HIPAA Is Not the Hard Part Anymore
Low Code/High Impact · 2026-04-28 · 48 min
Substance score
50 / 100
Five dimensions, 20 points each
What our scoring noted
Our reviewer’s read on each dimension, with quotes from the episode.
Insight Density
The episode has pockets of useful, practitioner-level detail—particularly around the BAA-as-prerequisite point, the shadow AI breach risk, and the class action settlement breakdown—but is padded with HIPAA 101 explainers (three categories of covered entities, what a business associate is) that any healthcare compliance professional already knows. The signal-to-filler ratio is mediocre.
there is no such thing as HIPAA certified or someone being able to tell you that you're HIPAA compliant
if you put in PHI, you have a breach
Originality
The 'HIPAA is not the hard part' framing is mildly contrarian and the observation that AI fear is pushing organizations to blanket-prohibit de-identification, reversing a decade of progress, is a genuinely fresh observation. Most of the rest—shadow AI risk, checkbox compliance critique, BAA limitations—is widely circulated in healthcare compliance circles.
before AI really started exploding over the past couple years, it felt like the industry had gotten to a place where there was comfort around de-identification...It now feels like we're falling back 10 plus years
HIPAA helps you build a good foundation that you can then build a really solid house on top of
Guest Caliber
Matt Fisher is a credible, working practitioner—a partner at a real firm doing actual healthcare regulatory and privacy work with a range of clients including multi-state health systems and startups. He's not a thought-leader-for-hire, but he's also not an operator who has built and scaled something himself, limiting the operational depth of his insights.
I'm currently a partner at the law firm of Hancock, Daniel and Johnson...My specialty is I do corporate and regulatory law within healthcare
I've been doing it for about 10 years now and it's a show where I just get to talk with fun people from all across the healthcare industry
Specificity & Evidence
The $900K class action settlement breakdown (roughly $400K to attorneys, $1,200 to class litigants, $10 voucher) is the standout concrete data point. The shift from a few breaches per week 12–15 years ago to 3–5 per day now is useful. However, most claims are heavily hedged with 'probably,' 'might,' and 'I think,' and named examples beyond AWS/Azure/OpenAI are absent.
it was a $900,000 total settlement...about 400 went to the attorneys...the five people who are identified as the class litigants, they each got about $1,200...a $10 voucher to be used at the provider that was impacted
when I first started really paying attention to it, say like 12, 15 years ago, it would be a couple a week...there's probably anywhere from three to five or more breaches that are being covered as reported that day
Conversational Craft
The host's questions are topically organized but consistently soft—'What do you mean by that?', 'Do you think organizations are aware?'—and there is zero pushback or challenge to any of Matt's claims throughout. The host mainly functions as a topic-switcher rather than a genuine interlocutor, and several answers drift into vagueness without a follow-up to pin them down.
Yeah, no, thank you for sharing. That makes sense
Do you think organizations are aware of the exposure of that?
Episode notes
In this episode of Low Code/High Impact, we sit down with healthcare attorney Matt Fisher, to discuss HIPAA privacy and security compliance in healthcare. Matt explains why HIPAA is "no longer the hard part" of healthcare regulation and why "HIPAA certified" vendors aren't recognized by HHS. He unpacks how FHIR interoperability and information blocking rules push patient data to third-party apps outside HIPAA's scope, and why shadow AI and employees pasting PHI into AI tools are creating hidden breaches. Matt also breaks down what Business Associate Agreements actually protect against and why class-action settlements, not OCR fines, have become the costliest consequence of a data breach.
Full transcript
48 min · Transcribed and scored by The B2B Podcast Index.
Foreign. Low Code High Impact Podcast I'm Paul Quirk and this show is about one thing, how organizations solve real problems with low code faster and at a fraction of the cost of traditional development. Today we are talking about healthcare and specifically HIPAA. 2026 marked the 30th anniversary of HIPAA being signed into law by the then US President Bill Clinton. And yet most organizations are still approaching it in the wrong way. My guest today is Matt Fisher, a healthcare privacy and security attorney at Hancock, Daniel and Johnson. Matt works with everyone from multi state hospital systems to healthcare startups and his view is direct. HIPAA is not the hard part anymore. The harder problems are the ones most organizations are not talking about. AI risk, data sharing, exposure and a checkbox mentality around compliance that is creating a false sense of security at the board level. So if you work in healthcare, build applications that handle patient data or evaluating platforms for HIPAA compliant development, this conversation will change how you think about it. Let's dive in. Matt, welcome and thank you for joining Caspio's podcast. Paul, thanks for having me on. Happy to be here today and be able to talk through some issues. Great stuff. So I know we're going to be talking today about healthcare privacy and security. So let's share with everyone about your background, who you are and what lens you're bringing to this conversation. Yeah, no, I'm happy to do that. So I'm currently a partner at the law firm of Hancock, Daniel and Johnson which is kind of based on the east coast but we represent clients all over the country. We actually have attorneys license in Almost every all 50 states so it is very broad coverage within the firm. My specialty is I do corporate and regulatory law within healthcare. So I'm working with companies of all different sizes in business operations, contracting, strategic transactions. 
And then one area that I really like to focus on is privacy and security, compliance with HIPAA and kind of all those issues that come up. So it's, you know, really any organization you're talking about in health care they're going to have privacy and security issues because data has become the currency of everything nowadays. And so in that work I work with, you know, traditional health care systems, whether it be, you know, multistate hospital systems or physician groups. But you know, I also really working in the startup world, you know, I find the innovation that happens there and the fast pace of change to just be really exciting, you know, so I really find, find a lot of joy in working with those companies so they can understand what that regulatory field looks like and then Figure out how can I get my idea, my, you know, kind of the way I'm trying to push the industry and drive change or innovation, how can I get that into the market and make it fit the needs of the industry? Because it's, you know, for better or for worse, a lot of things within health care just have to operate a bit counterintuitively from what normal good business sense might look like. Yeah, thank you for sharing that. And obviously HIPAA is such an important area for our prospects and customers as well. So I know we're going to talk about. HIPAA is not the hard part anymore. What do you mean by that from your site, Matt? Yeah, I mean, I think that's a really good way to frame it. It's, you know, while most people might not think about it this way, it's, you know, kind of my lens on it is, you know, HIPAA focus, the most part is relatively black and white in terms of what it covers and who needs to comply with it. 
And, you know, just kind of the general compliance function, you know, and I call it black and white because, you know, for, you know, depending on where you sit within healthcare, you know, if you have to worry about fraud, abuse regulations or even like Medicare and Medicaid compliance, those can be really convoluted. And, you know, there are times where those regulations even work at cross purposes with each other where, you know, as they've developed over time, you know, despite probably the best of intentions, the regulators might have forgotten what, what was potentially on the books. And you can have two competing requirements. There's also, you know, the few cases where you get into a court, judges have essentially thrown their proverbial hands up in the air and said, this is too confusing. I can't believe anyone has to deal with this. So, you know, when you compare it to that side of kind of the regulatory field, that's why, you know, you know, I think at least that HIPAA isn't necessarily the hard part of it. It's, you can really break it down into three major components of where you're looking at for compliance. You know, you've got your privacy rule, security rule, and then breach notification. And you know, as I said, you can really segment those and then you can also see where the areas are that you need to comply. And then also depending on what your role is within healthcare, you might not even need to comply with the entire piece of each one of those rules, you know, and then even taking another step back, it's like while you have those three rules, you Also only have three categories of entities that even need to comply with hipaa because it's, you know, despite maybe a popular perception about it, it's not this broad overarching coverage for all healthcare data. Especially the way different parts of healthcare have evolved where you now have a lot more kind of like wellness or direct to individual type solutions, you know. 
So HIPAA only applies, as I said, to three categories. You got covered entities, business associates and then subcontractors and business associates and subcontractors are really kind of two sides of the same coin because a subcontractor is really just a business associate of a business associate, you know, but a covered entity. There's only three types of covered entities. You've got health plans, health care providers and health care clearinghouses. You know, health plan, pretty self explanatory, those are your insurance companies, health care providers, that is someone who's delivering a healthcare service. So a hospital physician group, nursing home. So fairly relatively easy to see and follow there. Although a key component there is they also have to engage in a transaction covered by hipaa. So kind of really boiling that down, it means they're electronically billing for reimbursement, which is where you could see something that you almost looks and breathes and talks like a healthcare provider technically not actually be subject to hipaa. And then you know, Healthcare Clearinghouse is where data is flowing through it and you know, that's really more of a technical piece of the industry that you're probably not going to see on a day to day basis. And then a business associate is a vendor or someone who's providing a service for on behalf of a covered entity. And in providing that service interacts with the protected health information of the covered entity. So it's, you know, but that the primary purpose has to be interacting with it. So it's, you know, kind of like a classic example is if you have a physical office and you have a janitorial service coming in, they're not your business associate because they're not supposed to be handling your patient information. Like if they see something on the desk, it's really incidental to their actual service. 
And you know, you should have, you might want to have confidentiality with them, but you don't need a visit, they're not your business associate and they're not, you know, subject to that regulatory scope. So it's, you know, as I said, when you kind of see those different types of categories first who needs to comply with it and then where you're complying, you know, it is a, you know, from a regulatory perspective, kind of a narrowly defined scope and you're not talking this kind of sprawl of regulations like you might see in other areas within healthcare. Yeah, no, thank you for sharing. That makes sense. And kind of leading onto that is, do you think HIPAA's becoming a distraction? And what I mean by that is, are organizations overinvesting in passing audits while really focused on under investigate, investing in true data governance? Yeah, I mean, I think it's a little hard to maybe parse those two things apart because it's, you know, if you're focused on compliance that will help with your data governance, you know, at least on a basic level. You know, if you're looking at hipaa, like if you're spending a lot on outside audits, I mean, I would say depending, it really depends on the sophistication of your organization and the size of it. It's, you know, because to show that you're complying with HIPAA is all about self certification. You know, there are companies out there that might try to give you a seal that says you're HIPAA compliant or you're HIPAA certified that's not even worth the money that of the paper that it's printed on because there is no recognized certification standard like under the regulations, there is no such thing as HIPAA certified or someone being able to tell you that you're HIPAA compliant. Like if you go through and you kind of self believe that you, that you're following the requirements, that's what you want to do. 
And then, you know, if unfortunately something were to happen and you end up having the government come in and investigate, you're just going to be showing them your policies and procedures and your logs and your other evidence that shows how you're complying with your requirements. If you try to tell them, hey, we had this outside organization come in and audit us and they gave us the seal. You know, they might not laugh at you, but they're also not going to really take that with much credence because you know, they're, it's not like they're giving their stamp of approval to anybody else. But at the same time, as I said, it is helpful to, you know, periodically have someone on the outside come in and audit and help you review what your, what your compliance stamps looks like. Because you know, as we all know, if you're living and breathing with something day in and day out, it is really easy to just overlook something because you expect it to be there. Because you Know, our brains all trick us. So it's, you know, I think there is definitely a space for the focus on that auditing and spending money there. But then, you know, if you're looking at data governance, as you said, it's, you know, that is more of that operational day to day piece that you want to make sure you're appropriately investing in. Because if you can't maintain your data governance, doesn't really matter where your compliance stands. You know, if you're not handling the data, if you're not making sure that you've got the right controls in place, you know, that's where you're going to be selling the farm right up front. So it's, you know, as they go, a bit hand in hand, but they're, you know, maybe there is some prioritization there, you know, but then taking HIPAA on that, as I said, it's not going to get you all the way to good data governance. It's going to, you know, I always like to say HIPAA helps you build a good foundation that you can then build a really solid house on top of. 
Because HIPAA is not overly prescriptive. It, it is not telling you, for example, on the security side, like this is the type of encryption you have to have, or this is the specific length of your password and that type of, you know, really detailed information, it's telling you you need to have, you need to, or you should have those things and then you get to figure out how you implement it, which is, you know, then goes into that daily governance and that ongoing governance where you can actually truly have a strong and, or as strong an organization as possible. Because it's, you know, I think no matter how good your intentions are and how good your operations are, it's just inevitable that something is going to happen. And you know, part of having, part of where HIPAA helps you focus is being prepared when something, you know, unfortunate might occur. Yeah, it's interesting you say that, Max. I was talking to a customer recently, a compliance manager at this customer, and he was saying that he thinks HIPAA's creating a false sense of security with his board and executive team. So it kind of lends nicely to what you're saying there. It sounds like that's, that's the case. Yeah, no, I, I think I would fully agree with that. It's, you know, when I'm talking with new clients and they're like, what do we need to do to comply with hipaa? Like, you know, what do we need to do to show that you know, we're meeting the security requirements. And kind of my typical answer is if you're developing and you're building a product and you're following industry standards of what security measures look like, you're already going to be well above and beyond whatever HIPAA says, because HIPAA is not exactly telling you what to do. And I think that's a good thing because if HIPAA tried to do that, well, guess what? 
The day after the regulations are published, they're going to be out of date because we all know that's how quickly technology moves and evolves and also where the threats can come from. So by just kind of having that those general parameters allows you to figure out what's right for your organization, you know. So, you know, kind of going back to the question, yeah, no, I fully agree that, you know, it's easy to focus on what's the regulation or what is, you know, what is it that people are talking about and then not think about, you know, what, you know, what really should we be keeping our eyes focused on, you know, so, you know, when you're going back to thinking that it's, you know, that it gives you that framework and if you're following industry standard, you're going to be doing better than what the regulations say. That's what you want to keep in mind. Kind of where it comes back to the HIPAA side of it, though, is even if you're doing all that, and this is, you know, I know also where the frustration can arise is you still need to then document your policies and procedures and how what you're doing to comply with hipaa. So it's, you know, I was kind of describing it recently as it's, you know, it's compliance with HIPAA can a lot of the time really just be an exercise in paperwork because you're writing things down and you're having to, you know, kind of show what you're doing, blog different things. And that's, you know, not really what it takes to, to have a really strong, secure operation from a, you know, a current technical standpoint. So, you know, it's a little bit of a tension, but it also then helps you, you know, I think it does help keep you focused on making sure you're living within what you should be. Yeah, no, it makes complete sense. And I only realized today when I was looking back through kind of the history of HIPAA, that it's the 30th anniversary this year, 1996, President Clinton signed it into legislation. 
And for those that are not familiar with hipaa. If we kind of step back, what would you the best way to describe HIPAA and what it is? Yeah, that's a great question because it's, you know, obviously we've been talking about it already and you know, we've been talking about the privacy and security aspects of it. But you know, the part that gets lost is that's actually like a really small piece of what the overall law does. The, the biggest impact and the ongoing impact of HIPAA is it creates standard transactions. And that is, you know, on the billing side, the claim side, like that is the bulk of what the law actually does and focuses on. And it has, you know, really driven AC change. You know, because I was listening to something else recently where they were talking about, you know, like data exchange and claims exchange. Yeah. And you know, while for better, you know, unfortunately it is way more expensive in healthcare for that. It's surprising because it's one of the few industries where you're mandated to have common data sets. And you know, while the data set, you know, I know there's nuance within there, there is still those, you know, standard transaction sets that HIPAA created that theoretically should make it easier for that to exchange. So it's, you know, when you're thinking about the law, that is the bulk of what it does. But you know, the privacy and security piece gets the most attention just because that's, you know, that that's what captures the attention from outside the industry as well. And I know kind of just to, I think expand what we were talking about a little bit earlier. It's security. It's talking about different security controls, administrative, physical and technical, and then privacy controls and also individual rights that you and I get to be able to exercise with respect to our healthcare information that an entity that's subject to HIPAA is holding. 
So it's, obviously there's lots of pieces within there, but from a very high level perspective, those are a couple of the key points. And then the brief notification rule, which is why you hear about when a problem happens. Because by statute and regulation, organizations are required to announce when a data breach happens. Yeah. Makes complete sense. So I was reading an article recently that healthcare is interoperability with heavy h I r APIs, data sharing mandates, patient access rules. So from a privacy and security standpoint, Matt, are organizations ready for what that opens up? Yeah. So there's, you know, I know I keep saying this, there's a few different ways to look at that. You know, going back to what I just talked, you know, referenced about individual rights. You know, since the beginning of HIPAA there has been an individual right of access. You know, so under HIPAA you are allowed to ask for and accept in very limited instances your, say hospital, your physician is supposed to give you a copy of your record. Obviously that doesn't always happen in practice and there's other hoops and hurdles that you might need to jump through. So it's, you know, that has always existed. It's been a challenge. Some of the new regulations that have come into place, you know, from like 21st Century Cures act with like information blocking regulations where it's trying to expand that. It's, you know, I think one perspective is it's building upon those existing requirements and adding new kind of hooks and you know, poles that can force, you know, better compliance. You know, whether or not that has actually occurred. I think still an open question, especially where enforcement of those information blocking regulations hasn't really started yet because it took a few years beyond the publication the info blocking regs to actually then get the enforcement regs that go along with them finalized. 
You know, but the kind of, one of the bigger changes as you said, is, you know, the ability to, or the requirement to have more connections and the more, you know, more, more places where you can hook different systems together. And you know, kind of my personal view on it is I think technically organizations are probably ready for it. Yeah. But I also, you know, at the same time think that there is well placed words of caution coming from kind of the traditional healthcare side of it, you know, because part of those connections are you or I can call up again, call up our office, you know, and say, hey, I'm using this app, I want to connect in. I want you to push all my records over here. Well, the question is going to be what are they doing with your records? Yeah. Because if it's someone building a service for me as an individual, well, they're probably intentionally coming into a space where they're not going to be subject to hipaa. They're not going to be one of those like covered entities or business associates that I was talking about earlier. And if they're not covered by hipaa, then the question is what, if any regulation, are they covered by it to maintain the privacy of my information? Yeah. So, you know, healthcare organizations are trying to raise those questions, but unfortunately they, you know, if they don't allow the connection or they don't allow the push of the information, they could then be subject to, you know, an allegation of information blocking. Because saying that the tool that I'm telling you I want my data sent to isn't compliant with HIPAA is, is not a reason to stop this, that sharing of the information. Yeah. You know, so I think the question of is it, is the industry ready? Is more is almost like kind of a little bit of a too narrow perspective on it. It's, you know, are individuals ready and understanding of where they're putting information and can you trust the developer? 
You know, you know, all the potential development of tools that are being presented to you because you don't always know who's behind it. And for better or for worse, there are a lot of nefarious actors out there who will take advantage of that situation to get access to data. And kind of one of the tropes is if a service is free, well, it's not free. You're the price. Because they're clearly seeing value in getting information from you or other things that you're going to pump into that system. Because know there's going to be a lot of things that are probably being collected that you might not be aware of. Yeah. And that goes to a different point which is, you know, even, even if you're the really small fraction of people who would read the terms of use or the privacy policy of everything you're using, there's, you know, the reality is you can't negotiate those things if you're an individual user. The only option is you use it or you don't. And depending on what that tool is, you, you're probably going to use it because there might not be a better option. Yeah, kind of building up on that. Matt, how do you think organizations are aware of the exposure of that? And what I mean by if they've got patient data that flows to a third party app through an API and HIPAA doesn't follow the same way. Do you think the organizations are aware of the exposure for this? So one, I think the organizations are potentially aware that the data is exposed. But if you. But then the other side of it is they don't have liability. Yeah. Yeah. Because if, if your patient is telling you I want you to send it to this application that I'm using, I'm invoking my rights under info blocking and all that. Well, I, as the health care organization, my, I'm liable if I block you from access to the data or if I, you know, if I'm not following the requirements of the regulation. But once I've sent it to where you've asked me to, that not my problem anymore to, you know, to put it bluntly. 
And I think that is part of the problem or maybe not necessarily the problem, but that's where the concerns are being raised because, you know, back to what we were talking about a minute ago, it's, you know, if you're sending data to a place that's untrustworthy, well, maybe no one has responsibility for it. But if you've let that cat out of the bag, someone's going to feel bad about it afterwards. And then you might try, you know, you might try to have that finger pointing at that point might not get you anywhere, but it might also harm a different type of relationship. So it's, you know, I don't know if liability is necessarily the folk issue there, you know, because liability is always going to be somewhere or there's going to be, you know, allegations of some type of liability. But I think it's really, you know, being able to get to relationships and trust and you know, understanding what is happening. And I think that piece of it is, you know, not where it would ideally be. Yeah, and I know that you work with a lot of companies in terms of counseling them, especially where organizations are caught between information blocking compliance on one side and protecting patient data on the other. How do you counsel them on that? Yeah, I mean it's, I said not an easy conversation because it's, you know, at baseline you have to comply or you should be complying. You know, obviously there are probably instances where you can, you know, you can take on that risk of non compliance if you think that, you know, the potential blowback isn't going to be that great. You know, it's obvious I'm not going to counsel anyone to violate the law because that is contrary to my ethical obligations. But I can counsel on what are risks involved with different types of behavior. 
And you know, when it comes to these instances, it's, you know, potentially not fully meeting the requirement is maybe morally or ethically the better thing to be doing and to drive a conversation with the individual making a particular request. You know, if you're talking about large organizations, I fully understand that that is a really tough ask and you know, operational thing to try and follow. You know, if you're talking about like a multi state hospital system, you know, it's probably going to be hard to train all your staff on having these types of conversations as patients are making requests to send data to different places. To the extent that that's even happening because it's, you know, I think it's also a somewhat smaller Subset of patients who are actively aware of all of these, you know, new rights that they might be able to exercise. You know, so it's, you know, I know that isn't really a fully complete answer, but it, you know, I do think a lot of it is a work in progress. And the biggest thing from my perspective is to have conversations. And if a request is coming in where there is a concern or there isn't a known risk with sending data somewhere, use that as an invitation to open a dialogue and talk it through with somebody. So that way if they still ask for it. Well, now from an organizational standpoint, you have that CYA where you can document saying we counseled or we had a discussion and there was still the clear request. So that way, you know, if something bad were to happen in the future, you know, you can then lean back on that conversation and be able to show, you know, we, we really followed a request here and, you know, you probably don't want to try to throw it back on the person if we told you it was a bad idea, but you got that in your back pocket, you know, if some, you know, something were to try to fall back on you. Yeah. 
And talking of risk, Matt, I know a lot of organizations out there, if not every organization is working with AI, they're working with AI co pilots. It's been embedded into their workflows, revenue cycles and things. Do you think organizations are underestimating the risks that are associated with this as everyone is rushing to deploy it? Yeah, one, I don't think any of us know the full scope of risk when it comes to AI. That's arguably the glib answer to it because the technology itself is, know, evolving and growing so quickly. You know, I do think a lot of organizations are asking a lot of good questions. It's, you know, a bunch of the systems I work with, you know, they are developing standard terms around usage of AI and they are thinking about it, you know, at times that can potentially be very restrictive and, you know, runs contrary to potentially how solutions actually operate. Because, you know, I'm also on the other side where I've worked with a bunch of companies that are premised on AI and have AI as their core functionality. So it's, I think what it comes down to though is transparency and understanding what data are being collected, how the data is being used and what are going to be the outputs and how can you structure it so you're meeting requirements. When it comes to the risk, I'm more concerned about generally available AI solutions. You know, because the bigger the big issue is, you know, I'm sure every organization out there, even if they have AI tools that they've made available to people that are, you know, vetted, contracted, and have all the right agreements in place, people are still probably going on the Internet using, you know, ChatGPT or any, any of those freely available services. Well, now once you put your data in there, it's gone and it is forever in that system. And you have. And if you've put in phi, you have a breach. 
Yeah, and I think that is happening, unfortunately, probably more frequently than might be expected, because maybe someone doesn't like the particular tool that was selected because they don't think it works quite the right way, or they just aren't paying attention to understanding what the organizational policies are. We've always talked about shadow IT; there's definitely shadow AI going on out there. I think that is an issue that will probably never be solved, because there's always going to be use of unapproved services. But you've got to at least try to get in front of it and create awareness and education. To me, at least from a data privacy and data security perspective, those are some of the bigger risks. And that doesn't begin to touch on the operational side of what the AI solution is actually doing and what the potential liabilities are, depending on where it's being deployed. Is it somehow involved in clinical care, or is it all administrative? Those types of issues, as I said, are completely to the side of privacy and security. But like all good, fun new topics, there is an endless supply of legal issues and considerations that are very much in the infant stages of being worked out.

Yeah, and we know that many of the leading AI vendors out there are saying they're HIPAA compliant. But from your side, Matt, what does that actually mean and what doesn't it mean?

Yeah, so it's kind of the same as what it means for a lot of other companies. It's what protection, what policies and procedures, and what kind of infrastructure and operational methods they have in place. If you're talking about AI, where is the data going?
Is it going into just their proprietary server and database, running a private instance of whatever outside-developed AI solution is being utilized? I have clients that have OpenAI or Claude or any of those types of services, and those groups, if you're in healthcare, will sign a business associate agreement with you (if you can get them to respond to you), and your data will go into the right database over there. No different than if you're on AWS, Azure, Google or any hosting service: you can use the healthcare side of it, where they'll sign a BAA and you can have the appropriate controls in place, or you're not. So you can definitely structure and build the organization from the vendor side so that you're hitting those right checks and putting the right operational goals in place. I think what it all comes down to, and it's the same whether you're an AI vendor, a health system, a physician group, anyone, is that you have to, one, be aware of the requirements; two, ask questions; and three, work to actually develop and live and abide by them. While vendors can sometimes get a lot of negative attention for it, unfortunately there are also just as many healthcare providers that would be defined by HIPAA also not living up to their obligations. As I said, from my perspective it always comes down to awareness and the willingness to take the time and effort to focus not where you might necessarily want to, but where the industry forces you to.

I think, Matt, it's interesting because talking to some customers, they've been raising the ambiguity about who owns the data fed into the AI models.
And from a healthcare organization perspective, what should they be doing in terms of locking that down contractually before signing with an AI vendor?

Yeah, so that goes into, again, how the databases are set up. Is data being commingled, and then what can happen if the relationship were to end? Picking up the ownership piece first: the business associate does not own PHI. That is crystal clear. If you're a business associate and your contract with the covered entity ends, if, hopefully, people have been reading their business associate agreements, you have to return or destroy all of that covered entity's PHI upon the termination. Most BAAs will then include the tag-along statement that says if return is not feasible for some reason, then you don't have to, but you can only keep it for that specific reason that return or destruction is not feasible. And I would say wanting to exploit the data on an ongoing basis for product development is not a reason that makes return infeasible. So that's the first piece of it. A lot of the companies I work with are able to segment their databases, so it is possible to return or destroy. But then they also want the ability to de-identify and aggregate data so they can train and do further product development or refinement, or other uses, off of de-identified data. Keeping that and explaining that is going to be totally fine, because HIPAA has a specific provision to address de-identification of data, and once you've de-identified PHI, it's not subject to HIPAA anymore. So now it's kind of generalized data. I think it's really coming down to those couple of different buckets, and it's kind of interesting.
Before AI really started exploding over the past couple of years, it felt like the industry had gotten to a place where there was comfort around de-identification and ongoing use of de-identified, aggregated data. It now feels like we're falling back 10-plus years, to where I'm seeing a lot more blanket prohibitions on de-identification. And it's all because of that fear, I think, of what's happening with AI. I think that will probably start to ease up in the next couple of years as we go through that repetitive cycle, and there's less fear around what's happening to data in AI models or in the companies that are developing AI. But for right now, I think it is going to take a lot of discussion and open, honest transparency around what's going on there.

Yeah, let's switch gears to breaches. I think it's such an important area as well. We see that most of the damaging breaches don't originate inside the covered entity; it really comes down to the vendors. What's your view on the breaches and the fines associated with them?

Yeah, I mean, breaches are an ongoing issue. That's one of those things that I just keep an eye on, and every single day of the week it is easy for me to go to a couple of the websites that track breaches, and there are probably anywhere from three to five or more breaches being covered as reported that day. When I first started really paying attention to it, say 12 or 15 years ago, it would be a couple a week. So just the fact that there's that ongoing issue really underscores why security is such an important issue across healthcare. And it's also not a problem just for the vendors; it is for everybody.
I think implicit in your question is the reality that vendors are starting to experience an uptick in attacks, because if you hit one vendor, you're most likely to impact a bigger database, because it is very rare for a vendor to only be supporting one covered entity. They probably have data on a number of different covered entities. So there's that ability to have a quicker, wider-spread impact, and you can't ignore that fact. In terms of penalties coming out of the breaches, comparatively, those are still very few and far between. This past year, '25, and so far in '26, there have only been a handful of penalties or settlements announced by the Office for Civil Rights within the Department of Health and Human Services; that's the federal agency that enforces HIPAA. There have only been, as I said, a few out of there, and I'm having trouble thinking of it, but I know that there have been a couple of other settlements that have come from different state attorneys general. If you think about that handful compared to, as I said, multiple data breaches being reported per day, and then multiple other issues being constantly reported to the government, the likelihood of a fine is, as I said, comparatively very low. There is a different area that has been growing significantly, and I'm now seeing more reports of these coming out: the tail end of it is, not every time, but a lot of times when there is a significant or material data breach, you're now seeing lawsuits come up afterwards where people who are potentially impacted are bringing individual suits, or very often a bunch of suits are being consolidated into a class action.
And then you're seeing settlements of those lawsuits for what could look like significant sums of money. So it's almost like the settlement amount out of those cases has become the more common penalty that organizations are paying. One piece of commentary I'll add about the lawsuits, because I'm personally extremely cynical of them: if you read the details of most of those settlements, the bulk of that money goes to the attorneys. When you're doing a class action like that, the attorneys are typically doing it on what's called a contingency fee, so the attorney only gets paid as a percentage of the award or settlement amount, and that contingency fee can typically run from 25 to 33% of the amount. So a big chunk of the settlement is going to go to that. And then individuals, if they can prove that they had out-of-pocket expenses, will get reimbursement of those expenses. Well, most people probably aren't going to have documented expenses that they can tie directly to the data breach. And then there might be a nominal amount of money that's just given directly, and I've seen that be as low as 10 or 15 bucks. So there's really not much personal benefit. Like one that I saw recently: I think it was a $900,000 total settlement, and I think about 400 of that went to the attorneys. The five people who were identified as the class litigants each got about $1,200. Impacted individuals, if they could document expenses, would get up to about that same $1,200 in documented expenses. And then the only thing they definitively got was one year of identity theft protection, which is really a standard response if there's a data breach, and a $10 voucher to be used at the provider that was impacted.

Wow. Okay. So I'm just thinking, then, BAAs: most organizations have them in place for their vendors.
Does that really offer the level of protection that they need when something goes wrong?

Yes and no. I'll quibble with one way you framed it: most organizations not only should, but absolutely have to, have a business associate agreement in place before they share PHI or allow a vendor to access PHI on their behalf. Because if the covered entity allows PHI to flow to that vendor before there's a business associate agreement in place, the covered entity now has a breach. The HIPAA regulations are extremely clear that the BAA is a prerequisite for the business associate to be able to get their hands on PHI. So I always want to make sure that people remember that piece of it. On the protection side, if you have a business associate agreement that is following just the black letter of the regulation, the regulations don't require insurance coverage. They don't require indemnification or expense reimbursement. So if you're thinking about protection from that perspective, if you just have a base BAA like OCR might publish as a template, you're not going to have technical protection. The way you're protected is that if your business associate causes an issue, they can be directly liable under the regulations for the issue that they cause. So if they cause a breach, OCR investigates, and it's clear that the business associate caused that breach, OCR should be looking at that business associate for imposing any type of punitive action. Additionally, as I said, a lot of business associate agreements will include language around either insurance coverage on the business associate side, indemnification, or some type of reimbursement language.
So that's where you're contractually trying to shift liability and shift responsibility if something were to happen. No matter which side I'm on, I can understand why you have it in there. I might push for slightly different wording depending on whether I'm representing the covered entity or the business associate, but I'm past the point where I'd be trying to have it struck out altogether. The one thing to keep in mind on the covered entity side is, depending on the size of your business associate, if there's a significant breach that has a lot of cost along with it, then depending on the financial capability of that organization, they might get wiped out before they can really make anybody whole for the issue that might have been caused. I'm not going to use that as a reason not to contract with somebody. It's really just an ongoing risk, and it has to figure into that risk calculus when you're thinking about who you're working with and what the potential fallout could be. What I always like to say is that one of the roles I have as an attorney is that I always think of the worst-case scenario. You're kind of the wet blanket on all the happy thoughts at the beginning of a relationship, so you can be prepared if something were to go wrong and not have to figure it out at that point in time.

Yeah. I was just thinking, a couple of customers I've spoken to recently feel like it's just a checkbox exercise: they get the BAA signed, get the annual training, and then they move on. But I think that's a risky mindset to be in, especially in 2026, the 30th anniversary of HIPAA being signed into legislation. It just feels like a bit of a dangerous position.
Yeah, no, I agree, because I've seen a lot of clients or others just get the business associate agreement signed and not think twice. I've also seen covered entities just kick it out without thinking about what's in here and who they're working with. The reason it gets me frustrated is because there are a number of scenarios where I've seen that happen where, if I'm on the vendor side, my client hasn't actually been a business associate, so we don't need to be signing it. And then I have to explain it to them, because I've had a couple of clients come to me where they were getting going, so they had already signed some, and then we start working together as they're getting deeper into their customer base, and they tell me, oh yeah, we got this and we just signed it, we didn't think about it. And I walk them through it: you didn't need to, so now you've contractually agreed to these additional requirements. Are you meeting them? Because if they're not meeting them, I told them, you've now given your customer an ongoing daily reason to be able to terminate your agreement, because you're not complying with a contractual commitment that you've made. So it is definitely very important, and I fully agree with you that you need to think about what you're putting out there, and also what you're signing on to. Especially when the business associate agreement is applicable, you want to see specifically what's in there, because everyone's is slightly different. Like I always like to say, 90 to 95% of it is required by regulation.
But there are going to be nuances in there, and that 5% of additional provisions that are custom to what that covered entity is presenting, you need to be fully aware of what's there. So anytime you have an agreement, you want to take the time to make sure you understand what you're signing up for.

Yeah, makes complete sense. So if you could change one thing, Matt, about how healthcare organizations approach privacy and security leadership, what would you say?

Yeah, it is definitely improving, but I would still like to see more investment, time and resources given. I fully recognize that it is not going to be an area where you get a strong or a clear ROI. It's more of a, if you make the investment here, you might end up paying less on the back end if something unfortunate were to occur. The problem is that unfortunate event is happening more frequently. So if you're giving it short shrift upfront, you're just going to be dealing with one of those issues sooner rather than later, and the long-term fallout of that is definitely more impactful. There's a lot of data out there now showing, if you're a hospital, what the financial impact to recover is, and what the increased level of patient harm is that can arise if you're hit by some type of cyber attack or other security incident. And if you're on the vendor side, if it happens, you might see your whole customer base evaporate. Even if it was something innocuous, once that's out there, it is hard to escape it, because things live on the Internet forever.
So, as I said, I would just like to see more investment, whether it be time, resources, money, personnel, whatever, just to make sure that it is definitely forefront of mind for everybody across the industry.

Yeah. So for a healthcare executive or a compliance officer listening to this today, what conversations should they be having internally that they're probably not having?

Yeah, I think the conversation is to actually just have the conversation. For each organization the content of it is going to be slightly different, but you want to be constantly vetting and aware of what your posture is, where you stand with compliance, and what you can be doing to continually educate the workforce. In the past, when I've been in-house, I sent out quarterly fun little reminders to every employee of my company, where I had a particular piece of HIPAA that I wanted to highlight, talk about it, talk about why it's important, and then talk about how it applied to us as a company. That kind of continual reinforcement, having those conversations and showing that everyone from the top down takes the issue seriously, is really going to help keep the ball moving.

Yeah, great advice. So let's talk about your podcast then, Matt. Healthcare de Jure. Tell us more about that.

So I've been doing it for about 10 years now, and it's a show where I just get to talk with fun people from all across the healthcare industry about anything interesting that's happening. Privacy and security have been popular topics. Recently AI has definitely been up there. I'll actually be talking about non-emergency medical transportation soon.
Health insurance, Medicare Advantage, star ratings. If there is a topic in healthcare, I'm always happy to chat with somebody about it.

Sounds great. We'll put all your contact details and the podcast on this one as well, so people can start following your work and connecting with you. Because for me this conversation has been really insightful, Matt. I've learned a lot going through it. So thank you for sharing your advice and your expertise in this area. I think a lot of the listeners will find it highly valuable.

Thank you very much for the opportunity to chat. It's always fun to pull apart all the different issues facing the healthcare industry and hopefully get people thinking about it.

Yeah, thank you so much, Matt. Appreciate your time, and I'm sure we'll talk again soon. To get more information about our low code platform, please visit caspio.com and visit our YouTube channel to learn more. Bye for now.