AHLA's Speaking of Health Law

Managing Vendor Relationships and Navigating Data Breaches in the New Age of Data Privacy

American Health Law Association

Vendor relationships and data breaches are usually found very high on the risk heat map for anyone working in health care and technology. Andrew Mahler, Vice President of Privacy, Compliance, and Audit Services, Clearwater, speaks with Shalyn Watkins, Associate, Holland & Knight, about how health care organizations can better manage third-party vendors, respond to data breaches, and navigate the evolving legal landscape of privacy and security compliance. Shalyn spoke about this topic at AHLA’s 2025 Annual Meeting in San Diego, CA. From AHLA’s Behavioral Health Practice Group. Sponsored by Clearwater.

Watch this episode: https://www.youtube.com/watch?v=2hf8MQ5ZwZM

Learn more about the AHLA 2025 Annual Meeting that took place in San Diego, CA: https://www.americanhealthlaw.org/annualmeeting 

Learn more about AHLA’s 2025 Annual Meeting eProgram: https://educate.americanhealthlaw.org/local/catalog/view/product.php?productid=1472 

Learn more about AHLA’s Behavioral Health Practice Group: https://www.americanhealthlaw.org/practice-groups/practice-groups/behavioral-health 

Learn more about Clearwater: https://clearwatersecurity.com/ 

Essential Legal Updates, Now in Audio

AHLA's popular Health Law Daily email newsletter is now a daily podcast, exclusively for AHLA Premium members. Get all your health law news from the major media outlets on this podcast! To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.

Stay At the Forefront of Health Legal Education

Learn more about AHLA and the educational resources available to the health law community at https://www.americanhealthlaw.org/.

SPEAKER_01:

This episode of AHLA's Speaking of Health Law is sponsored by Clearwater. For more information, visit clearwatersecurity.com.

SPEAKER_02:

Welcome, everyone. My name is Andrew Mahler. I'm the Vice President of Privacy, Compliance, and Audit here at Clearwater, and I'm very excited that today we're talking about a topic that's usually found very high on risk heat maps for anyone working in healthcare and tech, and that's vendor relationships and data breaches. I'm really fortunate to have with me today Shalyn Watkins, who's an associate at Holland & Knight. She's truly an expert who brings deep expertise in health law and privacy and the practical realities of working with vendors. She spoke about this topic during a presentation at AHLA's 2025 Annual Meeting in San Diego, which was called The Complexities of Managing Vendor Relationships: Practical Strategies for Navigating Data Breaches in a New Age of Data Privacy. Shalyn is also the vice chair of AHLA's Behavioral Health Practice Group. In this conversation today, I'll ask Shalyn a bunch of questions about this topic, and leveraging her expertise, we'll unpack how healthcare organizations can better manage vendors, respond to related data breaches, and navigate the evolving legal and risk landscape. From HIPAA to HITECH regs to recent lessons learned from high-profile cases, we're going to get a firsthand look from Shalyn at how industry leaders and their counsel are looking to protect data and manage risk. Shalyn, I'm really thrilled to be speaking with you, and I would love it if you'd start off by maybe telling us about your role and why this topic is so central to your work.

SPEAKER_00:

Yeah, thanks for that intro. It actually makes me feel like I'm way better than I am sometimes, so I love that. I work at Holland & Knight as a senior associate in our healthcare regulatory enforcement practice group. A big subset of the clients that I represent are telehealth companies and telehealth platforms, but I also work with plenty of different provider types, hospital systems, health systems, laboratories, and other vendors, which is something that I think is really applicable to the topic we're talking about today. In my past life as a lawyer, before I came to Holland & Knight, I also worked at the U.S. Department of Health and Human Services in the Office of General Counsel as an assistant regional counsel in one of our regional offices. In that role, I actually represented OCR, the Office for Civil Rights, which is the agency that promulgates HIPAA, which is a lot of what we'll be talking about today. But at the same time, there are so many other things that have happened since my long stint back in the day with OCR that I think are going to be fun to talk through in this podcast.

SPEAKER_02:

Yeah, thanks for sharing that. And to your point, things just seem to change day to day, let alone year to year. So for those listeners, and you mentioned OCR already, but for those who maybe aren't as familiar, and I'm sure many are, can you speak a bit about how HIPAA shapes an organization's responsibilities related to managing vendor risk?

SPEAKER_00:

Yeah, especially for large organizations, HIPAA is usually the first thing we're talking about because it transcends state lines, right? We're talking about anyone who is involved in a healthcare organization, for the most part. If you're billing insurance, or you're getting some sort of federal financial assistance through your practices, or you're contracting with someone who is a HIPAA-regulated entity, you're going to fall into this bucket requiring you to have HIPAA compliance. And I think at large scale, when we're talking about just creating a compliant health system, privacy and security become a huge chunk of that because of HIPAA violations. As you know, Andrew, we work with Clearwater all the time in our firm, and our clients realize that there is a big financial impact if you have a HIPAA violation. Sometimes that financial impact can get up to treble damages. Also, an investigation when you're dealing with HIPAA-regulated entities can get so intense that it sometimes involves grand consequences like referrals to other agencies, OIG, DOJ, and even sometimes to CMS, which could put Medicare funds at risk. For a lot of these organizations, Medicare and Medicaid are some of the highest payers coming into their organizations. So it's really important and critical that we're thinking about the most important element of some of this, which always kind of comes down to privacy and security. And I think another thing that makes HIPAA so critical these days is the fact that we're in the age of this new tech wave, right? You watch TV and there's always a hacker of some sort. There's a robot that can do anything and everything. We know that none of us could probably live without our smartphones in our hands.
We just have so much more access and ability to get to things, which makes everything that we're doing a higher risk for those who might be looking to fish out really protected information. And likewise, when we're talking about why HIPAA becomes the backbone of a lot of our compliance issues, it's because every state, for the most part, has its own kind of baby HIPAA law that has a little nuance about what needs to be happening. And then even outside of the baby HIPAA laws, there is now this new wave of health data privacy laws that is sweeping the nation, right? You go to Colorado, you come here to California, and many other states, and data privacy is so critical that states are also looking to show examples of why they're important by creating these laws. And so their enforcement metrics are just really high priority right now.

SPEAKER_02:

Yeah.

unknown:

Yeah.

SPEAKER_02:

And to your point about privacy, in this world of data sharing, whether it's data sharing related to interesting tech, or for your robots running around your house or your city, or data sharing for other types of reasons, that risk just continues to evolve as we're living in such an interconnected world. And I know that, again, many listeners are probably familiar with the concept of business associate agreements, but can you talk a little bit about how that fits into vendor management and maybe some of the most common pitfalls you see in BAAs, whether it's drafting or acceptance or negotiation?

SPEAKER_00:

Yeah. So I think the BAA is the first thing we all want to look to in any situation. Whether you're a regulator, you're a party to the BAA, or you're an outsider who wants to maybe purchase a company, you look to see what your obligations are in the event of one of these inevitable breaches. And because of that, I think that's why BAAs become a critical point here. Now, there's also the fact that HIPAA requires you to have a BAA, right? So I would say when you talk about pitfalls, if you're a covered entity and you don't have a BAA in place, but you're giving out information to any of your business associates, then you're already in violation of HIPAA, and therefore we have a big red flag. So not having the BAA is probably one of the biggest pitfalls. But I'm seeing that less and less often. In fact, sometimes I'm seeing the converse, where some people just slap a BAA on everything, and there are times where you don't need a BAA at all because you're not actually transmitting any protected health information. And so I think a big thing that we discussed in our presentation was the pitfalls that happen in the middle of that spectrum, between the over-BAA and the under-BAA area. For basic understanding, a business associate, for the purposes of this discussion, is anyone that a covered entity or another business associate is sharing protected health information with. And to remove nuance, I'll just make it kind of simple: for the purposes of carrying out the business that is being organized under the overlying service agreement. One thing we really noted was that an incomplete BAA is just as bad as a non-existent BAA. And furthermore, a BAA that hasn't been updated is sometimes just as bad.
These are some of the biggest things that we're seeing with our clients, because if you have an ongoing relationship with a party who's your third-party vendor, and you've had this relationship for 20, 30 years, and HIPAA and HITECH undergo revisions, you might be missing some new changes. For example, as lawyers, we try to keep up to date and tell our clients, but there's a point in time where we're like, hey, there's about to be a new NPP requirement rolling out in 2026, so we need to make sure all of our clients are aware that there's this new requirement for updating your notice of privacy practices. And because you have to be up to date with different changes that are happening over time, it's really easy to forget to add those review cycles into your day-to-day if you're in-house. It's easy for me to put out another article and say, hey, don't forget this is happening. It's easy for me to call my clients and say, oh, by the way, I saw this. But in the inner operations of an organization, sometimes you're just not really thinking about some of the mundane. And back to the idea of an incomplete BAA: there are times where we've seen that the BAA won't necessarily address all of the different circumstances in which data might be transmitted and/or lost, inadvertently or purposefully. And that leaves a gap when you actually face the data breach, right? So something happens and the BAA doesn't address that situation, and everybody's got their hands in the air, like, whose job is it to deal with this? Is it the business associate's job? Is it the covered entity's job? When was notice required? Little pieces of the puzzle that are critical when you get to those big breaches, which I'm sure we'll talk a little bit about.

SPEAKER_02:

Yeah, and I agree with you. I mean, we frequently see incomplete BAAs, we'll see BAAs that haven't been updated to comply with HIPAA, and some BAAs that haven't been, to your point, updated to even really reflect what the services are. And then we see some cases where maybe the business associate has drafted their own version of a BAA and is allowing themselves to do a lot with the data that maybe the covered entity no longer feels comfortable with. We see things like the business associate can de-identify PHI for its own purposes. And some might argue that that may not be a legitimate purpose of a business associate relationship. So we see that too. Not to jump too far ahead, but as we get to talking about best practices at the end, I think this is just one that probably will flow throughout the conversation today. Are you reviewing it regularly? Do you really feel comfortable with your template? Do you feel comfortable with your agreements? Is somebody on point, particularly for those high-risk vendors with lots of data, lots of PHI or sensitive information? So I think, brilliant.

SPEAKER_00:

And I'd even plug in here, too, the idea of the DPA, right? Having the data agreement as well, which is usually attached. And I think one question that you kind of raised is, who's supposed to drive this? What party is supposed to be responsible? Typically, vendors are the ones who have it because they're the ones who are giving out their services so regularly. But if you're not negotiating that appropriately as a covered entity, really this is your data and you're on the line. So you should be either having your own standard BAA or heavily negotiating every BAA you receive, even if it's standard for the vendor.

SPEAKER_02:

That's right. Yeah.

SPEAKER_00:

And I kind of laugh sometimes when I think of those kind of frivolous clauses where the vendor is asking to do a little bit more with the information than is necessary. I think that goes to my original point, right? One thing that you shouldn't be doing is collecting information that you have no need to have. So one of my biggest pieces of advice for privacy, even with my providers, is: do you need this PHI? Why are you asking for it? Perfect example. If I'm representing a dentist, maybe it is important for you to know if your female client is pregnant or not because it'll help you with your assessment protocols. However, do you need to know the last date of her menstrual cycle? Is that helpful for what your practice is doing? And to the same point for vendors, is it helpful for you to be collecting information that you don't necessarily need, even for the internal services that you're providing?

SPEAKER_02:

Yeah. Do you want that risk? Do you want to carry that? And as I was hearing you talk, I was also thinking about downstream business associate relationships too, because the covered entity has really the ultimate responsibility here, but I'm sure you have lots of clients that are business associates who then share data with other business associates. And there are responsibilities there as those responsibilities flow down the chain. Whether or not you're a covered entity or a business associate, I think your words are applicable across that ecosystem. Right. So you briefly touched on some of the, I think you said, baby HIPAA laws, which is my new favorite phrase. But in your presentation, you talked about the FTC health breach notification rule as well as some of these state-level privacy laws. Of course, people are familiar with California, and more and more familiar with what's going on in Washington. Can you speak a bit about whether there are differences in approaches related to those state laws? Are you encouraging clients to add certain provisions or remove provisions based on what we're seeing at the state level?

SPEAKER_00:

Yeah, that's a really good question. One thing I love about working at Holland & Knight is that we also have our own data privacy team that I get to work closely with, because they get even more into the trenches with some of these state data privacy laws than I do. And it is a full-time job at this point, especially when you look at the Washington My Health My Data Act. It is kind of the archetype for everybody who is coming out with a new law. In our presentation, we highlighted various states that had pending legislation of the like. And what I've come to realize is that the most important piece for us as lawyers, when we're advising clients and thinking about state-level implications, is making sure that we ask the question on the front end: where are you providing services? Where are you collecting data? Because sometimes the answer is, hey, I'm not doing very much business in Washington at all. And so then maybe I don't need to have a very stringent part of a DPA or agreement or any type of set of protections that complies with the Washington My Health My Data Act, which is a long haul of work. But then if we never ask the question, and we find out a substantial amount of data is being collected in California or Washington, we are behind if we haven't already addressed that. So it's about first having that initial analysis, asking where the data is being collected from, what the purpose of the data usage is, how many individuals are having their information collected, and then creating privacy policies and having other elements of governance that will ensure that your organization is compliant with all the applicable laws. To that same point, that also usually means that your public-facing policies, not just your internal policies, are going to be impacted, right?
Both California and Washington require certain notices to be available for their consumers to see, for example. So that's why it's important to have counsel that is really up to date and knowledgeable about these things, and to work with consultants like Clearwater that understand the impacts of what happens if any of these provisions are being triggered. Because if you do the due diligence on the front end, and we just assume the breach is eventually going to happen. Hopefully it doesn't happen tomorrow. Hopefully it doesn't happen regularly. But if you just assume the breach is going to happen because it's inevitable, confirming that there are no holes or avoidable incidents in that breach, I think, becomes the critical piece. And so to that same point, we touched a little bit on the FTC health breach notification rule, which is almost the harder thing for me personally to wrap my head around, because there are a lot of questions about whether something was given with or without authorization. We were talking about the nuances between when this rule is triggered versus dealing with just a breach notification under HIPAA, for example. And I think at the end of the day, what I've seen in practice is you're going to play a catch-up game if you haven't already analyzed these things on the front end. One thing we don't talk about enough is the importance of risk analyses, right? So we talked about updating our agreements as part of our managing of relationships. And I typically tell my clients at least once a year you should be looking at those agreements. But to the same point, you should be doing your own risk analysis, which usually includes the review of your agreements, right? And completing that risk analysis to see if those holes exist, not just within your organization, but with your downstream vendors, is very, very important.

SPEAKER_02:

Yeah. And part of that is, when you think about your risk analysis, you also think about your data privacy or data protection impact assessments that many of these state laws and GDPR and others require, which force you to look at the data: where are you collecting data? Where are these patients or consumers or others based? And not to put too fine a point on it, but we frequently will hear, maybe not as frequently as we used to, from startups in particular and emerging health IT groups who would say, gosh, we'd love to have all the data. Can we work with our clients and just get all the data we can, so that then we can figure out what we want to do with it? And maybe there are some legitimate purposes for that depending on the circumstances, but we always tell people, I don't know that you know what you're asking for, right? Because even if you have a relationship where there is more free-flowing data, and there's a legitimate purpose for that, and there are the controls in place, to your point, if and when there's a breach, are you really sure you wanted this biometric data that was just cool to have, just in case? Maybe you didn't. Maybe you don't need that. Because it may trigger reporting, notification. You may have a regulator asking questions, you may have news reporters asking questions, and all of that just because you thought it would be cool if we collected the data and maybe we'll use it down the road. That's a big risk.

SPEAKER_00:

Yeah, and even with clients like that, I love working with startups because they're always so innovative, right? They're always on the cutting edge of things, but you almost have to sometimes hold their hands and say, hey, maybe we don't need it right now. But if we do think we need it in the future, it's not hard to amend this agreement and pull that information. Why hold on to it in perpetuity if we are not sure we need it right now? And for our listeners, sometimes what I've seen is that the reason why clients really think the idea of capturing large amounts of data would be great is that it leads to this kind of marketing-ish deal, where they want to be able to reach more consumers, reach more patients, which becomes a whole other slew of problems. And I think that kind of gets us into some of the big breaches that we've seen, or the big namesake cases that we've seen happen over the last few years.

SPEAKER_02:

Let's maybe talk a bit about this. So we've talked about, and I think you've shared a lot of insights about, some of these regulations and rules, whether it's HIPAA or state level or the FTC health breach notification rule, but maybe let's talk a little bit about legal risks and what you're seeing in the class action or general courtroom setting. In your presentation, of course, it's hard to talk about this day and age without reflecting back on what's happened with Meta Pixel and what's happened with Change Healthcare. And those are just two, as you know, among a growing list of organizations that are on the receiving end of class action complaints and other initiatives. So we'd just love to hear from you. Could you talk a bit about the trends that you're seeing in terms of legal risks, and maybe also defenses and things that you've seen that seem to be working well, just as you did such a great job of in your presentation with that survey of the legal risk landscape?

SPEAKER_00:

Yeah, and I'd be remiss if I didn't mention that I had two really great co-presenters as well in this presentation. Maria did a really good analysis of the economic and financial impact of data breaches, which I think is the first risk, right? It is the damages portion of these breaches. The damages being calculated is the first thing your client's going to hear and understand before anything else. And I think she ascertained that in 2024, about $4.9 million had been the average cost of a data breach for large-scale data breaches. So that was already shocking to me, and I think that's enough usually to catch a client's ear. But when we talk about some of the cases that we were seeing, and I think we kind of introduced the idea just now when we were talking about capturing large amounts of data, Google Pixel was kind of one of the first hits that we were receiving when we were like, oh my goodness, what's going on? And even to this day, Google Analytics is free. Clients love to use it because it's free. But Google is also still collecting a lot and a lot and a lot when you're using it. And that's hard to really navigate around for clients. We try to do simple things like making sure that the pixels aren't sitting on every single landing page on their website, that they're only applicable when necessary. Because once you've given it away inadvertently, it's gone forever. And you end up in this big class action world, which I think is also what we're seeing with Change Healthcare. Kelly, my other co-presenter, is in-house at a health plan, and she was able to talk about the real-world impacts of the Change Healthcare litigation. Both Google Medical Pixel and Change Healthcare showed us that the plaintiffs' bar is not afraid to gather as many plaintiffs as possible in these scenarios.
And I think with the creation of these new state-level laws, we're seeing even more of that, right? You're getting more causes of action as available options for plaintiffs. It's no longer just trying to find ways under HIPAA, where we were like, oh, well, there isn't really a private right of action. We're now seeing that there are multiple different avenues for plaintiffs to initiate litigation. And what Kelly spoke pretty well about was that in her organization, they realized that the reason why they ended up as part of the Change Healthcare ordeal was really because they hadn't updated their agreements with their vendors. Their data ended up being kind of sunk in as part of one of those big ominous data pools. And there was the next risk: once they were identified as being a part of all of this, they didn't know whose job it was going to be to do the record recursive reporting, until it was finally determined that Change Healthcare was going to have to do it for everyone. At some point, these organizations were just scrambling because this was all happening without them knowing what was going to happen. Everyone has an immediate responsibility to do the necessary protocols, do their own internal investigations, determine what their risk profile is. And when you're behind the ball like that, then you're also thinking about the fact that you now have notification requirements, which could be not only under HIPAA, right? You're thinking about notifications to the individuals, to the media, to the department, but then you're thinking about what your other requirements are under other laws, whether they be the state laws, or whether the FTC breach notification rule applies, which also requires some of those large notifications.
And so the cost of those notifications was a big point of negotiation for most everyone. Another thing to think about is the cost of being a part of the litigation and settling the litigation. Not just the cost of the damages that you have encountered by being a part of the data breach, but of making whole, quote unquote, the plaintiffs or the affected individuals. When you're dealing with just an enforcement action, you're not really thinking as much about it. But when we're sitting in litigation, your number isn't just that original damages number, it's that and more. And so I think one of our big lessons learned was that leveraging your desires as the covered entity with those of your vendors requires a special touch. It requires you to have people who are on the ground who are willing to be in constant communication with your vendors, who are willing to ensure compliance from your vendors. No one likes to be the watchdog, but in this day and age, if you're thinking about the average number being in the millions of dollars for a data breach, you want to insulate yourself from that risk. And that's without thinking about what the attorney's fees are going to be. That's without thinking about what happens when you now have to overhaul your security and your privacy group. When you have to put in new frameworks, it costs a lot more on the other side. We didn't really get too much into great defenses, because I think if we're honest with ourselves, we have to say that with a data breach, considering the fact that we're going to assume they're inevitable, there is no defense to the idea of violating or improperly protecting and securing information to the level that is required by law.
The idea is that if the breach is going to occur, so long as you are in compliance with the requisite laws, there should not be any real risk to the organization, because we assume the breach will occur and that's why the law exists. And so the caveat there is if you're in compliance, and being in compliance requires that watchdog mentality of our clients. And that is a mentality we haven't had to have for so long. Now that we have things like AI that are just embedded in our systems that are helping us get our jobs done, we have to be on top of it. We have to be forward thinking. It wasn't to blame anyone within the organizations for their personal failings at that point. It was the fact that the organizations had failed to keep up with what was happening and what was going on. So I think ultimately the only defense that we really heard was, hey, it's not my duty to deal with this, it's Change Healthcare's, right? Whose job is it? And that gets me back to one of my favorite rules I always tell clients when they're negotiating their BAAs: be very clear. Be very, very clear on whose duty it is to do all types of diligence, whose duty it is to do specific reportings, so that you're not pointing the finger in the middle of the crisis. It's also important if you want to talk about ideas of indemnification of sorts, right? Who's paying for the cost of those notifications or the necessary and requisite compliance with any notification requirements? Those are things that can be written into the agreements that can insulate those risks instead of defend the risks, right? You're insulating yourself from some of those risks. And I know Kelly spoke a little bit about how some of their agreements had that kind of indemnification while others did not.
And so when we're thinking about how complex these relationships can be, those are things that we want to be looking at and keeping updated and thinking through, just as much as we want the terms of the services and the data collection to be up to date.

SPEAKER_02:

Yeah. No, I think that's really helpful and very insightful. And I think we're getting into the best practice part of this conversation, but really quickly before we do that, I just wanted to mention that you mentioned the average cost of a data breach was 4.9 million. And when I was looking at the slide deck, I think this comes from IBM's data breach report from last year. I think it's important to note, since this is an AHLA podcast, or video, whatever we're doing these days, with lots of folks in healthcare listening and watching, that the average cost was 4.9, but the healthcare industry overall averaged 10.9 million per data breach. So in terms of just costs, not insignificant, right? Particularly for health systems that aren't prepared to manage this. So I appreciate you all sharing those data points. And thinking about best practices, as we're starting to maybe wind down the conversation, I think something you said really resonated with me. So at Clearwater, we do a lot of work with our clients helping to perform vendor risk assessments; we're reaching out to vendors on behalf of clients, we're helping to collect data, helping them do some of that ongoing risk management. I would say in most cases that works really well. There always is a percentage of vendors that are either non-responsive, or they're vendors that are huge, you know, the Googles, Amazons, Oracles, Cerners, Epics, who may be responsive, but their response is, take a look at this link, because here's where we've posted information about our risk analysis, or here's where we've posted information about our HITRUST work or whatever work they've been doing.
And in both of those situations, non-responsive vendors and then these huge vendors, we don't have the kind of interaction that we would like to have. And I think something you said about doing some of this work up front is really important, because at that contracting stage you do have this ability to ask these kinds of questions of your future partner. It's one thing to say, let's negotiate the BAA together, but it's another thing to say, hey, we're gonna have to be doing some oversight; we want to make sure we have a process with you so that we know who we're calling or emailing, or we understand what the requirements are up front, so that if it is, you know, an Oracle and they say, look, we don't answer vendor questionnaires, but here's our process, that organization can make a decision if that's the right fit for them. Obviously in some cases it's sort of unavoidable. But I thought it was worth extrapolating on that a bit, because I thought that was a really helpful point you made. When you think about clients, whether they're business associate clients or covered entity clients, what sort of best practices are you seeing, and what recommendations are you making, whether it's to general counsel or compliance officers? Just curious your thoughts.

SPEAKER_00:

Yeah, so we came up with three of our best practices that we wanted to highlight for those who watched our presentation. It was, as lawyers first, make sure that your client really understands the contract and the deliverable that's coming with that contract. And I think that kind of goes to the point that you were just speaking about, right? It's about the question-asking phase. It's about really diving in. And even if it's just between you and your client, you initiating conversation about the holes you're seeing so that they can really appreciate what's happening and what's not happening and what might be necessary. Second, we can do better by empowering our clients to work with their vendors directly on privacy issues, and kind of creating that watchdog, that oversight that we've been speaking about throughout this podcast. Embed someone as a liaison for your vendor relationships, right? And let it be a natural conversation. Maybe they just do check-ins monthly that are not necessarily, you know, the stringent, hey, produce X, Y, and Z to me, but just the basic understanding. Is the vendor willing to let you come and understand their operations internally? Just start those kinds of natural conversations, because when the relationship becomes a little bit more tense in the data breach world, you're gonna get a lot less hands-on time with them. And then the third thing we came up with was considering a demo or meeting with the vendor. And when you do that demo, your legal team and your privacy team should be there. We didn't really talk about this, but sometimes it is that, especially with our smaller clients, our startups, they go have the meeting, they sit down, they talk about it, but the right people aren't in the room to assess what might be next or what's practical or impractical for the organization as a whole.
So Kelly talked a little bit about it, whereas now her team, they always have privacy in the room in certain situations. And it's a non-negotiable; the meeting cannot happen unless they are there. I think that's a good rule of thumb to have where we're talking about things that could impact privacy or security. Have the people who need to be in the know at the table; don't just create a policy or procedure willy-nilly and then impose it on them, and then they come back and tell you, well, that's not even practical, we couldn't even do that. I recently had a client come to me and say, hey, well, Google won't sign our BAA. And I said, yeah, well, Google doesn't sign anyone's BAAs. That's something we could have easily told you on the front end of things, that that wasn't gonna be an option for you. And that's why, you know, these are the risks that we're trying to navigate around. And it's not worth your time trying to get me to negotiate with them, because they're not gonna do it. That's a practice we've learned. So I think those were our three big pieces and takeaways. If you add that to our list of things to be thinking about when you're negotiating the agreements and keeping them up to date, you're in a better spot, you know, and have knowledgeable counsel, have good relationships and rapport with consultants that really understand what's going on. I know I'm always happy when my client is willing to engage Clearwater. It's so much easier to be on one page and just be thinking through these things together on the front end of things, because we almost never end up with a problem.
And especially when you get to the acquisition phase, you know, when you're dealing with startups and they're ready to sell off, you're in a much better phase of life, right? And you're much more attractive to investors when everything's already in tip-top shape. There's no risk for them to acquire.

SPEAKER_02:

That's right. You can say, we've got risks and we're managing them, and we've got these people supporting us, and whether it's Holland and Knight and you or others, you can say we at least know what the risks are and we're dealing with them, we're sort of managing it. And vendor risks are not gonna go away. It's just, how do you manage it? What's the process? And do you feel like you're taking it a day at a time to help make sure your program is moving towards maturity? Yeah. Well, it's been really great talking with you, Shaylin. And really, like I said, I appreciate the insights, both from the presentation with your other presenters and then talking with you today. And I guess I'll just, in case you have any final thoughts, turn it over to you. But again, thanks for your time.

SPEAKER_00:

No, thanks so much for talking with me too, Andrew. It's always good to talk to you. I can't wait to see you soon, hopefully. And if not soon, then I better see you at an annual meeting next year. I heard it's exciting because it's coming to New York City for the first time in forever. So I'd love to be in Manhattan talking about all this with you in the summer of 2026.

SPEAKER_02:

Let's do it. That sounds great.

SPEAKER_00:

All right, sounds good.

SPEAKER_02:

Excellent.

SPEAKER_01:

If you enjoyed this episode, be sure to subscribe to AHLA Speaking of Health Law wherever you get your podcasts. For more information about AHLA and the educational resources available to the health law community, visit AmericanHealthLaw.org, and stay updated on breaking healthcare industry news from the major media outlets with AHLA's Health Law Daily Podcast, exclusively for AHLA comprehensive members. To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.