Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_01 (00:04):
This episode of AHLA Speaking of Health Law is sponsored by Clearwater. For more information, visit ClearwaterSecurity.com.
SPEAKER_02 (00:17):
Welcome everyone. My name is Andrew Mahler. I'm the Vice President of Privacy, Compliance, and Audit here at Clearwater. And very excited that today we're talking about a topic that's usually found very high on risk heat maps for anyone working in healthcare and tech. And that's this topic of vendor relationships and data breaches.
(00:40):
Really fortunate to have with me today Shaylin Watkins, who's an associate at Holland & Knight. She's truly an expert who brings deep expertise in health law and privacy and the practical realities of working with vendors. She spoke about this topic during a presentation at AHLA's 2025 annual meeting in San Diego, which was called The
(01:01):
Complexities of Managing Vendor Relationships, Practical Strategies for Navigating Data Breaches in a New Age of Data Privacy. Shaylin's also the vice chair in AHLA's behavioral health practice group. In this conversation today, I'll ask Shaylin a bunch of questions about this topic and, leveraging her expertise, will unpack how
(01:24):
healthcare organizations can better manage vendors, respond to related data breaches, and navigate the evolving legal and risk landscape. From HIPAA to HITECH regs to recent lessons learned from high-profile cases, we're going to get a firsthand look from Shaylin about how industry leaders and their counsel are
(01:44):
looking to protect data and manage risk. Shaylin, really I'm thrilled to be speaking with you. And, you know, I just would love if you just start off by maybe telling us about your role and why this topic is so central to your work.
SPEAKER_00 (02:00):
Yeah, thanks for that intro. It actually makes me feel like I'm way better than I am sometimes. So I love that. Yeah, I work at Holland & Knight as a senior associate in our healthcare regulatory enforcement practice group. And a big subset of the clients that I represent, especially, are
(02:20):
telehealth companies and telehealth platforms, but I also work with plenty of different provider types, hospital systems, health systems, laboratories, and other vendors, which is something that I think is really applicable to the topic we're talking about today. In my past life as a lawyer before I came to Holland & Knight, I
(02:43):
also worked at the US Department of Health and Human Services in the Office of General Counsel as an assistant regional counsel in one of our regional offices. And in that role, I actually represented OCR, the Office for Civil Rights, which is the agency that promulgates HIPAA, which is a lot of what we'll be talking about today. But at the same time, there's so many other things happening
(03:05):
since my long stint back in the day with OCR that I think is going to be fun to talk through in this podcast.
SPEAKER_02 (03:12):
Yeah, thanks for sharing that. And yeah, just excited to, you know, to your point, you know, things just seem to change, you know, day to day, let alone, you know, year to year. So for those listeners, and you mentioned OCR already, but for those who maybe aren't as familiar, I'm sure many, many are, can you speak a bit about how, you know, HIPAA
(03:36):
shapes an organization's, you know, responsibilities related to managing vendor risk?
SPEAKER_00 (03:42):
Yeah, especially for large organizations, HIPAA is usually the first thing we're talking about because it transcends state lines, right? We're talking about anyone who is involved in a healthcare organization for the most part. And if you're billing insurance or you're getting some sort of federal financial assistance through your practices, or if
(04:04):
you're contracting with someone who is a HIPAA-regulated entity, you're gonna fall in this bucket requiring you to have HIPAA compliance. And I think for large scale, you know, when we're talking about just creating a compliant health system, privacy and security becomes a huge chunk of that because HIPAA violations, as you know, Andrew, and we work with Clearwater all the time in our
(04:26):
firm. Our clients realize that there is a big financial impact if you have a HIPAA violation. And sometimes that financial impact can get up to treble damages. Also, an investigation when you're dealing with HIPAA-regulated entities can get so intense, it also involves sometimes, you know, grand consequences like referrals to
(04:51):
other agencies, OIG, DOJ, and even sometimes to CMS, which could put Medicare funds at risk. And for a lot of these organizations, Medicare and Medicaid are some of the highest payers that are coming in to their organizations. So it's really important and critical that we're thinking about the most important element of some of this,
(05:15):
which it always kind of comes down to privacy and security. And I think another thing that makes HIPAA so critical these days is the fact that we're kind of in the age of this kind of new tech wave, right? You know, you watch TV and there's always a hacker of some sort. There's a robot that can do anything and everything.
(05:36):
We know that none of us could probably live without our smartphones in our hands. We just have so much more access and ability to get to things, which makes everything that we're doing a higher risk for those who might be looking to fish out really protected information.
(05:57):
And likewise, when we're talking about kind of why HIPAA becomes the backbone of a lot of our compliance issues, it's because then every state, for the most part, has its own kind of baby HIPAA law that, you know, has a little nuance about what needs to be happening. And then even outside of the baby HIPAA laws, there is now this new wave of health data information privacy laws that is
(06:21):
sweeping the nation, right? You know, you go to Colorado, you come here to California, and many other states, data privacy is so critical that states are also looking to show examples of why they're important, they're creating these laws. And so their enforcement metrics are just really high priority
(06:46):
right now.
SPEAKER_02 (06:46):
Yeah.
unknown (06:47):
Yeah.
SPEAKER_02 (06:48):
And it's, I mean, it's to your point about privacy. I mean, in this world of data sharing and, you know, whether it's, you know, data sharing related to, you know, interesting tech or for, you know, your robots running around your house or your city, data sharing for, you know, other types of reasons, that risk just continues
(07:09):
to evolve as we're, you know, living in such an interconnected world. And, you know, I know that, you know, again, many listeners are probably familiar with the concept of business associate agreements, but, you know, can you talk a little bit about how that, you know, fits into vendor management and maybe some of the most common pitfalls you see in BAAs, whether it's drafting or
(07:31):
acceptance or negotiation?
SPEAKER_00 (07:33):
Yeah. So I think the BAA is the thing that is the first thing we all want to look to in any situation, whether you're a regulator, you're a party to the BAA, you're an outsider who wants to maybe purchase a company, you look to see what are your obligations in the event of one of these inevitable breaches.
(07:53):
And because of that, I think that's kind of why BAAs become a critical point here. Now, there's also the fact that HIPAA requires you to have a BAA, right? So I would say when you talk about pitfalls, if you're a covered entity and you don't have a BAA in place, but you're giving out information to any of your business associates, then
(08:16):
you're already in violation of HIPAA. And therefore we have a big red flag. So not having the BAA is probably one of the biggest pitfalls. But I'm seeing that less and less often. In fact, sometimes I'm seeing the converse where some people just slap a BAA on everything. And there's times where you don't need a BAA at all because you're not actually transmitting any protected health
(08:37):
information. And so I think a big thing that we discussed in our presentation was the pitfalls that happen in the middle of that spectrum, the over-BAA to the under-BAA area. And for basic understanding, a business associate for the purposes of this discussion is anyone that a
(09:02):
covered entity or another business associate is sharing protected health information with. And to remove nuance, I'll just make it kind of simple for the purposes of carrying out the business that is being organized under the service agreement that's overly.
(09:22):
And one thing we really noted was an incomplete BAA is just as bad as a non-existent BAA. And furthermore, a BAA that hasn't been updated is sometimes just as bad. These are some of the biggest things that we're seeing with
(09:44):
our clients because, you know, if you have an ongoing relationship with a party who's your third-party vendor, and you've had this relationship for 20, 30 years and HIPAA and HITECH undergo, you know, revisions, you might be missing some new changes. For example, you know, as lawyers, we try to keep up to
(10:05):
date and tell our clients, but there's a point in time where we're like, hey, there's about to be a new NPP requirement rolling out in 2026. So we need to make sure all of our clients are aware that there's this new requirement for updating your notice of privacy practices. And because of the fact that you have to be up to date with
(10:26):
different changes that are happening over time, it's really easy to forget to add those review cycles in your day-to-day if you're in-house. It's easy for me to put out another article and say, hey, don't forget this is happening. It's easy for me to call my clients and say, oh, by the way, I saw this. But the interoperations of an organization, sometimes
(10:51):
you're just not really thinking about some of the mundane. And back to the idea of an incomplete BAA. There are some times where we've seen that the BAA won't necessarily address all of the different circumstances as to which, you know, data might be transmitted and/or lost inadvertently or, you know, purposefully.
(11:13):
And that leaves a gap when you actually face the data breach, right? So something happens and the BAA doesn't address that situation and everybody's got their hands in the air and like, whose job is it to deal with this? Is it the business associate's job? Is it the covered entity's job? When was notice required?
(11:34):
Little pieces of the puzzle that are critical when you get to those big breaches, which I'm sure we'll talk a little bit about.
SPEAKER_02 (11:42):
Yeah, I, you know, and I agree with you. I mean, we frequently see, you know, incomplete BAAs, we'll see BAAs that, you know, haven't been updated to comply with HIPAA, but some BAAs that haven't been, you know, I think to your point, updated to even really reflect what the services are. And then we see some cases where, you know, maybe
(12:05):
the business associate has drafted their own version of a BAA and is allowing, you know, themselves to do a lot with the data that maybe the covered entity no longer feels comfortable with. You know, we see, you know, things like the business associate can de-identify, you know, PHI for its own purposes. And, you know, some might argue that that may not be a
(12:27):
legitimate, you know, purpose of a business associate relationship. And so we see that too. So I think, you know, kind of as, not to jump too far ahead, but I think as we sort of are, you know, talking about best practices at the end, I mean, I think this is just one that probably will flow throughout the conversation today. It's like, you know, are you reviewing it regularly?
(12:49):
Do you really feel comfortable with your template? Do you feel comfortable with your agreements? Is somebody on point, particularly for those high-risk, you know, vendors with lots of data, lots of PHI or sensitive information? So I think brilliant.
SPEAKER_00 (13:04):
And I even plug in here too, there's the idea of the DPA, right? And having the data agreement as well, which are usually attached. And I think one question that you kind of raised is who's supposed to drive this? What party is supposed to be responsible? Typically, vendors are the ones who have it because they're the ones who are giving out their services so regularly. But if you're not negotiating that appropriately as a covered
(13:27):
entity, really this is your data and you're on the line. So you should be either having your own standard BAA or heavily negotiating every BAA you receive, even if it's standard for the vendor.
SPEAKER_02 (13:39):
That's right.
Yeah.
SPEAKER_00 (13:40):
And, you know, I kind of laugh sometimes when I think of, you know, those kind of frivolous clauses where the vendor is asking to do a little bit more with the information than is necessary. I think that goes to kind of my original point, right? One thing that you shouldn't be doing is collecting information
(14:04):
that you have no need to have. So one of my biggest pieces of advice for privacy with even my providers is, do you need this PHI? Why are you asking for it? Perfect example. If I'm representing a dentist, maybe it is important for you to know if your female client is pregnant or not because it'll
(14:25):
help you with your assessment protocols. However, do you need to know the last date of her menstrual cycle? Is that helpful for what your practice is doing? And to the same point for vendors, is it helpful for you to be collecting information that you don't necessarily need for even your internal, you know, services that you're providing?
SPEAKER_02 (14:44):
Yeah. Do you want that risk? You know, do you want to carry that? I mean, I think, yeah, whether it's, and as I was hearing you talk, I was also thinking about, you know, downstream business associate relationships too, because you think, I mean, the covered entity has, you know, really the ultimate responsibility here. But, you know, I'm sure you have lots of clients that
(15:05):
are business associates who then share data with other business associates. And, you know, there's responsibilities there that, you know, as those kind of responsibilities flow down the chain. I mean, whether or not you're a covered entity or a business associate, I mean, these are, I think your words are applicable across that ecosystem. Right.
(15:25):
Yeah. So, you know, you sort of, I think briefly, you kind of touched on some of the, I think you said, you know, some of the baby HIPAA laws, which is my new favorite phrase. But, you know, in your presentation, you talked about, you know, the FTC health breach notification rule as well as some of these state level privacy laws, like, you know, of
(15:48):
course, people are familiar with California and more and more familiar with Washington, what's going on in Washington. You know, can you speak a bit about, you know, are there differences in approaches related to those state laws? You know, are you encouraging clients to add certain provisions or remove provisions based on, you know, what we're
(16:10):
seeing at the state level?
SPEAKER_00 (16:12):
Yeah, that's a really good question. One thing I love about working at Holland & Knight is that we also have our own data privacy team that I get to work closely with because they get even more into the trenches with some of these state data privacy laws than I do. And it is a full-time job at this point, especially you look at the Washington My Health My Data Act.
(16:34):
It is kind of the archetype for everybody who is coming out with a new law. And I think in our presentation, we highlighted various states that had pending legislation of the like. And what I've come to realize is the most important piece for us as lawyers when we're advising clients and thinking about state
(16:55):
level implications is making sure that we ask the question on the front end. Where are you providing services? Where are you collecting data? Because sometimes the answer is, hey, I'm not doing very much business in Washington at all. And so then maybe I don't need to have a very stringent, you know, part of DPA or agreement or any type of set of
(17:19):
protections that, you know, complies with the Washington My Health My Data Act, which is a long haul of work. But then if we never ask the question and we find out a substantial amount of, you know, data is being collected in California, Washington, you know, we are behind if we haven't already addressed that.
(17:39):
So it's about first having that initial analysis, asking where's the data being collected from, what is the purpose of the data usage, how many individuals are having their information collected, and then creating privacy policies and having other elements of governance that will ensure that
(18:00):
your organization is compliant with all the applicable laws. To that same point, right? That also usually means that part of your public-facing policies, not just your internal policies, your public-facing policies are going to be impacted, right? Both California and Washington require certain
(18:20):
notices to be available for their consumers to see, for example. So that's why it's important to have, like, counsel that is really up to date and knowledgeable about these things, to work with consultants like Clearwater that understand, you know, the impacts of what happens if any of
(18:40):
these provisions are being triggered. Because if you do the due diligence on the front end, if we just assume the breach is eventually going to happen. Hopefully it doesn't happen tomorrow. Hopefully it doesn't happen regularly, but if you just assume the breach is going to happen because it's inevitable, confirming that there are no holes or avoidable incidents in
(19:04):
that breach, I think becomes the critical piece. And so to that same point, we touched a little bit on the FTC health breach notification rule, which is almost the harder thing for me personally to wrap my head around because there's a lot of questions about if something was given with
(19:28):
or without authorization. We were talking about really the nuances between when this rule is triggered versus dealing with just a breach notification under HIPAA, for example. And I think at the end of the day, what I've seen in practice is you're gonna play a catch-up game if you haven't
(19:49):
already analyzed these things on the front end. One thing we don't talk about enough is the importance of risk analyses, right? So we talked about updating our agreements and managing as part of our managing of relationships. And, you know, I typically tell my clients at least once a year you should be looking at those agreements. But to the same point, you should be doing your own risk
(20:13):
analysis that usually includes the review of your agreements, right? And completing that risk analysis to see if those holes exist, not just within your organization, but with your downstream vendors is very, very important.
SPEAKER_02 (20:29):
Yeah. Yeah. And I mean, part of that is, you know, when you think about your risk analysis, you also think about your, you know, data privacy or data protection impact assessments that many of these state laws and GDPR and others require, where, you know, it forces you to look at the data and, you know, where are you collecting data?
(20:50):
You know, where are these patients or consumers or others based? And I think, I mean, not to, you know, put too fine a point on it, but, you know, we frequently will hear, I mean, maybe not as frequently as we used to, but, you know, hear from startups in particular and emerging, you know, health IT groups who would say, you know, gosh, we just love to have
(21:11):
all the data. Can we work with our clients and just get all the data we can so that then we can figure out what we want to do with it? And, you know, maybe there's some legitimate purposes for that depending on the circumstances, but we always tell people, you know, I don't know that you know what you're asking for, right? Because, you know, even if you have a relationship where
(21:33):
there is more free-flowing data and there's a legitimate purpose for that and there's the controls in place. To your point, you know, if and when there's a breach, are you really sure you wanted this biometric data that was just cool to have, just in case? You know, maybe you didn't, you know, maybe you don't need that. Because it triggers, you know, may trigger
(21:56):
reporting, notification. You know, you may have a regulator asking questions, you may have news reporters asking questions, and all of that just because you thought it would be cool if we collected the data and maybe we'll use it down the road, that's a big risk.
SPEAKER_00 (22:13):
Yeah, and even with clients like that, and I love working with startups because they're always so innovative, right? And they're always on the cutting edge of things, but you almost have to sometimes hold their hands and say, hey, maybe we don't need it right now. But if we do think we need it in the future, it's not hard to amend this agreement and pull that information.
(22:35):
Why hold on to it in perpetuity, you know, if we are not sure we need it right now? And for our listeners, sometimes what I've seen, the reason why clients really kind of think that the idea of capturing large amounts of data would be great, it leads to this kind of marketing-ish deal, where they kind of want to be
(22:58):
able to reach more consumers, reach more patients, which becomes a whole nother slew of problems. And I think kind of gets us into some of the big breaches that we've seen or the big, you know, namesake cases that we've seen happen over the last few years.
SPEAKER_02 (23:17):
Let's maybe talk a bit about this. So, you know, we've talked about, you know, I think you've shared a lot of insights about some of these, the regulations, the rules, you know, whether it's HIPAA or state level or FTC health breach notification, but maybe let's talk a little bit about legal risks and what you're seeing, you know, in sort of the, whether it's
(23:41):
the class action or kind of general sort of courtroom setting. And your presentation, of course, you know, hard to talk about this, you know, this day and age without reflecting back on, you know, what's happened with Meta Pixel and what's happened with Change Healthcare. And those are just two, as you know, among, you know, a growing list of, you know, organizations that are, you know,
(24:06):
on the receiving end of class action complaints and other sort of initiatives. So we'd just love to hear from you, you know, could you talk a bit about the trends that you're seeing, you know, in terms of just legal risks and maybe also, you know, defenses and things that you've seen that seem to be
(24:27):
working well, just as you're kind of doing, you know, in your presentation a great job of this sort of survey of the legal risk landscape.
SPEAKER_00 (24:35):
Yeah, and I'd be remiss if I didn't mention that I had two really great co-presenters as well in this presentation. And so Maria did a really good analysis of the economic and financial impact of data breaches, which I think is the first risk, right? It is the damages portion of these breaches. You know, that damages being calculated is the first
(25:01):
thing your client's gonna hear and understand before anything else. And I think she ascertained that I think in 2024 was about $4.9 million had been the average cost of a data breach on large-scale data breaches. So that was already shocking to me.
(25:21):
And I think that that's enough usually to catch a client's ear. But when we talk about some of the cases that we were seeing, and I think we kind of introduced the idea just now when we're talking about capturing large amounts of data. Google Pixel was kind of one of the first hits that we were receiving when we're like, oh my goodness, what's going on?
(25:43):
And even to this day, you know, Google Analytics is free. Clients love to use it because it's free. But Google is also still collecting a lot and a lot and a lot when you're using it. And that's hard. That's hard to really navigate around for clients. You know, we try to do simple things like make sure that
(26:04):
the pixels aren't sitting on every single landing page on their website, that they're only applicable when necessary. Because once you've given it away inadvertently, it's gone forever. And you end up in this big class action world, which I think is also what we're seeing with Change Healthcare.
(26:26):
Kelly, my other co-presenter, she is in-house at a health plan and she was able to talk about the real-world impacts of the Change Healthcare litigation. Both Google Medical Pixel and Change Healthcare showed us that the plaintiffs' bar is not afraid to gather
(26:47):
as many plaintiffs as possible in these scenarios. And I think with the creation of these new even state level laws, we're seeing even more of that, right? You're getting more causes of action as available options for plaintiffs. It's no longer just trying to find ways under HIPAA where
(27:10):
we were like, oh, well, there isn't really a private right of action. You know, we're now seeing that there are multiple different avenues for plaintiffs to initiate litigation. And what Kelly spoke pretty well about was that in her organization, they realized that the reason why they ended up as
(27:31):
part of the Change Healthcare ordeal was really because they hadn't updated their agreement with their vendors. And their data ended up being kind of sunken in as part of one of those big ominous data pools.
(27:58):
And there was the next risk of once they were identified as being a part of all of this, they didn't know whose job it was going to be to do the requisite reporting until, you know, it was finally determined that Change Healthcare was going to have to do it for everyone. At some point, these organizations were just scrambling because this was all happening, that happened
(28:21):
without them knowing what was going to happen. Everyone has an immediate responsibility to do the necessary protocols, do their own internal investigations, determine what their risk profile is. And when you're behind the ball like that, then you're also thinking about the fact that you now have notification requirements, which could be not only under HIPAA, right? You're thinking about notifications to the
(28:41):
individuals, to the media, to the department, but then you're thinking about what are your other requirements under other laws, whether they be the state laws, whether it be if the FTC breach notification rule applies, which also requires some of those large, you know, notifications. And so the cost of those
(29:04):
notifications was a big point of negotiation for most everyone. Another thing to think about is that you're thinking about the cost of being a part of the litigation and settling the litigation. Not just the cost of the damages that you have
(29:26):
encountered by being a part of the data breach, but of making whole, quote unquote, the plaintiffs or the affected individuals. When you're dealing with just an enforcement action, you're not really thinking as much about it. But when we're sitting in litigation, your number isn't just that original damages number,
(29:48):
it's that and more. And so I think one of our big lessons learned was, you know, leveraging your desires as the covered entity
(30:12):
with that of your vendors, you know, it requires a special touch. It requires you to have people who are on the ground who are willing to be in constant communication with your vendors, who are willing to ensure compliance from your vendors.
(30:34):
You know, no one likes to be the watchdog, but in this day and age, if you're thinking about the average number being in the millions of dollars for a data breach, you want to kind of insulate yourself from that risk. And that's without thinking about what the attorney's fees are going to be. That's without thinking about, you know, what happens when you
(30:57):
have now to overhaul your security in your privacy group. When you have to put in new frameworks, it costs a lot more on the other side. We didn't really get too much into great defenses because I think if we're honest with ourselves, we have to
(31:20):
say a data breach, considering the fact that we're gonna assume they're inevitable, you know, there is no defense to the idea of violating or improperly protecting and securing information to the level that is
(31:40):
required by law. The idea is that if the breach is going to occur, so long as you are in compliance with the requisite laws, there should not be any real risk to the organization because we assume the breach will occur and that's why the law exists. And so the caveat there is if you're in compliance, and
(32:03):
being in compliance requires that watchdog mentality of our clients. And that is a mentality we haven't had to have for so long. And now that we have things like AI that are just embedded in our systems that are helping us get our jobs done, we have to be on top of it. We have to kind of be forward thinking.
(32:23):
It wasn't to blame anyone, you know, within the organizations for their personal failings at that point. It was the fact that the organizations had failed to keep up with what was happening and what was going on. So I think ultimately the only defense that we really
(32:43):
heard was, hey, it's not my duty to deal with this, it's Change Healthcare, right? Whose job is it? And that gets me back to one of my favorite rules I always tell clients when they're negotiating their BAAs is be very clear. Be very, very clear on whose duty it is to do all types of
(33:06):
diligence, whose duty it is to do specific reportings so that you're not pointing the finger in the middle of the crisis. It's also important if you want to talk about ideas of indemnification of sorts, right? Who's paying for the cost of those notifications or the necessary and requisite compliance with any notification
(33:29):
requirements? Those are things that can be written into the agreements that can insulate those risks instead of defend the risks, right? You're insulating yourself from some of those risks. And I know Kelly spoke a little bit about some of their agreements had that kind of indemnification while others did not. And so when we're thinking about how complex these
(33:50):
relationships can be, those are things that we want to be looking at and keeping updated and thinking through just as much as we want the terms of the services and the data collection to be up to date.
SPEAKER_02 (34:00):
Yeah.
No, and I, you know, I that's Ithink really helpful um and I
think very, you know, veryinsightful.
Um, I and I think we're gettingsort of getting into the best
practice part of thisconversation, but really quickly
before we do that, just wantedto mention that it's the so you
mentioned the average cost ofdata breach was 4.9 million.
(34:23):
And when I was looking at the slide deck, I think this comes from IBM's data breach report from last year. I think it's important to note, since this is an AHLA podcast, or video, whatever we're doing these days, we've got lots of folks in healthcare, you know, listening, watching. The average cost was 4.9,
(34:44):
overall averaged 10.9 million per data breach. So, in terms of just costs, very, I mean, not insignificant, right? Um, particularly for health systems that aren't prepared to, you know, manage this. So, you know, I appreciate you all sharing those data points. Um, and you know, thinking about best practices and kind of as
(35:08):
we're starting to, you know, maybe wind down the conversation, I think something you said really resonated with me. Like, so Clearwater, we do a lot of work with our clients, helping to perform vendor risk assessments, we're reaching out to vendors on behalf of clients, we're helping to collect data, helping them do some of that, you know, that ongoing
(35:31):
risk management. Um, I would say in most cases, that works really well. Um, we have, um, uh, you know, there always is a percentage of vendors that are either non-responsive, or they're vendors that are huge, you know, Googles, Amazons, um, Oracles, Cerners, Epics, who may be responsive,
(35:58):
but their response is, you know, take a look at this link because here's where we've posted information about our risk analysis, or here's where we've posted information about, you know, our HITRUST work or whatever work they've been doing. And in both of those situations, so non-responsive vendors or unresponsive vendors, and then these huge vendors, we don't have that kind of interaction
(36:20):
that we would like to have. And I think something you said, um, you know, about doing some of this work up front, uh, I think is really important because, you know, at that contracting stage, you do have this ability to ask these kinds of questions of your future partner. You know, it's one thing to say, let's negotiate the
(36:43):
BAA together, but it's another thing to say, you know, hey, we're gonna have to be doing some oversight. We want to make sure we have a process with you so that we know who we're calling or emailing, or we understand what the sort of requirements are up front, so that if it is, you know, an Oracle and they say, look, we don't answer vendor questionnaires, but here's our process, you know,
(37:04):
that organization can make a decision, you know, if that's the right fit for them. Um, you know, obviously in some cases it's sort of unavoidable. But um, yeah, I just really thought it was worth kind of extrapolating that a bit because I thought that was a really helpful point you made. Um, I, you know, I don't know what other, you know, when you think about clients, you know, whether they're business
(37:26):
associate clients or covered entity clients, um, you know, what sort of best practices are you seeing and recommendations, you know, are you making to, you know, whether it's general counsel or compliance officers? Just curious your thoughts.
SPEAKER_00 (37:41):
Yeah, so we came up with three, um, of our best practices that we wanted to highlight for those who watched our presentation. Um, it was, as lawyers first, um, make sure that your client really understands the contract and the deliverable that's coming with that contract. Um, and I think that kind of goes to the point that you were just speaking about, right?
(38:04):
It's about the question-asking phase. It's about really diving in. And even if it's just between you and your client, you, uh, initiating conversation about the holes you're seeing so that they can really kind of, uh, appreciate what's happening and what's not happening and what might be necessary. Um, second, we can do better by empowering our clients to work
(38:29):
with their vendors directly on privacy issues, um, and kind of creating that watchdog, that oversight that we've been speaking about throughout this podcast. Embed someone as a liaison for your vendor relationships, right? And let it be that it's a natural conversation.
(38:50):
Maybe they just do check-ins monthly that are not necessarily, you know, the stringent, hey, produce X, Y, and Z to me, but just the basic understanding. Are they willing, is the vendor willing to let you come and understand their operations internally? Um, just start those kinds of natural conversations because when the relationship becomes a little bit more tense in the
(39:11):
data breach world, you're gonna get a lot less hands-on time with them. And then the third thing we came up with was considering a demo or meeting with the vendor. And um, when you do that demo, you know, your legal team and your privacy team should be there. Um, we didn't really talk about this, but sometimes it is that,
(39:33):
especially with our kind of smaller clients, our startups, they go have the meeting, they sit down, they talk about it, but the right people aren't in the room to kind of assess what might be next or what's practical or impractical for the organization as a whole. So um Kelly talked a little bit about it, whereas now her team, they always have privacy in the room in certain
(39:55):
situations. Um, and it's a non-negotiable, the meeting cannot happen unless they are there. Um, I think that's a good kind of rule of thumb to have where we're talking about things that could impact privacy or security. Have the people who need to be in the know at the table, don't just create a policy or procedure willy-nilly, um, and
(40:16):
then impose it on them. And then they come back and tell you, well, that's not even practical. We couldn't even do that. Um, I recently had a client, um, you know, come to me and say, hey, well, Google won't sign our BAA. And I said, yeah, well, Google doesn't sign anyone's BAAs. We, you know, that's something we could have easily told you, you know, on the front end of things, um,
(40:38):
that that wasn't gonna be an option for you. And that's why, you know, these are the risks that we're trying to navigate around. Um, and it's not worth your time trying to get me to negotiate with them because they're not gonna do it. You know, that's a practice we've learned. So um I think those were kind of our three big pieces and takeaways. I think you add that to our list of things to be thinking about
(41:01):
when you're negotiating the agreements and keeping them up to date. Um, you're in a better spot, you know, and have knowledgeable counsel, have, you know, good relationships and rapport with consultants that really understand what's going on.
(41:21):
I know I'm always happy when my client, you know, is willing to engage Clearwater. We're just like, having a, it's so much easier to be on one page and just be thinking through these things together on the front end of things because we almost never end up with a problem. And especially when you get to the acquisition phase, you know, you're dealing with startups and they're like ready to sell off,
(41:42):
you're in a much better fake phase of life, right? And you're much more attractive to investors, um, when everything's already in tip-top shape. There's no risk for them to acquire.
SPEAKER_02 (41:55):
That's right. You can say we're, you know, we've got risks and we're managing them, and we've got, you know, these people supporting us, and whether it's, you know, Holland and Knight and you or others, you know, you can say we at least know what the risks are and we're dealing with them, you know, we're sort of managing it. And vendor risks are, yeah, it's like it's not gonna go away. It's, yeah, it's just how do you manage it?
(42:17):
What's the process? And do you feel like, you know, you're sort of taking it a day at a time to help, you know, make sure your program is, you know, sort of moving towards maturity? Yeah. Yeah. Well, it's, um, been really great talking with you, Shaylin. And really, you know, like I said, I mean, really appreciate
(42:38):
the insights, both from the presentation with your other presenters and then talking with you today. Um, and, um, yeah, I guess I'll just, in case you have any final thoughts, um, just turn it over to you. But, uh, just again, thanks for your time.
SPEAKER_00 (42:53):
No, thanks so much for talking with me too, Andrew. It's always good to talk to you. I can't wait to see you soon, hopefully. And if not soon, then I'd better see you at an annual meeting next year. I heard it's exciting because it's coming to New York City for the first time in forever. So I'd love to be in Manhattan talking about all this with you in the summer of 2026.
SPEAKER_02 (43:12):
Let's do it.
That sounds great.
SPEAKER_00 (43:14):
All right, sounds good.
SPEAKER_02 (43:15):
Excellent.
SPEAKER_01 (43:21):
If you enjoyed this episode, be sure to subscribe to AHLA Speaking of Health Law wherever you get your podcasts. For more information about AHLA and the educational resources available to the health law community, visit AmericanHealthLaw.org and stay updated on breaking healthcare industry news from the major media outlets with AHLA's Health Law Daily Podcast, exclusively for AHLA comprehensive members.
(43:44):
To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org slash daily podcast.