
October 31, 2025 43 mins

Compliance officers and privacy leaders are facing a rapidly changing health care landscape, including new state laws, evolving federal guidance, and heightened expectations for data breach preparedness. Melissa Andrews, Senior Manager of Consulting Services, Clearwater, speaks with Roy Wyman, Partner, Bass Berry Sims, about what makes an effective compliance program, how organizations can overcome emerging challenges, and practical steps leaders can take to strengthen their compliance posture going into 2026 and beyond. Sponsored by Clearwater.

Watch this episode: https://www.youtube.com/watch?v=DwGqmz6Knaw 

Learn more about Clearwater: https://clearwatersecurity.com/ 

Essential Legal Updates, Now in Audio

AHLA's popular Health Law Daily email newsletter is now a daily podcast, exclusively for AHLA Premium members. Get all your health law news from the major media outlets on this podcast! To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.

Stay At the Forefront of Health Legal Education

Learn more about AHLA and the educational resources available to the health law community at https://www.americanhealthlaw.org/.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:04):
This episode of AHLA Speaking of Health Law is sponsored by Clearwater. For more information, visit ClearwaterSecurity.com.

SPEAKER_01 (00:16):
Welcome to American Health Law Association's Speaking of Health Law Podcast. I'm Melissa Andrews, Senior Manager of Consulting Services at Clearwater, and I'm your host for today's discussion. As a compliance officer, I'm excited about today's discussion. Compliance officers and privacy leaders are caught in a rapidly changing landscape. We have new state laws like the Texas EHR law.

(00:39):
We have evolving federal guidance and heightened expectations for data breach preparedness. We focus on building and maintaining effective compliance programs in today's healthcare environment, including the need for better visibility in how data flows into an organization, how it is used, and how it is shared. Joining me today is Roy Wyman, a partner of Bass Berry Sims.

(01:03):
Roy brings deep experience advising healthcare organizations on compliance, privacy, and regulatory issues. Roy has agreed to let me pick his brain on what really makes an effective compliance program and how organizations can overcome emerging challenges and practical steps leaders can take to strengthen their compliance postures as we prepare for 2026

(01:26):
and beyond. Thank you for joining me today, Roy.

SPEAKER_02 (01:29):
It's a pleasure.

SPEAKER_01 (01:32):
So I'll just go ahead and jump in. So, Roy, what's driving the heightened focus on compliance programs today? Are you seeing this more from regulators, payers, boards of directors? Where is this coming from?

SPEAKER_02 (01:48):
Everybody, it seems like. Boards of directors, for a while, this has now been on their list of things to worry about.

(02:09):
But I think where we're really seeing some new pressure is from patients, customers, and plaintiffs' counsel that have figured out they can make money off of this stuff. And sometimes it's, you know, very serious claims around real uses of data in the healthcare space that are pretty

(02:30):
problematic, all the way down to we're seeing now we'll have four, five, six clients receive the exact same letter from the exact same plaintiff or plaintiff's firm. So I think that's really what's changed is you've got a lot more engagement from potential plaintiffs, as well as a lot of new theories around liability that just weren't there in the

(02:52):
past.

SPEAKER_01 (02:54):
Interesting. So I know the Department of Justice, the Office of Inspector General, and the U.S. Sentencing Commission guidelines each kind of emphasize what an organization, specifically a healthcare organization, needs to establish that effective compliance program. Can you kind of elaborate on the foundational elements that every

(03:17):
healthcare organization should have in place to kind of ensure that they have that effective compliance program that the regulators are looking for?

SPEAKER_02 (03:28):
Yeah, happy to. And thank you so much for how you frame that. Because I think sometimes, especially for in-house counsel that maybe haven't dealt with compliance quite so much, there's this feeling like you're just sort of making it up as you go or winging it. And that is absolutely not the case. But sometimes because there isn't a specific statute maybe

(03:48):
that lays out some of these things, it can feel a little more squishy. But there absolutely are standards and guidelines for how a compliance program should be set up. And you named some of the really important ones. One that I go to a lot on kind of the bigger process that is not necessarily the substance of what you're going to look at,

(04:11):
but just in general compliance programs, is the sentencing guidelines. And it's scary to think that we're looking at sentencing guidelines, but you know, that's where it kind of comes from is corporations can be criminally liable for some of these things, as well as individuals in them. And so these sentencing guidelines lay out some things that entities really need to think about and make sure are in

(04:35):
place in setting up a compliance program. One is just in general, having standards and processes in place. This is how we do these things. So, for example, we've got a new use case for data, or we've got a new way of billing. Who signs off on that?

(04:57):
Is there a written document and policy doing, you know, handling that? Second really important one is do you have high-level individuals involved in that process? Every level of responsibility down from the C-suite is kind of taking a step back of how seriously it would appear to a

(05:17):
regulator that you're taking these issues. So you want high-level individuals involved with compliance. Beyond that, you need a lot of training and education of individuals, particularly employees, and making sure that contractors are getting that sort of education, communications, disclosures, make sure that there's a reporting. Things like hotlines are really great.

(05:41):
Now, one that gets underrated but is critical to me is having a sanctions policy. If you break our rules, if you break our policies, there are real ramifications. And we don't care what level of employee you are, we're going to apply those across the board. If you don't have that, you really don't have an effective

(06:02):
compliance program. One that we'll probably end up talking about quite a bit, my guess is that you really should be monitoring your compliance program, auditing it, figure out where your weaknesses are and looking at those, and then responding to violations, if there's any issues. And I think the most critical one of all is

(06:25):
regularly, usually every year, assessing what are our risks and what are we doing to mitigate those risks.

SPEAKER_01 (06:33):
So that's when you answered that next question of what is the one that you think is the most important, and you feel that's that risk review.

SPEAKER_02 (06:41):
I absolutely do because what that does is it creates a cadence and a culture of we know, oh, okay, it's, you know, August. We know that there's going to be a new, you know, risk assessment or new policies coming out, or that's when we do our training. But the folks within the organization start to learn

(07:03):
about it, and that's how you identify okay, we're doing something new. What's the risk? Or there's a new regulation out, or there's a new attack vector that all the cool hackers are using these days. We better get on top of that. Those sorts of things that make sure that you really have

(07:24):
that culture of compliance.

SPEAKER_01 (07:27):
No, I agree. And one thing that I think I've seen a lot of, and I'm sure you have too, is compliance really is an organizational function. It's not enough to just kind of have that narrow scope. Compliance really does need to be involved in the entire organization and what the strategic plan is as it builds and grows to be able to define the risk that you're talking

(07:51):
about and wanting us to identify. How are we starting to see an increase in the regulatory enforcement actions that highlight the importance of the organizational compliance programs? And kind of what are some of the gaps that you're seeing that are

(08:11):
being identified in those enforcement actions?

SPEAKER_02 (08:14):
Yeah, I'm seeing a lot of the usual suspects, you know, anti-kickback, you've got false claims, all of those things. My favorite thing to talk about though is IT. What's your information? What's your data? And we're really looking at that and your systems.

(08:34):
And I'm not just because I'm a privacy and data wonk, which I am, I admit, but also because when you look at some of these other things, oftentimes what leads to the problems isn't that somebody just doesn't get it, it's not a lack of education. Sometimes it's just bad programming, bad software.

(08:56):
And so you'll have FDA rules around prescribing, you'll have rules around the anti-kickback statute or whatever, but for whatever reason, things slip through the cracks. And so keeping a hold of your data and security are really important. And I'm seeing a lot of actions where folks did not monitor

(09:20):
their uses of data or understand where it is sufficiently, and that just creates a world of hurt, really.

SPEAKER_01 (09:28):
Yeah, I'm seeing it a lot also in reference to the False Claims Act, where organizations are making these claims that they know where their data is, they know who's using this, they know where that's going, they're making these false claims to the federal government, and now they're getting hit with a False Claims Act violation because of those false statements, which is not something you hear about a

(09:51):
lot, but it's been picking up quite a bit. So, yeah, let's talk about the data mapping and all of that data that we're talking about. Can you explain a little bit about what data mapping is and why it's important to an organization?

SPEAKER_02 (10:11):
Yeah, and I think your last point that you just made is really critical in this, in that more and more regulations are saying not only do you need to know where all that is, but you need to have somebody at a high level certify certain things around that. And so the traditional sort of what we call a spaghetti chart

(10:34):
of, you know, here's all the servers, here's all the monitors, we know where all of the equipment is, therefore we're okay, is not a data map. What we're really talking about, a data map is substantively knowing here are the categories of data that we collect. You know, we may have PHI, we have employee records, we have

(10:55):
marketing, we have, you know, our subcontractors list, we've got all of this data and we know exactly the types of data that we're collecting. And so for each of the categories, where do we collect that? Is it from the individual? Is it from a data broker? Is it from a client? Is it from a vendor?

(11:16):
Where do we collect it? How do we collect it? And you know, as we get into this further, once you kind of know that, then you can look at things like okay, do we have contracts where we need them? All of that. But the data map itself is going to show all of those assets and those processes. So we've got the information coming in, it's stored on these

(11:37):
servers. We know what we do with the data. What are all of our use cases for each category of data? Where is each category of data stored? Where is it used? How do we manage it? And then with whom do we disclose it? And those disclosures are a big part of it, too, so that at each step of it, we know all of the different types of

(12:01):
processing around it. And I think this is really critical to understand, and it's a lot to swallow for some folks who haven't done this in the past. Like, oh my goodness, are you serious? But it really is critical because whatever you're doing, if you, for example, have a privacy notice, and almost all

(12:25):
of the folks listening to this will have a privacy notice on their website, and it is not accurate, that becomes an FTC violation because you have made a material statement or omission that just simply isn't true. And that will get you in a world of hurt very quickly.

SPEAKER_01 (12:46):
You make a very good point. A lot of times when I'll go into organizations to review their compliance program, one of the questions that I do ask is do you have a data inventory and do you map that data? And a lot of people don't know the difference between the two. They will hand me this document, be like, these are all the

(13:08):
systems that we have that may have PHI or data in it. And I'm like, that's great, but so just to kind of clarify things because those terms are so similar, can you explain the difference between what a data map is and what a data inventory is?

SPEAKER_02 (13:27):
Sure, and how I would think of that is a data inventory is going to list out the data that you've got and maybe where it is. Whereas a data map is really following each of those so that we understand, for example, the use cases involved.

(13:48):
So it's one thing to know that this data is on server X. It's another to know how you collected that and whether you can then go back in. And if I've just got an inventory, I don't necessarily know what contract and what contract provisions I need to

(14:09):
have around that data. But a full data map is gonna let you put your arms around not only where the data is, but who can access it, to whom it's disclosed. And then you can track your compliance. So it's not just inventory, but it's also systems and the

(14:32):
broader picture.

SPEAKER_01 (14:35):
That makes sense. So a lot of times when we talk about data and technology, people focus in on that cybersecurity, which I think every organization, that's one of their top risks, is cybersecurity. But as a compliance officer, sometimes we forget to include

(14:57):
the things that are more technical and those kinds of aspects, like what you were just describing: the where is the information going? How did we get that information? What's the purpose of the information? When you're talking to compliance officers, what is kind of the main thing that you tell them?

(15:18):
This is why, as a compliance officer, you really should care about all of these things that we're talking about.

SPEAKER_02 (15:26):
Yeah. So if you've got data or use cases out there that you don't

(15:47):
know about, that is your number one risk because there's no way to control for it. On the other hand, the flip side of it is whatever is measured is transformed, is improved. So the more that you can understand the data, the more

(16:09):
you can improve your processes so that you don't have things like missing business associate agreements. So you don't have data that's getting out in ways you didn't know. I've seen examples with clients where, you know, they simply did not know that there was a certain level of documents going out or information going out, even PHI

(16:33):
being sent out to third parties that nobody had any idea about because somebody thought it was a good idea. And so it's critical to have those processes in place to make sure that you can monitor that. But you can't monitor it if you don't know it's there. And so that's really what I'm pushing is just know what's

(16:53):
there.

SPEAKER_01 (16:54):
Yeah, and I'm gonna jump to something you had just kind of pointed out in the you have these third-party vendors, you're sending data to them, and sometimes compliance professionals are not always involved in that contracting process and what goes where. And then we hear about these major breaches.

(17:15):
You know, the Anthem breach, the Change breach, you know, all of these things that happen. Can you kind of point out why in those types of situations, it's really important for compliance professionals to understand that data mapping process and where that data came from and who has

(17:36):
it?

SPEAKER_02 (17:37):
Well, rather than talking about the breaches that happen, or the downside, let me kind of give you some examples because more than once I have gone through the data mapping exercise with a client, and they go from not really knowing where their data is to having a really

(17:58):
good idea of it. And in some cases, I've had clients that then got hit with ransomware, where maybe, you know, a shared file or whatever got hit, and they've called me up and said, you know, Roy, I really don't need anything. I just wanted you to know we got hit with a ransom note that said, we have this server under control.

(18:20):
They sent what they call proof of life. You know, they sent some files from that showing that they had it. And the client said, we had done a data map. We knew there was absolutely nothing valuable on that server. So we told them to go away and never talk to us again. But if they had had that ransomware hit, say a month

(18:41):
earlier, before their data map was complete, they would have been completely lost. And they would have ended up shutting down systems, setting up firewalls that they didn't need, doing all kinds of things and potentially paying ransoms and notice to individuals that just simply weren't required because they didn't

(19:02):
know what they didn't know. And so having that data map in the event of an incident is critically important. In addition, it tells you what systems really need deeper protection. You know, we're no longer in a world where you have one set of security protocols for your entire set of data. That's wasteful.

(19:24):
And you're misspending resources. So you find where is our real critical data, our very sensitive data, and we build deeper security around that than we would with some of our other. So it saves you money, it saves you headache, and it keeps you

(19:45):
from having a lot of false positives where you're sending out notices that you really don't need to send.

SPEAKER_01 (19:52):
That's actually pretty great. Very rarely does compliance ever get to say, we're gonna reduce the cost of something, we're gonna save you money. So that is a really great example of paying a little bit more attention on the front end can really save you on the back

(20:12):
end because these days it's not an if it's gonna happen, it's a when it's gonna happen. You're eventually gonna get hit with something. And to not have to notify thousands of patients, to be able to confidently defend yourself to that regulator by saying, Look, we have our data map that shows they didn't get anything.

(20:37):
That's a pretty good defensibility. And then of course, to be able to save the money and not have to have this massive security on all of your systems.

SPEAKER_02 (20:49):
Right.

SPEAKER_01 (20:51):
So I know speaking of all of those systems, you know, we're in the world of cloud, you know, adoption and everything. We have all these third-party vendors that store our data, that create our data, that do all kinds of things for us. And they have, I mean, they're great, they make life easier for us, but they also are a huge vulnerability to us.

(21:15):
How can or how should compliance programs handle those risks effectively when it comes to handling those data and paying attention to where all of that data, who has it and what are they doing with it?

SPEAKER_02 (21:35):
Yeah, that's a great question. And it's kind of a tough one in a way. And there's some nuance to it that you wouldn't expect. Like, you know, the obvious answer is just, you know, contract the heck out of it, monitor them, know everything they're doing. Unfortunately, the world isn't quite that simple. And for some of these larger, you know, you can go all you

(21:59):
want to AWS and say we're gonna audit you every year, and they're gonna tell you, okay, here's a list of other vendors you can use because you're not gonna use us. So it's just not as simple as just watching over them. Plus, that's a huge use of resources, and most of the clients that I work with simply don't have the resources to

(22:20):
monitor every single vendor. So you put your emphasis on areas where there's gonna be some payback. And I think that's on the front end. So having a strong vendor assessment process at the very start, you know, having a security questionnaire for them to complete, or if they have some sort of certification

(22:43):
really looking at that. So that could be, you know, NIST or something like that. Taking a strong look at that and identifying any risks on the front side. Then for any risks that are identified, you know, sometimes you can just say, no, that's too big a risk, we'll use somebody else. But a lot of the time you're gonna say, you know, that's

(23:04):
within kind of standard, we get it. You know, maybe it's a younger company. We're gonna monitor that. So then you build into the contract. We want you to report to us your progress on these steps during this, and so we can keep an eye on that, but you can trust them to that degree.

(23:25):
I think it's important to note here that for most of the regulations we're talking about, there is no responsibility to go in and audit them every, you know, so often. In other words, if they violate the law, they're liable for that. And you may be liable to the extent that you lose data and all of that. But you don't have to go to the extent where you are

(23:49):
second-guessing everything they do. You have some ability to trust that, you know, to a reasonable extent that they're doing what they're gonna do. And then you have them report back on the things that, you know, didn't look so great and really start pushing them for things like certification. So you have those third-party auditors that are looking at

(24:12):
them, that you can then see, yes, they've been certified. You can show you've done your due diligence on it. And then the big thing really is I would say get contracts in place that have strong representations and warranties, don't have a lot of limitations of liability provisions that are, you know, too much, really negotiate the heck out of it to

(24:33):
make sure that you're protected. And the other thing I'll say too, and this is kind of a new thing for most folks, is making sure you've got language in the contracts that say you will participate and help us on our data processing impact assessments, our protection assessments. So when we assess the risks to our own organization, you're

(24:56):
gonna give us the data that we need to do that. You're gonna help us with our cybersecurity audits. If we have, you know, ISO certification or whatever kind of certification, you will respond to our third-party auditors on those. So those sorts of contract provisions that really give you some ease that your vendors know what they're doing and that

(25:16):
they're complying with the law.

SPEAKER_01 (25:18):
That is a great piece of advice. That's very insightful. So it wouldn't be a conversation if we didn't bring up AI. It's kind of everywhere, and I've seen it everywhere in healthcare. Everything from AI scribes to, you know, the ChatGPT and

(25:44):
the copilots and all of those things that help you do the work for you. I've seen health plans that are using it to determine eligibility and all of those types of things. I've also seen where they will sometimes request to use

(26:06):
our data to train their tool, you know, as a third-party vendor so they can get better. And I've seen those kind of clauses sneak into contracts and business associate agreements and all of those kind of things. I'm just kind of curious from your standpoint, because the Department of Justice has even called it out and said they're

(26:28):
paying attention to it, what do you view to be some of those higher risks that organizations should be doing to pay closer attention to it? And then what can they do to kind of mitigate some of those risks?

SPEAKER_02 (26:41):
Yeah. And maybe I should talk about this sort of from highest level down. So at the highest level, you bring up a great point about training of AI. Everybody, you know, loves the output, they love to be able to use AI for things like chatbots.

(27:01):
The reality, though, is that those AI do not come from nowhere. They are trained on somebody's data. And if you don't know otherwise, it's probably being trained on yours. Now, I will also say though, that there are real risks in allowing AI to use information, especially anything like PHI,

(27:27):
employee information, any of that, in order to train their systems. Because once it's in that AI training database, it's sort of there. You don't know what they're going to do with it. And there are some risks of disclosure, of violation of regulations, all of that. So, strong recommendation is if you can enter into an agreement

(27:51):
with an AI provider that will say, we will not use your data for training our AI or any future systems. And sometimes that's under the guise of training. Sometimes it will be discussed as use of derivative data, data taken from the data that you gave us.

(28:12):
Whatever the terms are, you need to have really a close look at that by somebody who specializes in AI, saying, okay, yes, we understand the IP ramifications, who's gonna own that data? And we understand how it's gonna be accessed and used and how that training of AI is gonna happen.

(28:34):
And then stepping down a little bit from that broader area is how are we actually using that within our organization? You know, is it a large language model, LLM AI? Is it a chatbot? Who's accessing it? Who's using it? How are they relying on it? Because there are a lot of regulations out there now that

(28:56):
are really aiming at this. Colorado has a statute specifically around AI. If you're global, EU AI regulations, but I'll also note California just last month came out with regulations around automated decision-making technology. And even though they didn't say, okay, this is AI, it pulls in

(29:19):
all AI and it pulls in a lot of other things as well, where it's like payers making decisions around what to cover, what health care is going to be provided. Those sorts of decisions are ones that substantively could, you know, be pulled in. You know, there's some questions around is that going to be protected because it's PHI under HIPAA?

(29:42):
That's other conversations. But I would say for entities looking at these kinds of systems, just assume that if there isn't a regulation on it now, there will be shortly, and start building in those processes so that at the individual level, they understand what's appropriate use of this from the marketing

(30:05):
department, from other departments, as well as just individual users, so that we don't get overly reliant on it. And I like to think of this as, you know, there's lots of cases where if you are just relying on the technology, you're okay. If you're just relying on humans, you're okay. But when you get a blend of technology and human use, that's

(30:29):
where a lot of times you have the biggest disasters. And there are cases of this in trains, in planes, in automobiles, and all the other movies out there, you know, where just the technology and human users don't interact well because they're, you know, coming at it from different places with different languages. So at every level, think about how is AI going to impact us and

(30:52):
what can we do to mitigate some of those risks.

SPEAKER_01 (30:55):
Yeah, those are great points. You did bring up something that I want to kind of jump on, is you talked about the state regulations. I have noticed a huge uptick in states coming in and kind of stepping up and making these different regulations and different enforcement actions, everything on, you know, to your

(31:18):
point, AI. I've seen how you can use individual data, how they classify all the different data, Texas just broadened their, you know, two cents on these regulations. You mentioned Colorado, California always does, Florida does.

(31:38):
How have you seen kind of in this world of where a lot of businesses are in multiple states, some of them are in multiple countries? How do you, when it comes to dealing with data, kind of handle that patchwork of the different states and the different laws

(31:59):
and the different regs?

SPEAKER_02 (32:02):
Clumsily. It is rough. And so we have clients on the entire spectrum. I've got some clients where they've basically decided we're gonna take the worst of every statute, kind of build that into our compliance program.

(32:22):
And a lot of times these are global companies where they'll say, we're gonna comply with GDPR, we're gonna comply with the big US states, we're gonna comply with a few other statutes, maybe if they're big in Canada, PIPEDA or something like that. And basically have one compliance program across the board. And there may be a weird, quirky law somewhere that we're not

(32:44):
gonna quite hit, but that's a risk we're willing to take. And so they have one size fits all sort of compliance program. At the other end, and sometimes companies that are just as big or bigger will say, no, we're going to have a separate compliance kind of process for each state and each country that we're in, and really provide what's required by the law, but

(33:10):
it's not going to be a one size fits all. And it's getting harder and harder and harder to kind of meet all of the requirements for all of them. But I think you have to start with a baseline. So, you know, if you were there for HIPAA, you're there for, you

(33:31):
know, Gramm-Leach-Bliley or whatever it is, and then you're there for California and Colorado and Virginia, you've got a good base, you can build from that. If you don't have any of those, we can kind of start you out with it. And then, but you have to stay aware of each law that's coming out, each new regulatory guidance, so that you make sure

(33:52):
that you're building in the new pieces of it. Like I mentioned, the California regulations. Anybody subject to CCPA, they're gonna have to pay attention to this and put some new processes in place. And so it does really become an ongoing process. And that's again emphasizing that need for a regular

(34:13):
iteration of okay, every year we look at our risk, every year we set up new processes, but also have the flexibility of, oh my goodness, we've got a new one. We don't have 12 months, we've got until the end of the year. Let's get on it.

SPEAKER_01 (34:29):
Yeah, it's a lot. It's a lot to take in. That's why it's great to have resources to be able to kind of use, to reach out to, to kind of get that type of guidance. As a compliance officer, we are not decision makers. We kind of look at the totality of the organization, we identify

(34:54):
risk, and we kind of work with the resources that we have. We provide guidance and we do all of those kind of fun things. So if you were advising a compliance officer of, let's say, a mid-sized healthcare organization that does not have all the resources in the world, we're gonna speak realistically

(35:18):
here. Where would you recommend the compliance officer focus their energy and their budget first?

SPEAKER_02 (35:29):
Yeah. That's a great question. And let me just note too, I think it's valuable to point out, I always use sort of a return on investment approach to things. So if you've got a problem that would cost a million dollars to fix, and there's a 10% chance of it happening,

(35:54):
then you want to invest$100,000or less.
You don't want to invest amillion dollars to fix a$100,000
problem.
With that said, there arecertain things that are just
sort of baseline fixed costs.
There's nothing you're gonnahave to do, there's nothing you
can do about it.
So you're just gonna have to dothat.
And the ones that I would saysuggest is really again building

(36:16):
into that infrastructure of aregular rhythm of risk
assessment and management.
That's the first place I wouldlook so that you know what you
need to know and where are yourrisks.
Uh, next, I would look at whatsort of standards or
certification can I get to makesure that I'm complying.
So if I am a covered entity or abusiness associate, baseline you

(36:40):
got to have HIPAA and meet theHIPAA security standards, the
privacy standards.
And then I'd be looking atthings like ISO, NIST, high
trust, even internal audits, butthat are pegged to those
standards are going to behelpful.
Um and then maybe even numberone I would put on here is know

(37:02):
what's going on.
So have a process so thatanytime marketing comes up with
a great new idea, they run it bycompliance and legal.
So you know, okay, legal'slooked at this, they've blessed
it.
Now we have built in a processfor compliance to monitor it so
that it works the way that weheard it was going to work.

(37:27):
And part of that is investing inthe those data processing impact
assessments, knowing what'sgoing to happen, what are the
risks, how are we mitigating it.
And then compliance can dosomething like an audit function
of really watching andmonitoring that those use cases
are being carried out in a way,and uh big emphasis on education

(37:52):
and training for those that aretouching that data.

SPEAKER_01 (37:56):
Yeah, so looking in your crystal ball into the
future, um with this administration and maybe a
little bit beyond, how do you see compliance programs and the
compliance function kind of evolving, changing, growing?

SPEAKER_02 (38:17):
Yeah, I think we're going to see more
automation in businesses overall and in compliance as well.
And that is going to create some of that disconnect I was talking
about before between the automation and the humans and
that human agency involved there.

(38:39):
So I think one of the areas where I'm going to see, I
believe, a lot more pressure and points of potential failure is
around marketing tools.
Uh, and we're already starting to see it now.
Uh tracking technology, cookies, uh, clear GIFs, those sorts of

(39:00):
things.
Um and uh, you know, apps and the SDKs that are involved with
those apps are ones that have been great ways to drive new
business, but are undergoing a huge amount of scrutiny right
now, including a ton of lawsuits by plaintiffs.
Uh, and so you're gonna have more pressure uh on marketing to

(39:25):
try and find new ways to drive the same amount of business.
And that could lead to taking bigger risks.
But my hope is it's gonna lead to greater creativity and new
ways of doing it that don't drive so much concern around
privacy and security.
Um, I think there's gonna be a lot more regulatory requirements

(39:48):
around monitoring, monitoring third parties and vendors.
Um and I think um you're gonna see a lot more regulations
coming out with private rights of action.
And I think that that always gets everyone's attention
because you've just ratcheted from okay, you're gonna pay X

(40:08):
dollars per violation to you've got potentially a class action,
thousands, even millions of individuals in there, and you
have no idea what sort of cap is on that.
And we're looking at liability now for some you know larger
tech companies in the billions.
So it really does just blow it all up.

(40:29):
So I think you know, the things that I would put in um as things
to do is engage your client, engage marketing, engage IT,
engage the C-suite, let them know what's going on and make
sure that you're getting input from them.
Uh educate your folks and monitor, monitor the heck out of

(40:52):
what's going on to make sure that the information you've got
stays relevant and is uh up to date.

SPEAKER_01 (41:00):
That's great.
Um thank you so much for sharing your insights with me today.
Um, I think we covered a lot.
Um and I think you ended there with some really great kind of
takeaways that I think compliance officers uh should
really be paying attention to, some things that we don't always

(41:22):
get a chance to pay attention to.
Um anything else, you know, as we round out um our conversation
that you really wanted to kind of point out or last-minute
recommendations?

SPEAKER_02 (41:37):
Uh take advantage of the resources out there.
Um AHLA is a fantastic source.
So I would say, you know, look to them, you know, listservs,
uh, their regular meetings, all of that is great.
And I don't say that just because they're you know the one
doing this, but you know, I really use them a lot.

(41:59):
Uh on privacy and security specifically, I would look at
you know, International Association of Privacy
Professionals, IAPP is a great resource.
Their website has great resources.
Uh for state laws.
Uh, actually, um, Bass Berry Sims, my law firm, we have a map
that shows all of the relevant state laws.
So you can go there, click on a state, and it will have all of

(42:22):
our client alerts.

SPEAKER_01 (42:23):
Wonderful.
Well, thank you so much again, Roy.
I really appreciated this conversation with you.
And of course, thank you to AHLA for allowing us to have this
conversation.
Um, again, I'm Melissa Andrews with Clearwater, and thank you
guys so much.

SPEAKER_00 (42:42):
Thank you.
If you enjoyed this episode, be sure to subscribe to AHLA
Speaking of Health Law wherever you get your podcasts.
For more information about AHLA and the educational resources
available to the health law community, visit
AmericanHealthLaw.org and stay updated on breaking healthcare industry

(43:03):
news from the major media outlets with AHLA's Health Law
Daily Podcast, exclusively for AHLA comprehensive members.
To subscribe and add this private podcast feed to your
podcast app, go to americanhealthlaw.org slash
daily podcast.