A Conversation with Suchi Pahi: Why HIPAA Compliance is Difficult
In this episode, Mike welcomes Suchi Pahi, a data privacy and cybersecurity attorney. Join us as they talk about the complexities of implementing and understanding HIPAA, particularly for organizations brand new to the healthcare space.
Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.
In today’s episode of In Scope, host Mike Murray welcomes guest Suchi Pahi. Suchi is a data privacy and cybersecurity attorney with extensive experience in health data privacy, biometric privacy, incident response, domestic and international data protection laws, data transfers, privacy by design, technology implementation, and more. When tech founders are interested in getting into the healthcare space, Suchi encourages them to decide first whether they want to be inside the HIPAA-regulated space, working with hospitals, insurers and other covered entities, or outside it, collecting consumer health data such as step counts and heart rate under a different patchwork of privacy rules.
HIPAA is not a checklist; it is a baseline you are required to meet and then scale up from, depending on what your company handles, how sensitive and how large the data is, and what your threats look like. Suchi’s usual approach is to default to the most restrictive position, sign the BAA, build the controls in from the start, and revisit once things are built. The alternative is to frame the risk plainly: what happens if you don’t do it, and how many deals fall through once you are dealing with healthcare-savvy counterparties. Protected health information (PHI) is broadly defined and hard to pin down, so it has to be carved out precisely. If a healthcare tech company mixes patient data, physician identifiers and other operational data in one place, everything in the mix has to be protected at the PHI bar; treating it all as PHI is too restrictive and keeps the company from using its data to improve its product in a meaningful way. And there is no single list of what counts as PHI that holds across countries, states, or even services.
Compliance in the legal sense is a legal-department function: policies, controls and training put in place so the company does not fall afoul of regulations such as anti-bribery or export rules, with lawyers reading case law to work out what a regulatory term means in practice. HIPAA looks more like that than like PCI or HITRUST. There is not much case law around it, which leaves regulators broad latitude in how they apply the rules. That is why the learning curve is so steep for healthcare startup founders, and why your legal team has to be equipped for the industry.
Both Suchi and Mike agree those needs are changing. The HIPAA rules and the list of PHI identifiers were written before today’s data-processing capabilities existed. Stripping the 18 Safe Harbor identifiers is therefore no guarantee that a data set is actually de-identified: as Mike recounts from his time at GE, sex, ZIP code and the date of a procedure can together single out a specific person, because the attributes that remain can still be linked statistically. The space itself is very diverse, with some healthcare organizations doing the bare minimum because that is what they can understand or afford, while others have built very specific and targeted capabilities to protect data.
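To make the de-identification point concrete, here is an added example; it is not code from the podcast, from Scope Security, or from the guest. The record layout, the field names and the six sample rows are constructed for the demonstration. It strips the Safe Harbor identifiers present in the rows, replaces the medical record number with a keyed pseudonym so rows from the same patient can still be linked (the hashing approach Mike describes, with a key so a low-entropy identifier cannot be reversed by enumeration), and then measures k-anonymity over the attributes Safe Harbor leaves behind: sex, three-digit ZIP prefix and birth year. The check goes beyond the page’s specific case: it works for any set of quasi-identifier columns.

```python
"""
Added example (not from the podcast): stripping HIPAA Safe Harbor
identifiers is not the same as de-identification.  Sample records and
field names below are constructed for illustration.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real patients).  Field names assumed.
RECORDS = [
    {"mrn": "000123", "name": "Alice Example", "sex": "F", "zip": "02139",
     "dob": "1984-03-12", "visit_date": "2021-02-03", "dx": "S82.2"},
    {"mrn": "000124", "name": "Bea Example", "sex": "F", "zip": "02139",
     "dob": "1984-11-30", "visit_date": "2021-02-05", "dx": "J45.9"},
    {"mrn": "000125", "name": "Carl Example", "sex": "M", "zip": "02139",
     "dob": "1984-05-01", "visit_date": "2021-03-01", "dx": "I10"},
    {"mrn": "000126", "name": "Dan Example", "sex": "M", "zip": "02134",
     "dob": "1984-07-07", "visit_date": "2021-03-02", "dx": "E11.9"},
    {"mrn": "000127", "name": "Eve Example", "sex": "F", "zip": "10001",
     "dob": "1988-01-20", "visit_date": "2021-04-10", "dx": "M54.5"},
    {"mrn": "000128", "name": "Finn Example", "sex": "M", "zip": "90210",
     "dob": "1981-09-09", "visit_date": "2021-04-12", "dx": "K21.9"},
]


def pseudonym(value, key):
    """Keyed hash (HMAC-SHA256) so rows from the same patient stay linkable.

    A keyed hash is used instead of plain SHA-256: an MRN, phone number or
    IP address has little entropy, so an unkeyed hash of it can be reversed
    by simply hashing every candidate value.  The key must be protected.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def safe_harbor_strip(record, key, zip3_ok=True):
    """Apply the Safe Harbor rules to one record.

    - direct identifiers (name, MRN) are dropped; MRN survives only as a
      keyed pseudonym,
    - dates are reduced to the year,
    - the 3-digit ZIP prefix is kept only if that prefix covers more than
      20,000 people; zip3_ok is the caller's answer to that census check
      and when it is False the rule requires "000".
    (The rule that ages over 89 must be bucketed is omitted here.)
    """
    return {
        "pid": pseudonym(record["mrn"], key),
        "sex": record["sex"],
        "zip3": record["zip"][:3] if zip3_ok else "000",
        "birth_year": int(record["dob"][:4]),
        "visit_year": int(record["visit_date"][:4]),
        "dx": record["dx"],
    }


def k_anonymity(rows, quasi_ids):
    """Return (smallest group size, number of rows that are unique) over
    the given quasi-identifier columns.  k == 1 means some row is singled
    out by attributes that Safe Harbor stripping left in place."""
    key_of = lambda r: tuple(r[q] for q in quasi_ids)
    groups = Counter(key_of(r) for r in rows)
    sizes = [groups[key_of(r)] for r in rows]
    return min(sizes), sum(1 for s in sizes if s == 1)


def generalize(rows):
    """One further generalization step a practitioner might take:
    drop the ZIP prefix and coarsen birth year to a decade."""
    return [dict(r, zip3=None, birth_year=r["birth_year"] // 10 * 10)
            for r in rows]


def run(key=b"demo-key-not-for-production"):
    """Strip the sample records and report k before and after generalizing."""
    stripped = [safe_harbor_strip(r, key) for r in RECORDS]
    after_safe_harbor = k_anonymity(stripped, ("sex", "zip3", "birth_year"))
    after_generalize = k_anonymity(generalize(stripped), ("sex", "birth_year"))
    return after_safe_harbor, after_generalize


if __name__ == "__main__":
    (k1, u1), (k2, u2) = run()
    print(f"after Safe Harbor strip: k={k1}, {u1} of {len(RECORDS)} rows unique")
    print(f"after dropping ZIP and coarsening to decade: k={k2}, {u2} rows unique")
```

On the constructed rows, the Safe Harbor output still contains two rows that are the only ones with their sex, ZIP prefix and birth year, so anyone holding a voter roll or similar file with those three attributes could re-identify them. Only after a further generalization step does every row share its quasi-identifiers with at least two others. The point is the one the summary makes: the 18-identifier list is the floor, and whether the residual data is actually de-identified has to be measured against what else the attributes can be linked to.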
– Mike Murray welcomes guest Suchi Pahi and asks her to introduce herself.
– Do start-up founders really want to be in healthcare?
– What does it mean to co-mingle data?
– Compliance in the healthcare space.
– Mike and Suchi discuss de-identification.
0:00:02.7 Speaker 1: Welcome to In Scope, the Healthcare Security Podcast. Each episode, we bring you interviews, technical tips and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.
0:00:20.6 Mike Murray: Hi, and welcome to this week’s In Scope, the Healthcare Security Podcast. As always, I’m Mike Murray. And with me this week to talk about all kinds of fun legal topics is Suchi Pahi. I’m gonna let Suchi introduce herself. For those who follow the sort of healthcare security and healthcare privacy space, you’ve probably already heard of her, but Suchi, why don’t you give us a bit of your background, just ’cause I’m not gonna do your bio nearly the justice that you will.
0:00:48.2 Suchi Pahi: Yeah. Thanks so much, Mike, it’s great to be here and also, hello, all of y’all, guys, gals and non-binary pals who are listening, I’m looking forward to talking about healthcare security and legal stuff with you all. Briefly, I’m a long-time privacy and cyber security lawyer, and I most recently worked for a post… I’m gonna say acquisition startup that was a healthcare tech company, and so I’ve been around the healthcare tech start-up space as well as a general institutional healthcare and now I’m working in a cloud computing company doing some really fun, purely technical things that aren’t related to healthcare.
0:01:31.4 MM: It’s pretty exciting, and actually that’s one of the things that I’m most excited to talk to you about. If you’ve been following the VC space, the last couple of years have seen more investment in health tech companies, especially throughout 2020 in the pandemic coming into 2021. And so there’s a million start-up founders out there who are running around trying to learn how to sell the healthcare, trying to learn the challenges of healthcare, and especially the intricacies of dealing with patient data and protected health information. And I would just love to hear you riff on it, if you’re a… First, you’re a startup founder who’s used to building cloud computing things and you just got funded to build a healthcare startup, what would you wanna tell that person?
0:02:14.2 SP: I guess I would want that person to try and understand, so go talk to someone who knows the healthcare industry and understand whether they want to be a part of it or whether they wanna sit outside of it, and if they wanna sit outside of it, they can still collect health, what I’m going to call, what we generally would call health information, like the steps I’m walking, what my heart rate looks like, what my blood pressure is based on my nifty apparatus that I’m wearing around my wrist, and there’s some regulations around that, but that doesn’t necessarily put that particular start-up or company or a founder within the health tech start-up space the way you’d understand it when it’s regulated under HIPAA.
0:02:55.9 SP: And I think that’s what I want that person to really look into before they dove into whatever they were doing for the company, so it’s like, What’s your purpose? And does working with hospitals and insurance companies and other what we call covered entities under HIPAA actually fulfill that purpose for you, or is there some other route you can take where, unfortunately, you might be subject to a hodge-podge of privacy rules in the US, plus whatever is going on in Europe and Asia, or you can be under HIPAA, and that has its own requirements when it comes to contracting and several other things.
0:03:27.6 MM: So suppose I decided to build a cloud PACS or I decided to build some new nifty medical device that delivers care in some way through a cloud back-end, you see hundreds of them popping up all the time. They don’t get to skirt the rules, right? They’re full on, at the very least, business associates, but probably even more than that in some cases. What do you do with that founder?
0:03:50.0 SP: I think that founder needs to have a really solid security and legal team, because when we get to this point, you’re really carving different areas out from or within HIPAA. So are you actually processing this health information, is there a way you can identify the people whose information is being processed, all of that stuff is quite nuanced, and so it might be that, yeah, you end up being a business associate, but you won’t have as much potentially insight as you need to fulfill some of the incident reporting requirements.
0:04:26.6 MM: This is the thing that I think so interesting is so many people who come into this space that start as start-up founders, the kind of traditional startup founder thinking… Most of them, the first thing you do is not hire an army of lawyers. My previous company that I started many, many years ago, was an ethical hacking training platform. We had lawyers who kind of helped us set up the business, but we never thought about these sorts of things, and starting Scope, I have a very different team of lawyers because of all of these challenges, and I think everyone wants to talk about… Everybody, HIPAA is the first thing on their mind, and I think most people are surprised when they get to HIPAA, because unlike PCI or FedRAMP or something like that, there’s not a checklist, and maybe you can educate the audience on that because I think it’ll be a surprise to a lot of people when they start to read HIPAA, they’re like, “Okay, where does it say two-factor authentication?”
0:05:22.0 SP: That’s probably the crux of the problem that I’ve encountered when I’m working with folks who aren’t native to the healthcare space, it’s… You’re right, HIPAA is not a checklist, and HIPAA compliance doesn’t mean that you can just read the regs and check off a bunch of boxes and say, “Yeah, I’m HIPAA compliant,” and go from there. Instead, HIPAA was set up as a floor or a baseline, and from there, you’re supposed to scale up your security and privacy practices based on the sensitivity of the data or the volume of data or what your potential threats look like from a security perspective, just for the type of company that you are, where are you based, what other stuff are you handling, how fast are you scaling, that can go from a company that barely has to do anything like meet the baseline, or it can be a company that really has to have a robust like insider threat program.
0:06:15.1 SP: And I think the reason that it gets complicated very quickly is because you have to have people who are able to think strategically leading your security team, and similarly for your privacy team to make sure that you’re tackling the stuff that would be of, I think the greatest sensitivity within your organization, which is true, I think across the board for security teams, whether you’re in healthcare or outside of healthcare, but once you throw in the healthcare stuff, you have the added penalties that you’re going to get under HIPAA.
0:06:46.7 MM: But I think far too often, and especially, I know you’ve worked at this startup, I’ve definitely worked at this startup where the CEO says, “I just wanna check this box so I can go sell now please, let’s get me there as quickly as possible. Don’t make me think about it. Just go do it.” How do you even think about approaching that? Like you said, it’s a very strategic thought process that often requires a real understanding of the business and the regulations. Do you just go get a consultant and so start checking boxes?
0:07:15.1 SP: I think, which brings me to HITRUST, I think with HITRUST, I would go hire a consultant and get someone to work on those check boxes, because I don’t do HITRUST, it’s a security compliance measure or framework that has very specific requirements, and I don’t know anything about it, but if it was talking to the C-Suite about actually having HIPAA compliance and being able to pull in healthcare entities, then I might say, “Hey, default to the most restrictive position, go with a BAA, bind yourself by all the rules and make sure we follow them and build it in from the get go, and then we can revisit this position later.”
0:07:46.9 SP: That’s probably the safest way to go. It’s not exactly the easiest way to go. But otherwise I think typically my approach when dealing with trying to implement stuff that’s regulation-based is really framing up the risk of what happens if we don’t do it, and how many deals will fall through if we’re actually working with savvy healthcare people. And I’ve been on both sides of that conversation where it’s someone will say, “Hey, I can sign this business associate agreement with you guys, no problem.”
0:08:15.2 SP: And I’ll go talk to the lawyer a little bit more on the other side, a lawyer will say, “Well, I know this person said this to your technical person, but we actually do X, Y, Z, so we can sign the paperwork, but we wouldn’t be meaningfully complying.” And I’m like, “Well, now I know that we’re both infected with the knowledge, so let’s not go this route then, because it’s illegal.” [chuckle] I think you really have to be able to frame up those risks and understand also what your C-Suite’s risk profile is as well.
0:08:46.1 MM: By the way, that’s one of the things that you talked about the first road, and I’m living that first road because of my background in a lot of this stuff. We built our platform on the most restrictive idea, there is literally no way we can co-mingle data and physically separate instances of things where it would be impossible for us to accidentally co-mingle data. And we did it that way so that I could sign those BAAs and we could have those conversations, but frankly, the fact that we’re talking about co-mingling data like everyone else understands it, maybe you should explain why that’s actually an issue and what I’m even talking about. ’Cause most people think, “Oh, I’m just gonna stick up a MySQL database and it’ll be multi-tenant. We’ll have a different customer ID in the same table.” Right? I think that’s one of the biggest things that start-up founders and people who are coming into healthcare from the outside really don’t get.
0:09:37.9 SP: So protected health information is the key piece of this issue, and the definition of that, and the definition is pretty broad, it’s… I don’t remember it off the top of my head, but it’s basically health information or health-related information of a person, and it’s from, in a covered entity or business associate context. So me tweeting that I have a broken ankle is not covered under HIPAA, but my physician tweeting perhaps the date and time I was there and a photo of me along with my condition is definitely PHI. And so I think what a lot of people struggle with is trying to actually define what counts as PHI, and then understanding that it’s not just the diagnosis code or it’s not just the name of the physician, it’s anything attendant in that particular encounter or relationship.
0:10:28.6 SP: And you can’t just mix data that’s protected by one particular set of standards with PHI, because then you need to move that all to the PHI protection bar. Might as well just call it all PHI and protect it the same way, if that’s the highest level of protection you offer. In the end, if you treat everything as PHI, I think you have a lot less flexibility to do data analytics and things like that, especially if we wanna do analytics to make your product better, but not necessarily serve the same folks from whom you got the original PHI. And so one of the things that I would tell start-up folks is to make sure that you’re appropriately carving out your definition, so you say certain types of data for your internal analytics to be able to improve your products or optimize your services in a way that doesn’t affect PHI or isn’t a part of PHI.
0:11:22.0 MM: And that gets especially relevant when you’re talking about machine learning, because what we ultimately want to do, in most cases, if you’re building… I use the example of building a cloud PACS, a cloud analytic engine for medical images earlier. If you’re building something like that, you wanna be able to take the data from every scan across all of your customers and train a machine learning algorithm on that. Well, suddenly putting all of those things in the same database, depending on the BAAs that you’ve signed and depending on the agreements you have with each health system, and like you said, how the agreements and your definitions are set up, that can be a very fraught exercise.
0:12:00.7 SP: I’m familiar with ML, and I say familiar, but not an expert, and here’s why. I would assume that if you’re training models across a large data set, that there’s a potential for accidentally revealing data if you’re using them across customers, and that is something that I find terrifying just on a regular data level, not PHI or other special categories of data. Like if I was a customer dealing with that particular scenario, I would definitely build into my contract that you could train models using my data set, but those models would only be used for whatever services you were offering me.
0:12:38.6 MM: And that’s where it gets tricky, and you and I actually had conversations about some of the stuff that we’re doing with machine learning. So this is my example earlier, is a very personal one to me and the folks at Scope, and I mentioned… Suchi said something about having to have a smart legal team, we have lawyers who are just experts in how to do that, and how to make sure that our BAAs and the things we sign with our customers align with our practices and then our practices for de-identifying certain data. I like to use the example when I’m talking to customers, if we’re looking at an EHR audit trail and trying to find malicious behavior in that, the patient’s name doesn’t matter to us, so we throw that out.
0:13:17.9 MM: We don’t ever need the patient’s name to identify bad behavior, we need an identifier, and so at certain times we’ll hash that data, and so we can say this record is the same as this record, but that we don’t know whose data it is, sometimes we do need the data. If we’re looking for malicious behavior from an IP address and an IP address is one of the 18 factors of PHI in the sort of traditional definition, if we’re looking for malicious behavior from IP addresses, we can’t hash the IP address, so we don’t know what computer the bad guy came from. And so these challenges are so difficult and literally your whole background is about dealing with stuff like this, and I think most people don’t think about how difficult some of these things are. I wanted to switch directions ’cause you and I had an interesting conversation earlier about compliance, and this whole conversation has largely turned on compliance, and you said something so interesting before we started recording about compliance being different in the security industry than everywhere else. I wanted to go down that road a little bit.
0:14:19.0 SP: So compliance is a legal department, and within that legal department, or maybe it’s separately from legal, depends on how large your company is. You have AML, which is anti-money laundering, you have FCPA, which is the Foreign Corrupt Practices Act, which has anti-bribery and things like that. And these are regulations, I think there’s also forced labor is another one, and export import. So all of these things are within the scope of legal compliance. So when I think of compliance now, after speaking with a colleague who’s in legal compliance, I’m not thinking about HITRUST checklists or PCI. What I’m thinking about is what policies and controls do we have in place and how we socialize across the company to make sure that we don’t fall afoul of something like the anti-bribery regs.
0:15:12.8 SP: And that lawyer who’s working on this type of compliance is sitting there and looking at case law, where they’ve actually said, “Okay, this particular term in the regulation is really important and it means X, Y, Z.” And so then they go and take that case line, translate it back to, “We need to make sure we’re not doing A, B, C at our company, because that leads to X, Y, Z in this particular standard under the regs.” And so that’s what compliance is from a legal side, and it’s a completely different ball of wax than, “Hey, we need to answer these RFP questions from a customer about whether we have a data retention policy.” Like that actually has nothing to do with the legal compliance side of it.
0:15:54.1 SP: Well, I say nothing to do, but it has something to do with it, but it’s a minor part of that legal compliance practice, whereas if you have a HITRUST compliance effort that’s going on, or HITRUST certification effort that’s going on in your company, then you’re gonna need at least two people, like full head count, full-time working on that particular endeavor because they’re gonna have to corral folks into answering questions and get the right paperwork and do repeated interviews and stuff like that.
0:16:18.2 MM: But it’s such a different… Two things stand out to me as so different there, the first one being that there’s actually penalties. If I don’t have HITRUST, maybe I can’t close a deal, but I’m… As the CEO, I’m not going to jail.
0:16:31.7 SP: Right. And with the other legal compliance, you might be going to jail, [chuckle] and it’s a good chance that it won’t be just because of regulators in the US, it’s a good chance that you’re looking at international regulatory efforts to try to get you into compliance. So it gets pretty fascinating, and there is not a lot of case law, but that means that the regulators have a lot of freedom to enforce the regulations against you, however they’d like to.
0:16:58.8 MM: The other thing is, it sounds like you keep saying the word law, whereas what we talk about in compliance and security is, I don’t wanna deride it, but basically checklists of… It’s a task list. And actually something that came to mind as we were talking, and I think it’s so interesting when we talked a little bit a minute ago about how confusing HIPAA is for security people, and I think if you look at the history of a lot of our security compliance things, HIPAA was one of the first, and HIPAA seems to me, in the way you describe it, to be much more like legal compliance, and that you have to think strategically, you have to interpret the regulation, you have to do all of this stuff, whereas what we think of compliance traditionally in security is PCI and FedRAMP, and things where really is checking boxes off a task list, and I wonder if that’s why… This is me just throwing ideas off the top of my head, but I wonder if that’s why HIPAA is so hard for people.
0:17:55.2 SP: I think it is, we onboarded in a prior company, a lot of folks on the eng side and the security side who weren’t from healthcare companies, and they typically have a little bit of a longer learning curve because what they were looking for was like a set list of what exactly is PHI and what can I do or not do with it. Like a very specific prescriptive set of things. And it didn’t exist, your attorney or actually whomever you have internally assigned to do this has to go look at HIPAA and its requirements and then take your business model and translate it over and then say, “Okay, we can do one, two, three things, and this is what counts as PHI and is protected.” And that’s an endeavor that most companies don’t have to do because they’re dealing with stuff that’s really much more clearly laid out in any other regulation.
0:18:45.4 SP: And previously, if you were looking at cyber security incident response work, you’d pull up any state’s law, and then there would be one very specific section that would say, “Okay, when we say personal information, we mean social security number and first name, last name. Or first initial, last name.” Very, very specific. And that isn’t what you get in HIPAA. And you briefly talked about de-identification, and one of the things that I find fascinating is de-identification… HIPAA, again, sets that really, I’m gonna say low, low bar for de-identification with the removal of those 18 identifiers, but as tech continues to progress, and as our capabilities continue to progress, is something really de-identified when you’ve gotten rid of those 18 identifiers? Most folks, I think, would look at a data set and say no. And at that point it’s, “What are you gonna do?”
0:19:36.9 MM: I have to tell you a story. So I will never forget my education in this, it was when I was at GE many, many, many years ago now. And I was sitting down with one of our privacy people and I’m gonna screw up what the specific statistic was, and the person across the table walked me through how if they had a gender, a zip code, and a date of a particular procedure, they could identify that patient to 99.999% of the time to a specific human being, and I was just like, “Okay.” So it’s not just the factors like you say, it’s actually the way they can be related together and statistical identification. It’s not just like I looked at a line in an Excel spreadsheet, can I figure out who it is?
0:20:25.3 MM: It’s all of this really complicated thought that has to go into it, and especially like you said, with machine learning and AI technologies, some of that stuff gets really intensely interesting and difficult all of a sudden, and I don’t think most people… As a security person, and I always say that as a security person, when I got to GE, I said a lot of really dumb things that people kept correcting me on that made sense to most security people, but that healthcare people are like, “Yeah, you don’t get it.” I think a lot of people in our industry, and I think a lot of people in the security industry as a whole, don’t really understand some of these challenges at that level.
0:21:05.5 SP: I think that’s spot on, and you can actually say that about the legal industry as well, because specifically in the privacy area, there’s a thought that, “Hey, you’re only under one reg, and so it’s a pretty easy reg, you don’t have to deal with all these other regulations, so it must be really easy being a health privacy lawyer,” and that’s actually not how that works. And really, one of the things I’d like to key in on is, you said sophisticated. And if we’re looking at the best, most ethical way of practicing privacy in health and cyber security in health, then we would be aware of those statistics and we would take the extra steps to make sure that we’re in compliance with the spirit of whatever the regulation is.
0:21:49.6 SP: And based on all of my experiences back when I was at a law firm, I had several clients that I worked with, and I’ve seen what the industry actually looks like, and so there’s a little bit of catch-up going on. So we have the rest of the industry, these huge institutions, and folks who don’t have really great cyber security services they can rely on, or specifically they’ll rely on managed IT or something like that for security, and then you have your extremely sophisticated entities, and we’re all working off of this one regulation. And it’s going to be interesting to see in the next, I think, 10, 20 years, how these huge institutions and other companies using managed IT are going to be able to scale up their security practices or privacy practices to really keep meeting the spirit of the regs and the way that is supposed to be versus just stripping those 18 identifiers. Because that’s like the novice way of doing it. And if you can strip the 18 identifiers and get data, fine, that’s great. But I have strong suspicions that that’s not sufficient, even now.
0:22:55.5 MM: I completely agree. With my limited experience of those things, I think a lot of these regulations were written at a time that didn’t anticipate some of the algorithmic tools and analytics that we have. Suchi, thank you so much. So I always end with this question, where can people find more of you? People who wanna read your thoughts, hear what you have to say, where do they find you?
0:23:14.0 SP: Right now it’s on Twitter. [chuckle] I’ve been pretty quiet lately, but I’m expecting a paper out soon about privacy and extended reality, so try to catch me off Twitter then and happy to chat anytime. It is @SuchiPahi.
0:23:29.2 MM: Awesome. Well, thank you again, this has been incredible and very enlightening for everybody, and thanks for coming on. I hope we get to do this again.
0:23:37.4 SP: Yeah, thanks for having me, Mike.
0:23:42.8 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up. Or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]
ABOUT THE GUEST
Suchi Pahi is a data privacy and cybersecurity attorney with a passion for tech. She has a depth of experience in managing incident response and health privacy regulatory issues, as well as in building effective cybersecurity and privacy programs, partnering with product teams to create products that embed privacy, and counseling clients on privacy and cybersecurity implications of new technologies or services.