when writing policies and providing them to our clients, we need to be communicating about the Cures Act and the compliance deadlines that have already come to fruition, and then the pieces that depend on who the client is: are they an EMR vendor or another type, maybe a certified EMR, or an HIE, or maybe they're a provider, and then what type of provider, are they a hospital? Asking all of those questions when you're preparing those documents and walking through them with your clients, with a goal also of educating them and helping them do things in a compliant fashion on a day-to-day basis.
And reminding them that there is a proposed rule out there. You're giving them a present state right now, and following up with them to update things when needed. And I have made changes to the policies that I help prepare for our clients related to the Cures Act as well. So obviously everybody needs to be watching the final outcome of the privacy rule. One thing we can prepare our clients for is, hey, we've been talking a lot about access, and working together not just on protecting PHI from a privacy and security perspective and a breach perspective, but also on this access initiative, and having detailed policies that people can pull out and reference when things happen. And now we need to be aware of these other laws and changes as you go forward. So trying to pull all those pieces together and simplify them in a manner that the clients can understand, and in a lot of ways the outcome of that is meaningful policies. I think the most important part is letting our clients know that the move towards ensuring that people have access to their health information is only getting stronger, and it's something to continue to be prepared for, and to help make sure your workforce is aware of it. Again, because we see so many things like ransomware attacks happening and large breaches, the natural human tendency is to kind of lock all the doors around all of your PHI, but you really have to be aware of the movement in the healthcare sector with respect to access to PHI under HIPAA as it is right now, under the Cures Act, and also under whatever the final outcome will be on the privacy rule, which we can expect to only strengthen those access rights.

Speaker 2:

Right. Yeah, you hit on one where there's a bit of a nuance that I've been thinking about of late, and that is closing the door firmly. The case that I think of is a minor who has a right under state law to consent to a healthcare process or procedure. Reproductive care is usually one of the biggies. In some facilities, when that person reaches the point in time at which that can occur, or when they have engaged in that kind of care, they slam the door to anyone else having access to that record except for the minor themselves. It's a complex kind of issue that we have to think through. The state law considerations are absolutely in play there, and a lot of other factors, like with the information blocking side of things: if you slam the door so that only the minor now has access, what happens to the parental personal representative rights to all the other information? There are a lot of factors in play. So I think it's an interesting world to continue to work in (laughs), and it's certainly not something that's going away anytime soon. But you hit on one point that I want to come back around to, and that is, you talked about setting up the policies and procedures and making sure that the workforce is aware. That's the training component. And I think that's sometimes where we get lost in the world of HIPAA: I've seen many training programs that focus on "this is HIPAA, Public Law 104-101, instituted in 1996 by..." and that's just the wrong approach for training, because the training should be about the policies and procedures that the organization and that individual have to follow. So I'll just kind of throw that out there as Wes's thought. Do you have any additional context you would add to that around training?

Speaker 3:

Yeah, and I think there's a distinction. When you're an in-house lawyer or privacy officer, you have a lot of ability to look at everything that you're doing and time it. And those of us who are now in private practice get to see what our clients want to share with us. Often we're in our own building and not where the covered entity is. So anytime somebody says, oh yeah, we have HIPAA training (laughs), I really try to get them to let me see it, because they get things from a lot of different places; it could be a document that was prepared before the 2013 changes (mm-hmm). And then if we're working on policies with them, let's follow up with training, because hopefully you've made good adjustments in the policies and you want them to really be meaningful, and training is the way to do it. Over the past year it's been more recorded or webinar, but going to the facility and sitting down with the workforce, and I do training as well, like you do, Wes, you really see that tailored training is very effective. Seeing people nod their heads, seeing the light bulbs go off, that's really how you can hopefully prevent ending up in the news, and also make sure that you're actually complying when you're wanting to. So reminding people, too, to keep copies, send reminders, and then save a copy so that you have that in your records, and what the HIPAA retention requirements are. But sometimes you see people that are training on the wrong things, that are clearly inconsistent, always require an authorization, or they're not really sending the current message on the current state of things in their training, and they're training on how to do things wrong instead of right.
I think as attorneys, whether in-house or in the private sector, taking a look at training is a really critical piece if you're doing some of that proactive work with your clients, and if they're going to do the training, that's great as well. But, hey, you might want to really hit on these important topics, and of course things like phishing emails, the "don't click the link" type of things, those things that are most prone to human error or mistakes in how they're processing things, things that people will pay attention to and hopefully take something away from the training.

Speaker 2:

Yeah. We've covered a lot of ground here in the last 30 or so minutes, and I do want to wrap us up, but before I do, I just want to ask: are there any other tools or subjects that you think are really critical to put out to the audience today?

Speaker 3:

Well, I can talk for a really long time (laughs), so I do think we hit on some of the most important things. And again, as attorneys, obviously we want to follow the regulations, but there are helpful tools, again, that our clients might not be aware of in the guidance that we should be looking at holistically, and monitoring the different compliance dates that might come out and proactively sharing that information with our clients. They can go to this website too, because there are a lot of things out there that help them implement the regulation, so that they're calling their lawyers not only if they're in trouble, or after they've made a mistake and sent something to the wrong place, but they get in the habit of looking at the guidance or calling somebody for help before they do things, which ultimately will have a better outcome for them and their patients. And so again, I think that's most important: even if you're working with clients on breach events, hey, let's talk about policies, and there's this other really important initiative out there, because we know you're terrified of breaches now, but you can't forget about these other items.

Speaker 2:

Right. I think that was a really good way to wrap it up. So with that, I'll just say to the audience that I hope there are sparks that have occurred from this podcast today that cause you to look at how you're advising your clients and what you can do to help them do the right thing and not just do the legal thing. There's sometimes a subtle difference between those two states. And Joy, I want to thank you. It was a real pleasure to spend this time talking with you again, and let's do it again sometime.

Speaker 3:

Yeah, I'm glad we were able to connect, and I appreciate you having me participate today.

Speaker 2:

All right. Well, on behalf of Joy Easterwood from Johnson Pope and myself from Clearwater, I thank you, and on behalf of AHLA, I thank you for your time today. So long, and have a great day, everyone. Bye now.

Speaker 3:

Bye.

Speaker 1:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.