AHLA's Speaking of Health Law

HIPAA Privacy Proposed Rule - What Lawyers Need to Know

December 30, 2020 AHLA Podcasts

Wes Morris, Clearwater, and Kirk J. Nahra, WilmerHale, discuss the recently-issued Health Insurance Portability and Accountability Act (HIPAA) proposed rule. The podcast discusses key changes made by the proposal, including changes to the minimum necessary standard for care coordination and other information disclosure changes. Sponsored by Clearwater

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

Support for AHLA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for hospitals, health systems, and their business associates. Our solutions include our proprietary software as a service-based platform, IRM Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise, and advisory support and managed services provided by our deep team of information security and compliance experts. For more information, visit clearwatercompliance.com.

Speaker 2:

My name is Wes Morris. I am managing principal consultant for Clearwater Compliance. And I'd like to welcome you today to our podcast, discussing the proposed modifications to the HIPAA privacy rule, to support and remove barriers to coordinated care and individual engagement. Uh, joining me this morning is Kirk Nahra, and Kirk and I will discuss, uh, the major elements of this proposed rule and, uh, what it might lead to for the future. Uh, Kirk, would you be so kind just to introduce yourself and tell us anything you'd like to know about you?

Speaker 3:

Uh, sure. Thank you. Uh, thank you Wes, and thanks to, uh, AHLA for having me. Um, so I'm Kirk Nahra. I am a partner with WilmerHale in Washington DC where I am the co-chair of our global cybersecurity and privacy practice. And I've been working on healthcare privacy issues since, uh, I'm almost afraid to say 1999 or so. Um, so I've been dealing with the full evolution of the, uh, HIPAA rules from the very beginning, the early drafts, and I can certainly remember, um, spending a lot of time over, uh, the Christmas holiday in 2000, just like we're gonna spend time over the Christmas holiday in 2020, um, reading these enormously long proposals. So, uh, look forward to discussion of that today.

Speaker 2:

<laugh>. Yeah. Uh, I don't have quite as much time in it as you do, Kirk. I, uh, I, I, I moved from clinical work, uh, working in mental health and substance abuse counseling on April 14th, 2003 into my first role in the world of HIPAA privacy and security. So, uh, I didn't get the opportunity to spend the time on the original, uh, publication of the privacy rule, but certainly joined right in, uh, starting in oh three, uh, with it just as much. So, um, this new proposed modification, uh, coming as it is right at the tail end of an administration, we don't really know what's going to happen in the next administration. Before we even get into the content and the details, what are your thoughts around that, Kirk?

Speaker 3:

Well, I said the, the current administration is obviously putting out a lot of final rules, but this is sort of an odd thing. This is a proposed rule. And so the, the, the rule hasn't even formally been published yet. We're working with a, you know, an informal draft. I mean, it's not a draft, but it's an informal document at this point. So the comments to this proposed rule will not be due until sometime in February at the earliest. Obviously, there will be a new administration at that point in time. Um, you know, the administration, I suppose, between inauguration and that due date could pull this whole thing. I don't know that that's, uh, high on their priority list. So I sort of suspect that won't happen. But I do think there's gonna be a real question as to, um, whether the substance will move forward. I mean, the, as as you said when you were reading the, the, the title of the document, a lot of this proposed rule is driven by the idea in the head of the current administration, um, in the mind of the current administration, that in a HIPAA privacy rule to the goal of coordinated care or value-based care, you know, we can debate whether that's really true or not. And so I think there's a lot of questions, there are a lot of important policy questions we'll talk about today. And is that, I don't know that there's any thinking yet from the new administration on those issues.

Speaker 2:

What's the first clock that's starting for us once this is published?

Speaker 3:

Well, I mean, the most important clock right now is just gonna be the comment period. And there's gonna be a 60-day comment period between, you know, when it's published in the Federal Register. Comments will be due. Um, again, that, that certainly takes it at least till February, assuming that, uh, you know, it gets published between now and the end of the year, which I expect that it, it will, it's something that could get published, um, you know, any day by the time you're, by the time folks are hearing this, it may have already been published again, but, but the substance of the proposal is set. The document that we've been looking at is in fact, the substance. It's just not formally been print, been printed and published yet. Um, right after that, the government, you know, there's no timing. There's no particular mandatory timeframe at this point. We've had HIPAA rules that have moved at a relatively quick pace. We have had other HIPAA rules that have taken years to get to go from a proposal to, to a finished rule. Um, one of the provisions that is, that was part of the request for information that preceded this proposed rule, had to do with the HIPAA accounting rule. HIPAA accounting rule, uh, changes are a holdover from the 2009 HITECH Act. And in this proposed rule, the government basically said, we don't know what to do about that yet. And so we're not even addressing it in this proposal. So that proposal, um, is now working on an, an 11 year time period. So <laugh>, the time all these issues can be, uh, you know, again, noth nothing happens quickly, but there are, there are normal delays and there are extended delays. And, you know, I really don't know where this is gonna fit in the

Speaker 2:

Middle of that. Yeah. I remember being concerned about that accounting, uh, element, uh, back in 2009 when I was sitting as a privacy officer in a hospital system and thinking, how in the world are we going to accomplish this? So, I guess, uh, in this particular case,<laugh>, we find ourselves in the same place that, uh, the, the folks that are writing and promulgating these rules have yet to figure out how are we going to

Speaker 3:

Accomplish? Well, that, that particular, that particular, yeah, that particular rule is one that I will be perfectly happy to have, just never, never see the light of day. I, I work in another area of privacy where there's been an effort by some of the federal regulators to come up with privacy rules related to, to faxes, um, commercial faxes. And my theory is that they're just trying to wait long enough for faxes to disappear. So they don't actually have to come up with a rule that may be sort of what's happening with the accounting rule. The, there was in fact a proposal on the HIPAA accounting rule that goes back to, I think 2010 or 2011 mm-hmm.<affirmative> that's now been formally pulled. That, that, that proposal had the sort of unusual result of almost all of the comments being negative. Everybody seemed to dislike that proposal. Usually some people like a proposal and some people don't. That was uniformly disliked. And so,

Speaker 2:

Um,

Speaker 3:

Yeah, we'll, we'll, we'll be navigating that, but that's not today's discussion. Cause that's

Speaker 2:

Not today's

Speaker 3:

Discussion, especially, it's not in the proposed rule. They said they're gonna deal with it later.

Speaker 2:

Yeah. So, um, of course, we really don't know when the final rule will be published or if the final rule will be published, but, but supposing that it is, then we start a second clock, and that is, uh, the compliance date followed by the enforcement date. Let's get into some details here. Um, when we think about what this, this, this, um, proposed modification is all about, what's your big ticket take on it? What, what's, what's it really trying to do for us? Yes.

Speaker 3:

So, so, so despite how long this document is, I would break it into two main pieces

Speaker 2:

Mm-hmm.<affirmative>.

Speaker 3:

Um, the first piece has to do with patient access to their own health information. And that is a topic that's been, you know, the, the original, the HIPAA access right has been in the privacy rule since the very beginning. There have been complaints and concerns about how effective it's been for the entire history of the HIPAA rules. Um, those issues have really gotten a lot more attention in the last couple of years. Um, there have been some really interesting efforts in the private sector to encourage, um, hospitals, particularly to be better on access. There's been a number of developments in other regulations about encouraging access for patients. And, and then there's been enforcement by Office of Civil Rights for the first time. I mean, I think that, um, there's been problems with access for many years, but they viewed as, um, you know, single issue situations not sort of worthy of particular enforcement efforts. The, the, the current OCR, um, has been taking enforcement action in connection with patient access. So this is an evolution, it's an important evolution, but it's an evolution. It's not a revolution on access. Right. So there are a series of important changes that are somewhat technical, but are designed to make it easier and cheaper and faster for patients to get access to their records. That's topic one. Yeah. Topic two is much more policy driven, much more complicated, and frankly, a little, just trickier in general, the, the current administration believes that the HIPAA rules somehow impede goals related to coordinated care and value-based care. Mm-hmm.<affirmative>, they also believe that at least to some extent, HIPAA restrictions played a part in the opioid crisis. Both of those premises are things you can question. Um, I'm not sure I agree with them, but those are, those are ideas that are driving the changes here.
And what we're talking about in terms of big picture, you know, the, the second category is either expanding the ability of covered entities to disclose PHI in connection with things like coordinated care or making it clearer that they are able to make those disclosures even if they were permitted before, because the government has this idea that people were not making disclosures that they were allowed to make. And they believe that the reason doctors and hospitals weren't making disclosures is cuz they thought they were prevented from doing it. So there's a number of provisions that are designed to encourage more sharing of information with the goal of supporting value-based care, coordinated care, and helping to deal with, um, things like the opioid crisis.

Speaker 2:

So, circling back to the first big one, the access, right of access as, as you noted, this has been a, uh, a high visibility item for OCR at least for the last couple years. But I think all the way back to the first really big, uh, case involving Cignet Health, I don't recall what year that was. I'm sure you recall it, the case as well, in which it was a 4.3 million, uh, penalty, uh, as a result of refusing to provide records to 41 individuals, and then all kinds of different iterations and things that were

Speaker 3:

Right. But that's, I mean, that, that, that, that, that is, that is the one enforcement case that was not recent. But that, but that case is a, again, I, I, I had clients who freaked out about that case. Yes. And, but, but, but that case is a funny case and it's a, you know, and I, and I said to my clients, what are you actually worried about here? In that case, the government asked Cignet Healthcare something like 15 times to Right. They sent marshals, they sent, they sent subpoenas, and essentially the company just ignored them. And eventually the government got so mad that they entered into a penalty. You know, my advice to my clients, and this is really very sophisticated, you know, high expertise, legal advice is don't blow off the government 15 times. It's just the Right, right.<laugh>, you know, you re you read, you read the papers in that case, and you get the sense that if they had responded the eighth time, they would've been fine. So that case is not really about access rights, it's about blowing off the government by the same couple of years, is actual cases that are based entirely on failures to provide access rights without the blowing off the government component.

Speaker 2:

I I've noticed on several of those in the last couple of years, that there was technical assistance rendered. Sure. And, and then still the, the, uh, the patient, the member didn't, the individual did not receive what they were, what they were seeking. And so it led to further things. So I feel almost as though there is still a component of that. Don't blow us off if we give you technical assistance.

Speaker 3:

Well, look, I mean the, the, the, if, if, if, if a patient makes a request to the hospital and the hospital messes it up for whatever reason, they don't respond too late, whatever, and there's a complaint and they missed one, the government says, don't miss anymore fix it, and you know how you can fix it going forward. That's most of the cases, right? The government doesn't take action because you mess. In fact, I have a, I just closed a case with OCR for a client where again, they, they had gotten a whole bunch of requests from somebody and they missed one. And then once it was pointed out that they missed one, they fixed it. And it's fine, you know, the, the government, but, but the government is doing some individualized cases. They just, tho those cases are not gonna be driven by a single mistake. OCR almost never does a case based on a single mistake, maybe if it's a really enormous mistake. I mean, I I, I've been, ID, you know, when I, when I teach enforcement on these areas that, you know, there are a small handful of cases that are cases that I characterize as sort of send a message cases. There was one involving a hospital that had a reality TV show filmed in the hospital and the government, yes. Just wanted to send a message saying, look, that's just a bad idea. You can't do that. But for the most part, what the government does is they go after companies who have had either repeated problems or really egregious problems. I mean, the example I use with, with my students is if a company, a hospital has a security breach, and the government knocks on the door and says, I'd like to see your HIPAA security policies, and they say, what's HIPAA? Okay, that's a problem,<laugh>. But they don't tend to, they don't tend to take cases on a single, single situation. But I, but I think what, what, what's been important about the enforcement a, uh, effort in the last couple years is that they're going after these cases again with whatever baseline of activity.
But even in situations where the, the monetary penalties are not enormous. They're moed. I mean, they're, they, no, nobody wants to pay anything, but they're relatively small for the kinds of cases that the government has normally taken penalty cases. But they're doing them and they're doing 'em repeated. They're doing them repeatedly. And there's clearly a message to the healthcare providers that says, look, you gotta do this. Right? This is important. Now, you can't get away with being lazy. You can't be get away with being irresponsible. There are, you know, the government is paying attention to these issues. And I think that's an important message. And at the same time, these rule changes, these proposed rule changes are just designed to make things easier. For example, there's, there's information about fees they're trying to reduce, the fees they're trying to deal with, you know, accelerating some of the timetables. I mean, the, the, the, the timetable for, for an HIPAA access right? Was written in 30 days with the idea of, oh, I gotta, you know, there's a box of documents and I gotta have somebody in my office sit at a copy machine and copy. You know, that's not what happens anymore. So the idea, we're gonna make it faster, we're gonna make it, you know, so, so a lot of those things are, again, they're relatively, the, the, there's not a lot of, you know, sophisticated policy debate that goes into, are we gonna make it 15 days instead of 30 days? But it's important, and it's gonna, again, all of these proposals are designed to make it easier for patients to get access to their own information, to get them more engaged in the healthcare system. Again, all of these things are, I mean, there's trade-offs, right? I mean, when you, when you make things faster, uh, there's a, there's some obligation and some increased obligation on the covered entity side.
What they're saying here is, we don't think it's much on the covered entity side, and we think there's a real value to the patient. We're gonna draw the line and we're gonna say, favor the patient's right to access their own information. Mm-hmm.<affirmative> that be straightforward. And I don't expect that there will be a lot of companies who go out and say, oh my God, we can't possibly do 15 days. We really think that, you know, the answer should always be 30 days. Yeah. Maybe somebody's gonna say that. But I think in general, the changes on patient access are consistent with a series of developments that have been happening for a number of years that reflect the goal of patient access and reflect improved technology that makes it easier to respond to those rights. And again, those are all generally good things.

Speaker 2:

Yeah. I also noticed that they gave a lot of, uh, of time in, in the, in the proposed mods to discussion around things like allowing an individual to use their own device to take a picture of a screen of their PHI or, uh, allowing an individual to, um, uh, to make an, uh, an oral request rather than demanding a written, written request from 'em for access. Uh, and also drew a line between the use of the authorization form that most organizations have, and many have used as their source document for access requests as well. Uh, but they drew a line there that said, that's, that's not really what you should be doing. So I think in a lot of ways they are adjusting, uh, to, to try to make things better. Uh, I mean, you know, in many circumstances, being able to sit there with your provider and the provider says, well, here's your labs, Mr. Morris, and, hey, can I take a picture of those? Great. It can create its own challenges in some, in some cases. Um, but, uh, I think you're right around the access rules that we're really not talking about wholesale, throwing out everything considered with access in the past and redoing it. What about some of the other changes to these rules? I'm really interested in your take on this, this, um, the, the exceptions to the minimum necessary standards for, uh, care coordination, case management, and, uh, allowing for, um, uh, disclosures to, uh, for, for that, uh, care coordination, case management. What do you ta what do you think about what's happening there?

Speaker 3:

So, so the idea is to make sure, or, or to make it easier for people to sh you know, HIPAA covered entities, mainly doctors, not only doctors and hospitals could be there. There's some discussion of health plans as well. Make it easier for information to be shared when you're trying to coordinate care. Mm-hmm.<affirmative>. Yeah. That level, that's a, that's an admirable goal, right? I mean, it's better in general if healthcare providers have the right information. Um, and some of the, some of the changes are designed to make it clearer to hospitals and doctors that they're allowed to share for these purposes. The government seems to believe that people are not sharing historically because they thought they weren't allowed to. I don't know if that's true necessarily. I suspect there are lots of occasions where people just aren't doing it for other reasons. Sometimes, frankly, it could be laziness too. I mean, and I'm not sure where, where you say something's permitted and people haven't been doing it before because they're lazy. I'm not sure saying even more clearly that you're allowed to do it is going to change that. But that, but that's the idea, is to try to encourage sharing of information in coordinated care settings. Now, there are, you know, there are a couple of different examples of that. There are examples that are within different healthcare providers. You know, if I, you know, I, I have a primary care physician. I had surgery on my knee at a different hospital because I had a, you know, I, I, I had an injury when I was playing tennis, and I also have been treated by a psychiatrist because of Covid is making me crazy, and I have a substance abuse problem. And so, from a pure healthcare perspective, it's obviously helpful to the primary care physician to know all those things.
The way that the primary care physician usually knows all these things is I tell the primary care physician mm-hmm.<affirmative>, if I tell the primary care physician, or I say to my other doctors, please send information to my primary care physician. The doctor has all of that stuff. So all of these rules are designed to deal with a situation where I haven't told my primary care physician, they're designed to make it easier for those other doctors to share with my primary care physician. Probably a good thing at some level, but if I haven't told them, or I don't want to tell them, having the other doctors do that, again, we're, we have a trade off there between, um, between the healthcare system's interest and perhaps my interest in my own healthcare, but at the same time my own control over that situation. I think that's part of the difficulty. The other component that we're seeing here is in connection with social service organizations. We have built into the healthcare system. And, you know, last couple years, this, this isn't a surprise to most people when you talk about it, but we learn, you know, we're learning more and more that one of the reasons that people may be in bad health is that they don't have access to food, or they don't have good housing, goes onto the label of social determinants of health. And so there's always been a question of whether a hospital, for example, could disclose information to a local food bank to help a patient. Now, one way to do that is to ask the patient, there's always been the ability to ask the patient. Mm-hmm.<affirmative>, these rules are designed to make it easier for the hospital to do this without asking the patient. Now, again, there may be reasons to do that, but it's not cost free in the sense that that either means you haven't asked the patient or the patient has said no. And that's a trickier situation. So that's why I think it's just a more philosophically interesting question. 
Um, we're trying to, you know, again, there's no, nobody is gonna share that information because they think it's a bad thing for the patient. It's, but, but, but, but I think the issue we're gonna be thinking about is, do I as a doctor or a hospital get to decide what's good for the patient? If the patient isn't interested in that or doesn't want to do that, then the next issue that we have to think about, and this is a, a, a, an important sort of structural issue because of the limitations on the scope of the HIPAA privacy rule. When information is shared from a hospital to a food bank, for example, the hospital under these rules would have a permitted ability to make that disclosure. But once it goes to the food bank, we have to recognize that it's not subject to the HIPAA rules anymore because the food bank isn't a covered entity. The food bank isn't a business associate. The food bank, as far as HIPAA is concerned, is nothing. And so that's a result that may be an acceptable result, but we have to at least consider the implications of that result. That result exists because of the history of the HIPAA rules, where only it's not. Yeah. Again, this is, this is, uh, hopefully a reminder for most people listening to this, but the HIPAA rules are not overall medical privacy rules. They are rules that protect personal health information, protected health information when that information is held by certain kinds of entities in certain contexts for certain reasons. And so we are seeing more and more examples in our broadly defined healthcare ecosystem where health information isn't subject to the HIPAA rules. That's a parallel development that's going on here. That's something that's, we're seeing state laws, we're seeing some efforts at the federal level. That's a much bigger issue. 
But some of these disclosure principles that are in these proposed rules exacerbate those scope limitations by saying information that's protected by HIPAA is now gonna be disclosed to people who don't have a HIPAA obligation to protect it anymore. And again, I'm not at all saying that's a bad idea, but it's not a cost-free idea, and it's not a, you know, it's not an automatically good idea because again, the option today is to ask the patient, these rules are designed to make it easier for, for covered entities to disclose without asking the patient.

Speaker 2:

Yeah. Quite a valid point there. And, and I agree very much with your perspective on that. Um, couple of other areas that I just wanted to touch on very briefly. One of the things that I can definitely get behind, and I think most people can probably get behind, is eliminating the requirement to receive written acknowledgement of receipt of the notice of privacy practices. Uh, what are your thoughts around that one?

Speaker 3:

Yeah, so, so there's been a provision in the privacy rule from the beginning that says, um, you know, covered entities who are direct treatment providers have to give you a privacy notice when you're a patient and you're supposed to sign an acknowledgement that you received the notice. Mm-hmm.<affirmative>, partly that's because there's no, you know, the consent that you would be signing in other circumstances, the consent is assumed by, by the operation privacy rules. So you're not actually consenting to anything when you sign that. You're just acknowledging that you received that. And so the government has basically said in this proposal, we don't think there's any particular, we think there's a cost associated with having to collect those acknowledgements and keep track of them and maintain them. And we're just, we're, we're gonna not have that anymore. I, you know, I, I think it's fine. Um, covered entities are still gonna have to have a procedure in place to make sure that people are seeing those notices. But it's, but right now there's notices. It doesn't mean anybody's reading that. It just means there's sign something saying it was handed to you. So I am not a big fan of the HIPAA privacy notices in general. I think that the rule, uh, the, the rule, the way it's written and, and nothing in the proposed rule is changing this, um, requires there to be too much information in those documents that isn't of use to the consumers. And so, if I was in charge of this, I'd be writing a different rule to shorten up what's actually in that notice. But all they're doing right now is getting rid of this acknowledgement, which again, I think is, is a, it, it, it's interesting when you look at some of the details of the rule, when they, they, they estimate how much cost savings there are, and I'm gonna forget the number, but they, they have an enormous amount of cost savings<laugh> that they say from not getting that. 
I'm like, I don't know how that, how they get to that amount of money. But, uh, um, that, that, that's a modest tweak. Um, you know, again, there may be people who disagree with it, but it's a, that, that, that, that's very much a tweak without any big,

Speaker 2:

Well, the one point you make was, uh, I, on the other hand, am the guy who if I go into a new practice and, and I'm asked to check in for the first time, I'm going to look to see if you're asking me to sign that acknowledgement. And if you're actually giving me a copy of your notice, half the time, uh, they, they asked me to sign for it without it, and I won't, I won't do so. Uh, and, and then they'll have to scramble through the drawers to find the, the copy of the notice.

Speaker 3:

Right. But, but, but, but that, but, but that's a problem that exists today and is changed by getting rid of, you

Speaker 2:

Know, no, no, that won't be,

Speaker 3:

That won't obligation anyway. Yeah. They have an obligation to give you that notice to give you a copy of it, to make it available to you. No, I'll say most of those practices, you can probably go online and look at it anytime you feel like it, rather than look at right then. Um, there, there is an interesting discussion. I, I had the sense when the original rules came out that the government expected there to be, you know, you would go to the doctor's office for the first time and the doctor would, the doctor would hand you that notice, we know the doctor's not, not ever the one handing you the notice, but that you would then have a, a a, an engaging discussion with the doctor about the privacy practices of the doctor's office. And that would result in both of you being educated. None of that ever happened.<laugh>. So that actually comes up in a couple places in this rule where they envision this comes up in the patient access section, more of a discussion between patients and doctors and hospitals about, I just don't see any of that realistically happening, but they're trying to facilitate that.

Speaker 2:

Right, right. Yeah. The other areas that they, uh, touched on, um, very briefly, uh, one was, um, basically pulling telecommunication communication relay services out of the situation of having to be a business associate in order to provide services for people with a, uh, hearing or sight disability or a speech disability. Uh, and then the other one was around, um, expanding the, um, the armed forces, um, area, uh, to address the, the US Public Health Services and, uh, uh, NOAA, uh, to include in 'em. But for the most part, those are relatively modest things, and especially the armed forces part is not going to apply to a huge range of organizations. Would you agree with that opinion?

Speaker 3:

Yes.<laugh>. Yeah. That's, that's, that's as much time as we should spend on the armed forces change

Speaker 2:

<laugh>. Exactly. Yeah. Now, I worked for the Armed forces at one point, uh, running, uh, a team of, of specialists in HIPAA for the Air Force Medical Service. And for us, that was a big deal. Yeah, of course. But for the rest of the universe, it's,

Speaker 3:

It's not required. Well, and that, and that's, that's actually an, you know, like I was mentioning in the notice of privacy practices, that there are things in the, in the notice that are required to be there that I don't think are useful. You're required to disclose, you're required to include in a privacy notice, all of the possible, possible ways in which you might disclose information. And for 99% of the patients, those things aren't relevant. But you have to write them in the privacy notice for everyone because one out of a hundred or one out of a thousand times you might do it. That ends up, from my perspective, resulting in a notice that isn't very useful. But we've got that. The, the other point you made about those relay services, I think that particular example is a pretty limited example, but it's a, there's a broader question, which is, you, you know, there, there's an issue now with business associates where if a business associate gets one piece of protected health information, they can be a business associate. And so there are lots of situations where, um, companies really barely touch the information. There are some that are called conduits, right? Like the post office where they've said explicitly you're not a business associate, but there's a whole bunch of others where they really barely touch the information. They may not even know that it's protected health information. And the rules today have them be a business associate. And so I've spent all kinds of time over the last 20 years, you know, negotiating those deals. And then both, both sides seem unhappy with them. And I, I could easily see a more sophisticated analysis that would cut out some of the business associate category, but that's not what this rule is doing. They're, they're, they're dealing with a particular very small picture, not, not unimportant, but a very narrow tweak that they're dealing with.
And, you know, I, I, I sort of wish that there would be a broader look at the, the, the HIPAA rules in general. When the, um, when the HITECH rules were coming out, they said that they were, they were making changes. They were making proposals not only to address the HITECH law, but also to address the first 10 years of the HIPAA privacy rule. And then they didn't do anything to address the first 10 years of their privacy rule. Um, we've never really had a big full-scale reevaluation. You know, again, I understand why we haven't had it. It's not like the rules. I, I love, I love how the rules work. I think the rules have been generally very effective where they apply. Um, but it's said, there hasn't been a lot of overall thought about how the rules should work. And, you know, this, this proposal is, is a, is is overall thought on a couple of narrow topics, but it doesn't do anything more than that.

Speaker 2:

So in essence, we're still continuing the incremental change approach.

Speaker 3:

<laugh>. Well, and, and, and again, I'm not saying that's a bad approach. I mean, I, I, the, the, the, the, the, the question that's coming up, and this is a much bigger topic, I mean, not not today's topic and, and, but something that people in the healthcare industry should be thinking about is we we're, we're, we've been dealing with a relatively stable healthcare privacy environment for about 20 years. Cuz the HIPAA rules, you know, once people understood them and implemented them, have worked pretty well. And I think they've generally worked pretty well for both consumers and the healthcare industry. What we are seeing now is that there are more and more places, and I alluded to this earlier, there are more and more places in the broader healthcare ecosystem where health information is being collected, created, analyzed, disclosed, et cetera, that aren't subject to the HIPAA rules. And at the same time, we're also seeing more and more situations where there are other laws that apply to certain kinds of health information. And so I think that equilibrium that we've had for 20 years is threatened right now because of all the other kinds of principles that are crossing healthcare information that's gonna be part of, you know, a national privacy law debate. That's gonna be a part of what the states are doing as they look at broad-based privacy laws. I've been using one example in California, many of you may have heard about the California Consumer Privacy Act, which is a broad privacy law in, in California. If you look at, if you're a California resident, your healthcare information in California right now can be subject to at least six different regulatory regimes. I am personally of the view that that's bad for both consumers and industry. You know, the rare privacy lose-lose. And so I think that those bigger picture topics are bubbling up as part of a broader debate on national privacy.
But the, the, what we're seeing on HIPAA is, is that that incremental discussion, because the rules generally work well where they apply. The problem is all the places they don't apply or they don't only apply.

Speaker 2:

It's an excellent perspective. I really appreciate that. Um, I, I think we've covered a lot of information thus far. Uh, what would you give as a final summation, um, before we close out today?

Speaker 3:

Well, I think pay attention to these rules. If you have a particular perspective on any of those information disclosure changes. Do you think it's, it's too permissive for industry, you think there's a patient concern about that, but I think in general, I want you to pay attention in 2021 to the other developments that are going on in the privacy space. Some of which relate to healthcare, some of which, some of which directly relate to healthcare, some of which indirectly relate to healthcare. But I think that that's gonna be a really interesting, broader discussion as we see, again, states moving forward, perhaps Congress moving forward, um, changes also happening for those of you who work internationally, different rules in different countries. So we're really seeing a lot of turmoil in privacy generally, and a lot of that is applying to the healthcare industry, even though we have this veneer of stability around the HIPAA rule. So that's, that's just creating, that's creating a lot of my work these days. It's creating a lot of issues for my, for my clients, um, and just a really, and I think it's a really interesting issue to watch because of all the important elements of, uh, how data is used in the healthcare system.

Speaker 2:

That sounds like a good place to leave it. Uh, Kirk, thank you so much for taking the time to, uh, talk through some of these aspects of, of the rules. This has been, uh, uh, the podcast on proposed modifications to the HIPAA privacy rule. So long, everyone.