Introduction

Dr. Kevin Halow: Hi, I’m Dr. Kevin Halow. I’m a surgeon and the managing partner at Carson Surgical Group, as well as the founder of ClinicianCore. Today I am talking with Maria Pearson, Director of Corporate Responsibility and Enterprise Risk at Carson Tahoe Regional Medical Center.

Maria is an expert in HIPAA compliance, and we appreciate her participation in this discussion on HIPAA compliance in everyday clinical communication.

Patient privacy is not just a compliance box that we have to check. It’s an equal part of patient safety and quality care. Physicians must be responsible for, and lead, this narrative.

In this webinar, we discuss how secure communication tools—such as controlled platform access, smart data retention policies, and Business Associate Agreements (also known as BAAs)—protect patients in real-world clinical workflows and empower physicians to take back control of patient privacy.

Secure Architecture & HIPAA

Dr. Kevin Halow: One of the things that ClinicianCore does is that it uses unique identifiers, it uses two-factor identification, and it uses end-to-end encryption. So, how do these specific things that we’ve set up in ClinicianCore help with HIPAA compliance?

Maria Pearson: It is a communication method that is just part of our world. And so, why not use technology that is going to guarantee HIPAA compliance and can still be used in texting—sending written messages? Because that is something we want to be doing in today’s time.

The Business Associate Agreement (BAA)

Dr. Kevin Halow: The other thing I want to talk about is this concept of a Business Associate Agreement. For those listening… Maria introduced me to this concept. Anyone who goes onto our ClinicianCore platform has to sign a Business Associate Agreement. How is that an important legal step for HIPAA?

Maria Pearson: So, the way the federal rule is set up is that it only applies to healthcare providers who are actually doing treatments. So HIPAA doesn’t apply to, say, banks.

HIPAA is very specific to healthcare. What HIPAA is saying is: if you are providing a service and you are not a healthcare provider, you have to have Business Associate Agreements in place to transfer that HIPAA obligation to non-healthcare providers.

So in this case, you’re a vendor who has a product; they are not delivering healthcare specifically. So there needs to be a Business Associate Agreement so that we can contractually see that the organization will be required to comply with HIPAA via the contract.

Dr. Kevin Halow: So it’s the contract—that Business Associate Agreement is the contract that basically says: “Look, you’re now in a HIPAA world. You have to abide by the rules.”

Maria Pearson: Yes. So everyone we contract with—a bank, technology service, anyone doing coding services—we require a Business Associate Agreement. And what that basically says is: You are now equally responsible to comply with HIPAA, just like the healthcare provider needs to.

Invite-Only Access & The “Minimum Necessary” Rule

Dr. Kevin Halow: We take privacy and security very seriously, and the foundation base of this platform is privacy. But we’ve made it “invite-only.” ClinicianCore has to vet every single person that goes on the platform. How does this invite-only model support HIPAA compliance?

Maria Pearson: HIPAA requires you to only share information in the setting of a provider world for treatment purposes. You can’t technically share what we call PII (Personally Identifiable Information). Even a name, an address, or a medical record number is considered an identifier.

Dr. Kevin Halow: That’s interesting. I’ve actually received texts—probably shouldn’t admit this—but I’ve received texts with a patient’s medical record number. So that’s violating HIPAA?

Maria Pearson: Yes. No patient identifiers should be shared in an unencrypted manner.

In my opinion, going back to why this “invite-only” is necessary: You’re adhering to a very important part of the privacy rule called the Minimum Necessary Rule. You’re only sharing minimum necessary information with another provider to do the consult. It’s kind of your attestation to say, “I need you, and you are invited to collaborate with me.”

Dr. Kevin Halow: So the concept being that anyone can download the app, but only those people that are invited can actually use it.

Data Retention & Liability

Dr. Kevin Halow: The other aspect we like to showcase is that all the data auto-deletes after 30 days. There is no permanent record on ClinicianCore. How does that feature relate to risk reduction?

Maria Pearson: That kind of practice… you’re basically saying that this data is not part of the medical record. This is communication that will be documented in the medical record.

The medical record has record retention rules on how long you have to keep those records. If your product is not being considered an actual medical record, then you can use a retention schedule different from what HIPAA requires. It would be more like a business record log, telephone log, or email log.

What you’re really saying is: The less data you have, the less likelihood that you’ll experience a breach in your data.

Artificial Intelligence (AI) in Healthcare

Dr. Kevin Halow: I want to switch gears a little bit and talk about AI and HIPAA. We use AI to triage messages and assist with notes. How is HIPAA keeping up with AI?

Maria Pearson: Not a whole lot in a regulatory fashion, not yet anyway. I think integrity of the data is really important. HIPAA will hone in on any weaknesses that AI could impact the data with. For example, we hear about biases that could be created out of AI data and predictive analytics.

Dr. Kevin Halow: The idea is that AI needs data to become smarter. But on the other hand, are we willing to give AI that patient data? We have to keep it private, right?

Maria Pearson: Again, your AI software company would have to sign that Business Associate Agreement. And right now, HIPAA has opened the door to say: You can use AI as long as it’s being used for treatment purposes. But you have to do it in a very structured manner, just like any other technology.

Moderator Q&A: Data Ownership & Epic

Neeraj Jain: Doctor, if I may… If you are using Epic, Epic is now a repository of all patient data and history. Can Epic allow all that data to be given to an OpenAI or Gemini for them to learn?

Maria Pearson: That’s where it gets really problematic. I will say: No. This is my patient data. I am responsible to control, manage, and secure it. It is Carson Tahoe data. A hospital would be responsible for their data. Epic can’t just take it and give it to whoever they want.

Interviewer: But what Dr. Halow is saying is that if you have an AI tool for taking dictation and converting that into a patient record… you do allow that?

Maria Pearson: We do allow the AI transcription product. We encourage transparency from the provider directly to their patient—to gain consent to use it. To bring that patient into the conversation of why they are using it. It is not simply good enough for us to have it in a consent form or a posting somewhere.

Cybersecurity & Shared Responsibility

Dr. Kevin Halow: Last thing I want to cover is cybersecurity. ClinicianCore has a very strong stance against phishing and malware. How does that aid in compliance?

Maria Pearson: I think training of the users on how to identify phishing and malware is really important. Phishing is so sophisticated it could fool the most intelligent person out there.

Dr. Kevin Halow: If I had a breach because of phishing or malware, is it the physician’s fault? Who is held responsible?

Maria Pearson: It could be both. The way liability works is that anyone can be put on that lawsuit. But what it comes down to is: Who was negligent? Who was careless? Who was given the information to follow the rules and didn’t? You could be held liable not just under HIPAA, but in an actual negligence lawsuit, because protecting patient privacy is a standard of care.

Dr. Kevin Halow: We appreciate you joining this webinar. We demonstrated how secure communication technology can strengthen both compliance and the relationships that define quality patient care.