Unraveling the layers of HIPAA: A deep dive into data security with Iliana Peters

Secure Talk - Iliana Peters 

Justin Beals: Hi, everyone, and welcome back to SecureTalk. This is Justin Beals, CEO and founder of Strike Graph. I have the real pleasure of being in person today. We don't always get to do this with Iliana Peters. Thank you for joining us today, Iliana. 

Iliana Peters: Thanks for having me. 

Justin Beals: Uh, if you permit me, I'm going to do a brief introduction.

Iliana is a shareholder at Polsinelli, a U. S. national law firm. Prior to joining Pulsinelli, Ileana spent 12 years at the Department of Health and Human Services., she has a deep expert in privacy and security policy for healthcare and as an expert on HIPAA, privacy violations, and the future of the regulatory environment; we think we're going to have a really intriguing conversation today.

Iliana Peters: I agree. 

Justin Beals: All right. Ileana, I work with a lot of organizations that are focused on delivering innovation for patient healthcare and patient care providers. It has been over 25 years since HIPAA. Was passed as a law in the United States. I'm curious how you feel about HIPAA today in our market and maybe more broadly, what's our commitment to it in the United States?

Iliana Peters: Yeah, it's a great question. And I think it's a question that comes up regularly. It's a question that you've seen probably come up very recently as well. There have been lots of conversations fairly recently about whether or not HIPAA is dated, whether the regulations are dated, how we may need to improve them, particularly with regard to cyber security.

Justin Beals: Yeah. 

Iliana Peters: And so, you know, there's been congressional interest in that, HHS has specifically said that they're going to undertake some changes in that respect, particularly to the HIPAA security role. So we do expect to see that coming up. So watch for that. 

Iliana Peters: We recently have seen some changes just in the last month with regard to reproductive health.

Justin Beals: Okay. 

Iliana Peters: And the privacy role. So, you know, there have been changes over the years to address sort of a piece here or a piece there or a piece here or a piece there. And we do expect to continue to see that. Interestingly, the bulk of the rules, and again, just a reminder, we have essentially four rules. There used to be three.

And when we're talking about the history of the HIPAA rules, we started out with privacy, security enforcement. And then after the high tech act, which wasn't so long ago, but still, you know, a decade ago, we got breach. So then we ended up with privacy, security breach and enforcement, along with all the transactions and code sets that allow us to sort of bill electronically for stuff.

 Justin Beals: Yeah. 

Iliana Peters: And so the idea was that once we added breach, you know, we've sort of had this comprehensive set of rules. The nice thing about, for example, the privacy rule and the security rule, and then adding on the breach rule is they are pretty sort of technology neutral.

Yeah. Right. So they're designed to be about activities. about certain types of technologies or certain types of entities. They're really more about, okay, do you, do you play in this space? Do you bill insurance if you bill insurance or if you're a vendor to someone who bills insurance? 

You  know, they're not going to call you out as a certain type of health care provider or a certain type of technology company or a certain type of insurance company.

You know, are you one of these people that does this type of activity? Then you need to keep the data private. Similarly, you know, if you have this type of data, then you need to sort of keep it secure with these. types of controls and the kind of controls that we talk about in every industry in the world.

 They're generally administrative, physical and technical controls to protect the confidentiality, integrity and availability of data. And this is you know, the way that we talk about data security in every industry, in every economic sector in the world. So, you know, it's still interesting for me to have conversations with people and ask them because they say, “Oh, it's so outdated, we need to fix it”. Tell me exactly what you think we need to fix, 

Justin Beals: right? 

Iliana Peters: Because a lot of times they can't specifically tell me, you know, well, You know, we need to do this or we need to do that because it's really meant to be. These rules are meant to be flexible and scalable. They're meant to sort of fit where we are at this moment and they are technology neutral.

So the idea is that right now you have to implement encryption or something better. If tomorrow we all move to quantum computing. Arguably tomorrow we'll all have to implement quantum computing, right? Because that's better. So I think it's, I'm still struggling a lot with the fact that even HHS's own guidance for cybersecurity is suggesting from a best practices standpoint, controls that are arguably already required under HIPAA.

So we're not even there yet. The baseline if the HIPAA security rule is the baseline, we're arguably not even at the baseline yet. And so it's not clear to me if we can't even get to the baseline; what do we need to change to the HIPAA rules to address concerns? Because We're not even there yet.

Justin Beals: I think that is a great design to these standards, you know, like broadly when I think about whether it's something like SOC 2 or something more like a law like HIPAA. And when I talk to colleagues, I'm like, look, it's not dictating technology or your architecture or your product. It's just saying, you know, broadly, you need to encrypt the data, or it may even be more flexible. Like it needs to be kept private. 

Iliana Peters: Right. 

Justin Beals: There's some level of interpretation that you're required to do. Right.?  

Iliana Peters: Absolutely. And it makes it hard in a lot of ways, as you know, as a practitioner. Yeah. Because your business partners, just like my clients, want a checklist. They want you to be able to hand them a checklist and they want to be able to check all the boxes to be compliant.

] And it's just not like the rules for good reason, as you say, are not designed that way because it really is about, okay, what is your system look like? What is your enterprise look like and how are we going to protect your data? And so at the end of the day. It makes the rules very sort of time resistant, but at the same time, they're harder.

They're harder to implement because you don't have a checklist that becomes out of date every two years. 

Justin Beals: But, you know, and I would push back, and I do, um, in conversations on the concept that I wish you would make this easier for me by a checklist because as someone that has built a lot of product and we're trying to make the most innovative technology architecture we can, or the most innovative product we can, or meet a need in the market that's missing, you know, we don't want a checklist because it will box us into some of those decisions.

 So I'd rather have the freedom to be like, Oh, I'm using the cloud architecture in a very unique way, right? I'm putting my firewall in a slightly different place, right? But I'm still going to make some smart decisions about security. And I have to imagine, and I think I see it that once teams take on these as guidance to interpret for their own implementation, that they have better security because they're owners of it now.

Iliana Peters: I, think you've articulated it perfectly in terms of the way that it's supposed to work., and I think really internalizing it that way is the best way to think about how these rules are supposed to work. I think the problem obviously comes up is when you have teams that don't think about it from the beginning and then you're having to bolt on all of data security because legal told us to at the end, you know what I mean?

So it's, it's, you know, it's an important part of that conversation and should be part of that conversation at the beginning rather than at the end for multitude of reasons, including the legal requirements. 

Justin Beals: Yeah. You know, one thing that I, love to understand is how the sausage is made a little bit. 

We have a thing called a law, but then we have health and human services that seem to be interpreting the law and setting a slightly more detailed expectation. Is that right? Like we're getting some legislation, but then we get a little more specificity from enforcement at health and human services. 

Iliana Peters: Yes.  The Administrative Procedures Act process is very complicated. And you know, I've done a series of presentations on what I call “How a Bill Becomes a Law, Part Two”. Do you remember the little guy in “How a Bill Becomes a Law” and he sits on the steps of the Capitol and we're done, you know, Congress has passed the law.

Everyone understands. We're done. There's a whole lot that happens, to your point, after the little guy sits on the steps of the Capitol and he's, he's now a law, right? 

Justin Beals: Yeah. 

Iliana Peters: So, you know, it's, it's quite complicated. It's, you know, it's very resource intensive, but the short answer is that, you know, once you get a statute from Congress, those bills are written, those laws, once they become a law and the little guy steps, sits on the steps of the Capitol are written at extremely high levels.

Justin Beals: Yeah. 

Iliana Peters: They're not easily implemented by entities. That they apply to. Right. So what the agencies and its Health and Human Services, it's Department of Education, it's Department of Defense, whoever that law is directed to have to take what Congress said and do their best to interpret it.. 

And that's sometimes very hard. given all of the agreements, disagreements, conversations that happened on the Hill when that law was being made. And so what they do is they sort of propose, they do what's called a notice of proposed rulemaking. They propose what they think those laws mean and how they're going to implement them. 

And then you see a whole bunch of comments.It's one of the most important ways I personally think, and I'm a big believer in this process, that the public can and should be involved in the way that we make law in this country is the Administrative Procedures Act rulemaking process. When a, when a rulemaking is proposed, the public has the right to comment, and it's all a public process.

All those comments get posted publicly. Some of these laws are very esoteric and you get 30 comments. Some of these laws, like the recent changes for reproductive health, you get thousands of comments and the agency reviews all of those comments, every single one posts them publicly so everybody can see them.

And then they have to adjust all of those and write the final rule. And that's what becomes law. And of course there's, you know, legal consultations within the department. It goes through many different levels of review within the department and in the rest of the federal government, it undergoes a review.

Related to, you know, what the resources on entities that are going to have to implement these rules look like. And usually the best outcome is no one's particularly happy with the outcome, right? If you made everybody happy, you know, you did something wrong because nobody should be happy with what came out at the end of it.

If everybody's really unhappy, then, you know, you still have to do it. You did; you really did something wrong. But everyone, if everyone's a little bit unhappy, but not super mad about it, then you, you kind of know, okay, we probably got this right because no one should be happy and no one should be really unhappy because that's when you know, kind of know you're in the middle.

So that's what the rulemaking process looks like. And then there's what we call sub-regulatory guidance. And that's when the agency looks at a particular policy issue and issue some additional guidance. Because they don't undergo the same process, right? The public doesn't get to comment. Yeah, there isn't sort of departmental review, It [ doesn't go through the same levels of governmental review either. 

That's looked at with more of a skeptical eye because it's just. The department publishing guidance. And, you know, there were some pretty strong opinions, particularly during the Trump administration about whether or not the sub regulatory guidance should be binding.

So there's a lot of difference in, you know, what comes out of these agencies and whether it undergoes administrative rulemaking or not. And what kind of guidance we're talking about in that respect, all of it. gets legally challenged to some extent, you know, the rules that undergo an APA process. the department gets sued, guidance, the department gets sued.

So, you know, this all sort of works its way through the courts as well. Sometimes it gets to the Supreme Court, sometimes it doesn't, but I hope that gives you kind of a flavor for what that second step is. step looks like. It's quite complicated. 

Justin Beals: Yeah. And I thinkthe changing nature of the administration, as you pointed out, absolutely complicates all of it.

We've talked with colleagues that are in the intelligence field and the defense field, and you know, there's a big shift can be every four years in what the motivations are of the administration. And I'm curious about Polsinelli itself and your work here. Do you participate for your, on behalf of your clients in that commenting period or what you're looking for?

Iliana Peters: We absolutely do. We have a very strong public policy group here at Polsinelli. So we have registered lobbyists, but we also have folks like me who aren't registered lobbyists, but have a deep history with, uh, The agencies and work with clients of all different sorts to both comment, to draft comments and to participate in that comment process, but also to help legislators understand these issues.

I mean, in the last couple of months, I've had a couple of conversations with Hill staffers, for example, who are trying to understand these cyber security. issues and questions and what the department HHS has been doing on these questions and what the additional guidance means and what enforcement looks like in this area and those sorts of things.

So it's quite common for, you know, legislators and their staffers to reach out to different folks, including people at my firm who have experiences this area to try and understand better. 

Justin Beals: I mean, I think that in these highly technical areas, that's something that we should I mean, we are in a representative style of government, you know, legislators, their job is to be a politician and represent their constituents, 

Iliana Peters: right? 

Justin Beals: It doesn't make them expert in technology or privacy or security. 

Iliana Peters: Absolutely. 

Justin Beals: Yeah. 

Iliana Peters: No, I totally agree. I mean, I think, Many of the legislators rely on their staffers to get them the best information possible on any particular subject.

And I think that is no matter what side you're on is only helpful. 

Justin Beals: And interesting about your background. You were an investigator, I believe for a while for HIPAA. You must have. feet on the floor, head in the sky perspective on how these things work. 

Iliana Peters: Yeah. I had basically every job you could have in the office for civil rights on that team.

So I started as a regional investigator and then I did policy work. So I did administrative rulemakings and guidance. So I read comments and drafted responses. I wrote guidance with teams, you know, I supervised it specialists. I worked on multimillion dollar settlement case and headed up the enforcement shop.

I was on, you know, White House level, cybersecurity, working groups, trying to figure out these issues during the Obama administration, you know, so all of these things. None of this is new. We're just trying to iterate, you know what I mean? Once the threats change, our threat landscape changes, our security architecture changes, the technology changes.

And so it's just trying to keep up basically with all of the new issues as they arise, for sure. 

Justin Beals: So there's a part of the HIPAA high tech legislation that a lot of the colleagues and customers that I work with struggle with, and that is the business associate. It's when you are a business associate, who to ask to be a business associate.

And I like to call these things greedy in a way they tend to infect everything. We ourselves are becoming HIPAA compliant because we had a customer ask us. to become a BAA for them, even though we don't process patient healthcare information. 

Iliana Peters: Interesting. 

Justin Beals: I wonder if you could give us your take on the BAA part, like who, who should you make as a vendor be a BAA?

Iliana Peters: Right. I think it's a really great question. And it's a question we're seeing a lot, particularly given rising state law obligations. 

So if you back up a little bit and you look at the way. HIPAA was sort of benchmark in the U. S. for data protections.

Justin Beals: It was the first, I think, maybe FERPA came a little bit earlier.

Iliana Peters: Exactly, right? So we had sort of FIPS, right? Fair Information Practices. Yes. And the government certainly had privacy protections, right? We had FOIA and privacy protections and the Privacy Act and all of that. We had substance use disorder protections way back in the seventies, but that was pretty much it right for the rest of the U.S. economic sectors; there wasn't a whole lot besides FERPA, like you said, substance use disorder. So, you know, when Congress passed HIPAA, it was, it was a pretty big deal. And HIPAA was modeled on FIPS. It was modeled on FERPA, modeled on the Privacy Act, because that's what we had at the time, but it went further, obviously.

And so when European regulators were looking at designing European protections, they looked at HIPAA. So GDPR is modeled on HIPAA. 

Iliana Peters: and there was a lot of conversations with European regulators about HIPAA and lots and lots of talks, you know, back in the 90s about why the U. S. did not apply HIPAA to all of its economic sectors because the European Union really thought we should. They still have a problem with the way that we do data in the U. S. 

Justin Beals: There's still no safe harbor agreement. 

Iliana Peters: Right. Yeah, exactly. Because we limit HIPAA to health data, right? There's no sort of, ours is driven by economic sectors, theirs is national. So they really, don't like the fact that our protections are sort of compartmentalized.

Yeah. So, you know, that conversation is still ongoing, but GDPR took a lot of what HIPAA was about and implemented it there as have other countries. So if you look at, you know, if you look at HIPAA and then] GDPR and then CCPA, right? So then we sort of have flowed back to the States in the U S, which is kind of ironic, right?

Justin Beals: Yes. 

Iliana Peters: So now you have all of these states that are implementing very similar requirements at the state level. And if you look at the state level, you have a very similar kind of construct in that you have data owners and you have data processors. Yes. Right. That is the way that you should also look at covered entities and business associates under HIPAA.

It's a very similar way, way to look at it. And just like with the state, you have a data owner and you have a data processor and you have a DPA or data processing agreement. You have a covered entity and you have a business associate and you have a business associate agreement. Okay. So it's, it's a very similar construct.

Now it doesn't apply exactly the same way a hundred percent of the time, but it is almost exactly the same. Yeah. And it's a really good way of thinking about it. Because the way that I can see the business associates. They are data processors. They are the entities that are processing data for the data owner, the covered entity.

And another way that I think it's helpful to look at that is they are infrastructure providers. So you can have a processing relationship with another business partner. That is particularly in the health care sector, not infrastructure related your two health care providers and you're exchanging information for treatment, for example, right?

You're a hospital, and you're a lab, 

Justin Beals: right? 

Iliana Peters: Right? That doesn't make you business associates because you're both doing treatment stuff and you're sharing patient data and you're processing data. But it's not for each other because you're both doing your own thing. Yeah, that does not create a processing data process or business associate relationship.

Justin Beals: But both entities are responsible for the own data privacy of the data they own, even if it went from entity to entity. Correct. Absolutely 

Iliana Peters: right. 

Iliana Peters: But if that laboratory, if the, if the hospital said, you know what lab, we really love your laboratory. Structure application. 

Justin Beals: Yeah. 

Iliana Peters: Your technology. 

Justin Beals: Right. 

Iliana Peters: We want our physicians to be able to do all of their lab tests on their phones, and we like your technology better. 

Can we license all of your technology and use all of your software for our physicians? And the lab says, you know what? Yeah, let's do that. That's an infrastructure service. Yeah. And that. starts to make the lab a data processor for the covered entity because it's providing an infrastructure service now, whereby it has to provide the security related to the infrastructure for the covered entity's data.

Iliana Peters: Does that make sense? 

Justin Beals: It's really helpful. 

Iliana Peters: So if all we're doing is exchanging data, we're transmitting data, we're processing data related to shared patients because we're doing treatment together. That's not. infrastructure that's not a for or on behalf of kind of service. 

But if we start doing infrastructure stuff for each other, that usually helps people understand, okay, now we're talking about a situation where we have processing business associate relationship because that entity wouldn't have our data otherwise.

Justin Beals: Right. Okay. Let me ask you another aspect to this. Sure. The one that I've read over and over and over again, the janitor rule. Can you help us with the  your perspective on the janitor rule and, um, how to delineate when you're, Not, you need a BAA because it's not incidental or when you're like, this is, we don't necessarily need a BAA.

Iliana Peters: Right. I  think I don't like the term incidental. And I know that guidance is a little bit old because it's not, it's not really the way the rule thinks about incidental. Two disclosures. Yeah. They, I like to refer to them as incident to disclosures because incidental disclosures are really supposed to be incident to disclosures.

In other words, if you have a disclosure that's otherwise permitted under HIPAA and you have some kind of data leakage, even though you had all the safeguards in place, then it's probably okay.. And we're not going to worry about it too much. But those are in situations like, for example, if we have a treatment situation and we have, you know, the classic case is two physicians speaking in a hallway and, you know, they're, they're not screaming at each other. They're using lowered voices or whatever. 

And someone walks by who is completely unrelated to that case. And, you know, maybe they're pediatric physicians, and a cardiac physician walks by, and they don't need to know that information, and it's not relevant to what they do.

And we have role based access. Otherwise, and all that kind of stuff, but they need to have that treatment conversation in the middle of the hallway because, you know, that's what happens in a hospital, right? 

Iliana Peters: Yeah, exactly. And, and it's, and we're in a secure area of the facility and there aren't public members of the public there for all the reasons that, you know, we don't allow members because this information is flying everywhere, and this happens all the time with codes being called and information on whiteboards and like, that's why these are secure areas of hospitals, right? But someone walks by, that's an incident to disclosure, right? because we have a treatment discussion going on. But we can't prevent the data leakage to the cardiac physician. We can't prevent someone walking by a whiteboard that sees something we can't prevent someone overhearing the code call. But we're in a secure area of the facility. All of those people have been trained in HIPAA. They are all workforce members. They  know to protect this information. We do the best we can. 

 Right. When we have a janitor situation, I think the idea is that similarly, the janitor shouldn't have access to protected health information. There should be no PHI. anywhere for them to access. 

Justin Beals: Yes. 

Iliana Peters: And if that's the case, they're not a business associate because they're not accessing any because we should all have clean desks. All of the PHI paper should be locked away. All of our devices are going to be locked. Computers are shut. You know, all of the PHI is in shred bins and shredded.

You know, and if that's the case, which it should be, then our janitors aren't business associates because they don't access protected health information. 

Justin Beals: Right? 

Iliana Peters: If they're throwing any PHI out, it's because the shredded that PHI is shredded and it's, It's unusable, unreadable, or indistinguishable. So it's no longer PHI.

 Justin Beals: So if I interpret this a little bit, I think what you're pushing on is that the, the health care provider needs to have the proper data protections in place. That's the more important rule, right? And to, for your, for you to say, Hey, we're just going to make blanket anyone that comes You know, within 300 yards of the hospital become a BAA.

That's actually a poor control implementation, poor security implementation, as opposed to having good data protections in place in the first place. And probably health and human services from a breach perspective, it's not useful for them to go after the janitor. 

Iliana Peters: I absolutely agree with that analysis.

Justin Beals: Okay. 

Iliana Peters: I would, that would be my suggestion is because. You know, I think, you know, a janitor's not, they're not the kind of entity that is doing this on a regular basis. Yeah. And knows, you know, the difference between when they're in a, a law firm or corporate, you know, corporate firm versus a healthcare provider.

And we would hope that they have secure practices as well, but you know, the onus really should be on the cover entity to make sure that they are securing their data. Yeah. Not disclosing when they shouldn't disclose when it's not necessary because that is a requirement on them. 

Justin Beals: Yeah. What do you think are some of the the biggest shortcomings or softer areas that people, especially healthcare organizations, don't pay attention to in implementing HIPAA?

The biggest vulnerabilities and potential issues. 

Iliana Peters: Yeah, you know, they range so much. I think number one is risk analysis. And risk analysis is very hard, as you probably know. Enterprise risk analysis is really hard. 

Justin Beals: It is, but it is the best tool for scoping proper security. 

Iliana Peters: Absolutely. And so I think my, when you're talking about sort of like the low hanging fruit level for risk analysis, it's not necessarily, to your point, like a real accurate, thorough, comprehensive enterprise wide risk analysis.

It's the difference between a risk analysis and a gap analysis or an audit. Because a lot of times what I see is a controls audit, which again is also very helpful and important, but it's not also not an enterprise risk analysis because it's not looking at where the assets are, where the data is, where the risks are.

It's telling you, have you implemented the controls that are required by law, 

Aagain, very important. But not the same thing, right? And we really need that first exercise, really understanding where the assets are, where the data is, where the risks are to understand how to implement the right controls in the right way.

Whereas our evaluation, what we like to call in the HIPAA world [ and evaluation, which is our audit can tell us, okay, yes, we can, we have met the legal standard, which is a different question. So, there's a lot of confusion about that, and I think that's a low-hanging fruit issue is find a vendor that knows the difference, right? And then, workforce training. 

Justin Beals: Yes, it comes down to the gray matter so often. 

Iliana Peters: It's so often, and it's little things like, I'll have clients tell me, Oh, we do work, we do workforce training, and I'm, Okay, great. Well, can you tell me the last time this person was trained? Great. Oh, well, I don't think we have documentation about it.

Well, the proof's in the pudding. Right? If, if the regulator comes to me and asks me for the documentation, I have to be able to show them that Iliana was trained, you know, on an annual basis or whatever our training schedule is. Yeah. as dictated by our policies and procedures. And if I can't do that, her training is essentially worthless.

So it's, it's little things like that is, is, you know, have you implemented the legal requirement? Great. If you have, but can you prove to me that you've implemented the legal requirement? 

Justin Beals: Yeah. 

Iliana Peters: And that's really almost as important as implementing it because I have to be able to prove it. 

Justin Beals: Yeah. So when we're doing the risk analysis work, you know, we're looking at what type of data we store, what type of services we provide and, uh, broadly what we think, you know, the definition of security is around that.

You know, I have, I have a common story that I tell people You know, a risk analysis for our company, which is a B to B sass platform is something like availability, right? For us, it's high because we think the likelihood is maybe medium because we have a lot of redundancy in our cloud environments, but if it's down, we're, we're out and out, right?

So the impact is. Massive, right? And therefore, you know, we kind of start to get this. What are the things we're most scared about? Right? Question. Absolutely. But then to your point around the set, the evaluation or the audit, which we also do a lot of is we're looking at the controls that you implemented, 

How that maps to a standard, right? And then where are the receipts? And I think that's the third thing about the training. It's like, It's good that you're doing it, but if you're not collecting receipts in an investigation situation or even just a vendor-buyer relationship, if you can't validate that you operated the control, no one's going to believe you anymore, I don't think.

Iliana Peters: Absolutely right. Absolutely right. And I think that's a great point, is that at the end of the day, I look at it from a regulator perspective, because that's what I do all day long. But at the same time, from a supply chain perspective, from a B to B perspective, it's also a really important piece of the conversation and being able to, you know, say to your business partners.

Yes, we do that. And yes, we have the documentation to prove that we do. That is a really important part of that conversation. 

Justin Beals: Yeah, something I'm really curious about, and I've never been close to one of these. So, I know little about them, but how is the investigation process itself? Like, let's say that you do experience a breach, and, um, one of the things I like to say is that security is an adverse today is an adversarial issue. There, you know, it's like sports, you're going to lose some of the games, it's going to happen. And so let's say I'm at an organization, and a breach is happening. What do I need to be aware of? from health and human services perspective and preparing to engage with investigators?

Iliana Peters: It's a great question. And I think at the end of the day, it's about the documentation because it's not only important to document response from a regulatory perspective because you're required to under the law, but also from an industry best practice perspective. But finally, because the regulator is going to ask you for all of that. And on some level, you may or may not produce all of it because some of it might be privileged. 

And similarly with a litigation, you know, many, not most of these, these days end up in litigation. I see. And it's same thing. You may or may not produce all of that, but you need that documentation to inform how your litigation goes forward.

So whether or not you're having a conversation with a state or federal regulator or you're having a conversation with a plaintiff's attorney, you want to be prepared, and you need all of that documentation. So when you're in the middle of it, it is sometimes very hard to remember. to document everything.

Yeah. Because it's happening so quickly, and you're, you know, it's so stressful, and you're like, well, I'm never going to forget this. But I guarantee you two years from that point, people are going to have moved, practices will have changed, and It is likely that when you have a regulator interview and they can be two years later, or you're being deposed two years later, you're going to need to rely on documentation because you won't remember everything that happened in the heat of that.

You know, immediate two, three day, two week period when everything was sort of hit the fan. And so the documentation is extremely important for a variety of reasons. And then, you know, it's really interesting because you have that immediate sprint to respond to the incident itself. 

Justin Beals: Yes. 

 Iliana Peters: And then once that immediate sprint is over, that sprint usually lasts 30 to 60 days until you satisfy your notification obligations.

And then you have a marathon to complete your regulatory investigations and your litigation and whatever that looks like afterwards. And that can last up to six years. So it's a very, very long process. And a lot of times our clients don't understand that. So they finish that initial notifications and they're like, okay, we're done.

Well, not exactly, you know, hopefully, 

Justin Beals: sure. 

Iliana Peters: Hopefully we'll get an immediate closure letter from the state AGs that we notified the FTC if that's an issue and HHS if you're in the healthcare sector. But probably not.  So, you know, we need to be prepared to continue having conversations with regulators for two, three sometimes six years.  And that's tough.

Justin Beals: Yeah. And you have this vector of the regulators as well as lawsuits from the people whose data was breached and you're dealing with both almost at the same time. 

Iliana Peters: Absolutely. 

 Justin Beals: Yeah. 

Iliana Peters: That’s exactly right. And, you know, I've had a couple of conversations with reporters over the last few weeks about how frustrating these litigation matters are because, you know, these plaintiff's attorneys are relying on a letter you are required to send under the law.

In most cases, there's no evidence of harm, you know, whether or not a person is harmed by a breach these days is very difficult to prove. 

Justin Beals: It's all happening in very rare circumstances. opaque areas, 

Iliana Peters: right. 

Justin Beals: And to coin a term, to jure the dark web 

Iliana Peters: exactly. 

Justin Beals: Uh, and the data lives forever. So, the point at which harm could happen might be years later.

 Iliana Peters: Exactly. 

Justin Beals: Yeah. 

Iliana Peters: So, I mean, I Worked at HHS during the OPM breach. My data has been on the dark web and all of my data for a very long time. 

Justin Beals: Yeah. 

Iliana Peters: So whether or not I, if I have identity theft tomorrow, was that due to the Ticketmaster breach? And again, I'm not picking on Ticketmaster, but I, like everyone else, used Ticketmaster.

So is that yesterday's breach or is that the OPM breach 10 years ago, 15 years ago? You know, I mean, Where is the relationship? And it's very difficult to prove. And so whether or not these or all of these, maybe some of these class action lawsuits are meritorious. Maybe, but I think a lot of them aren't.

And again, they rely on a letter that an entity is required to send by other law. So, you know, there's no safe harbor once you send that letter. And so it's extremely frustrating because you have to send that letter. And then as a result of that letter, Then you get hit with these demand letters and, you know, sometimes it's just more efficient to settle and then that promotes the idea that the attorney is going to send another demand letter and, you know, I mean, it's a very difficult. Self-fulfilling prophecy.  

Justin Beals: It's hard because I think two things we wanted to do with the internet is that we wanted to make data, you know, precise and it, it doesn't degrade over time. Right? So, the data from the OPM leak can be exacting as it was when it was leaked. 

Iliana Peters: Right. 

Justin Beals: And also we wanted to make it very fluid to move the data around.

And so you're definitely ham. You can't put the genie back in the bottle once it's done. Right. 

Iliana Peters: Absolutely. Right. Yeah. 

Justin Beals: And of course we have, I think a lot of our colleagues that are suffering breaches, not because they didn't practice security. I couldn't point at them and be like, they weren't trying.

It's just that it's very fluid environment with the data itself. 

Iliana Peters: Right. 

Justin Beals: Yeah. How does one thing I'm just deeply curious about? How do you think, especially today, the state AGs or health and human services think about calculating a fine or a response to a breach? 

Iliana Peters: I think that is a very good question. I don't have a lot of visibility into that these days, 

Particularly with HIPAA, the Trump administration published an, an, a notice of enforcement discretion with regard to HIPAA penalties. So the penalties associated with alleged HIPAA violations are much lower than they had been previously, including when I was there, but, um, OCR is alleging violations in many more cases.

So, and it's not clear to me exactly the merits of all of those cases. 

Justin Beals: Yeah. 

Iliana Peters: Things have changed a lot since I was there. And again, I don't have a lot of visibility into that. So, you know, so it's hard to know exactly why the cases they're choosing something that, again, you know, I've talked with several reporters, I've talked with staffers on the Hill about is that the only cases OCR investigates are the cases about which entities file breach notification, 

Justin Beals: right? 

Iliana Peters: So we don't have any visibility into entities that aren't filing breach notification. So arguably to your point, something went wrong for sure, but you could be Fort Knox and still have a breach and you're still going to be investigated.

The mom-and-pop shop down the street never had any security and had a breach and didn't file a breach notification. You're never going to be investigated and that doesn't feel right. 

Justin Beals: Yeah. That's a tough situation. 

Iliana Peters: So, and again, not all of these entities had good security, you know, all of those things.

So again, there is that, but it's very hard to tell from the cases that OCR publishes, and they publish all of them, where we are, which are the cases that we're talking about since they are investigating all of them and what that looks like. And so I would argue that OCR really needs to get, HHS really needs to get better visibility into entities that aren't filing breach reports, not only from an enforcement perspective but if we're going to raise the bar because we are such an interconnected industry. We have to get to those. It's business partners.

Justin Beals: that 

Iliana Peters: arguably aren't doing what they're supposed to be doing, in my opinion. 

Justin Beals: Yeah. Spreading out the enforcement footprint a little bit, or at least making the, the broader market smaller, big, aware of their responsibilities.

You know, one area that we see a lot of growth in the health innovation space is medical software and devices is expanding quite a bit. And of course, we see a lot of venture capital investment into these areas. Which is usually chase it regulation. You know, they want to go fast. Is there any, you know, the law?

I think your point is not very specific. But as these younger organizations were highly fast-growing organizations are coming in the marketplace. Is there any advice you would give them to think about, you know, regulatory compliance? 

Iliana Peters: Yes. I mean, I think at the end of the day, it's, it's what we were talking about at the beginning, so we really come full circle with our conversation is that to build a really great product and whatever that product is, if it's a thing, a widget, a device, an application or whatever, or a business process, you know,  if we're talking about business processing process, or we're talking about, you know, process whereby we acquire Companies that build widgets or whatever that looks like.

It's about thinking about the best way to build robust data security in from the beginning, because number one, it helps you meet your legal requirements, which is always a good thing from my perspective, but also because it makes you much more resilient. It just does. It makes you ethically resilient. It makes you look good to your business partners and the consumers with whom you work.

Justin Beals: Yeah. 

Iliana Peters: And it makes you resilient to things like cybersecurity attacks, you know, to, you know, practices involving data just generally. So it may cost more money. It may take slightly longer. Although that's debatable. I think I think you have a good team. I think that's debatable. So I think if you really think about it in a robust way from the beginning, it helps you create a much better environment, whatever that means for your business, and it helps you be strategic long term.

Justin Beals: I have one last question for you. This Iliana, you're a deep expert. The, I recently re read the current state of the American Data Privacy Act. What's your prediction on us actually getting something like that passed? 

Iliana Peters: I'm still very skeptical, mostly because of the fact that we have so many state legislators that have so many concerns about their own state protection.

And I think to get to a really robust federal comprehensive law; we are going to need to push some of those state protections by the wayside. Because it's just not going to be, at least in my opinion, it's not going to be possible to try and deal with multiple federal protections and multiple state protections.

And in order to get to a robust federal benchmark for everyone, we have to, we have to give up the state level stuff. And I think that's going to be really hard for some of our state folks to let go of. And I just am not sure it's going to be able to, to get there. 

Justin Beals: Yeah. It's a constant cultural tension here in the United States between certain states driving.

It's a big issue. It's a big country. We have a lot of different communities in it and in certain communities are driving it things that they find very important, certain communities are reacting that they don't like it. It makes it hard for things to happen at a federal level. 

 Iliana Peters: I absolutely agree. 

Justin Beals: Yeah.

Ileana, I have learned so much. I know myself and our listeners are deeply grateful for the work you do both with health and human services in that Polsinelli and we appreciate you educating us on these issues. 

Iliana Peters: Oh, I'm happy to help. I love the conversation. Thanks so much. 

Justin Beals: All right. Uh, thanks, everybody, for joining us.