Caveat 5.5.22
Ep 124 | 5.5.22

Modernizing healthcare regulation?

Transcript

Patrick Sullivan: Maybe new regulation isn't what's needed, but maybe the market, through third-party certification, through other mechanisms, can really help hold itself accountable to doing the right thing and creating what we really want to create.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin, from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Today, Ben covers an eye-opening footnote from a Ninth Circuit court case about internet content collection. I've got the tally of the number of warrantless searches the FBI conducted last year. And later in the show, my conversation with Patrick Sullivan. He's from A-LIGN Compliance and Security. We're discussing the privacy implications of the attempts to modernize HIPAA. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, let's jump into our stories here. Why don't you start things off for us? You are - you're in character this week, aren't you? You were right (laughter)... 

Ben Yelin: I am. I called this on Twitter a Kerr bomb... 

Dave Bittner: (Laughter) OK. 

Ben Yelin: ...Because it was a story alerted to me by my imaginary friend. Well, he's a real person... 

Dave Bittner: Right. 

Ben Yelin: ...But our friendship is imaginary. 

Dave Bittner: Right, right. 

Ben Yelin: And that's Professor Orin Kerr... 

Dave Bittner: Yeah. 

Ben Yelin: ...From the University of California, Berkeley. And he alerted me to kind of a throwaway provision in a Ninth Circuit case, so that's the federal appeals court located on the West Coast. The case is U.S. v. Rosenow. It's a case about an individual who was arrested returning from the Philippines, where he engaged in sex tourism with minors. And he arranged these meetups with these minors through online messaging services by Yahoo! and Facebook. And so the questions raised in this case were Fourth Amendment questions about whether he had a reasonable expectation of privacy in those communications. The people who are briefing this case on actually both sides of the divide raised a whole bunch of potential issues. Sometimes, lawyers are going to do that in a case. You don't know which issue is going to be the one that the members of the panel glom onto for the decision, so you write a brief kind of covering all of your bases. And one issue that was mentioned in the briefs is whether internet contact - content preservation is or is not a seizure under the Fourth Amendment. So the Fourth Amendment prohibits unreasonable searches and seizures. 

Dave Bittner: Right. 

Ben Yelin: As the court said in this passage, in this case, a seizure of property requires some meaningful interference by the government was - with an individual's possessory interest in this property. Here, where the preservation requests themselves, which only apply retrospectively - that didn't interfere with the defendant's possessory interest in his own digital data because they did not prevent Rosenow, the defendant, from accessing his own account, nor did they provide the government with access to any of Rosenow's digital information without further legal process. Furthermore, he consented to the internet service - the messaging service providers honoring preservation requests from law enforcement. 

Dave Bittner: OK (laughter). 

Ben Yelin: So this is... 

Dave Bittner: Give it to me in plain English, Ben (laughter). 

Ben Yelin: Yeah. 

Dave Bittner: Unpack it for me (laughter). 

Ben Yelin: So I realize I just spoke a lot of legalese there. What this means is the preservation of internet content as part of a government's - some sort of government inquiry would not count as a seizure of property for Fourth Amendment purposes. Therefore, a person doesn't have any Fourth Amendment interest in the seized information. So to put this in more layman's terms, the internet content, according to this provision, is not yours - you have put it out into the ether of the internet - for a couple of reasons. One, you've agreed to the terms of service, which explicitly say that the government can request this information from service providers. So that's one way in which you no longer have a possessory interest, but also because the fact that this information gets into government hands doesn't affect the defendant's current possessory interests in his data. That person, Rosenow, is still able to access his own account, so he's not being deprived of getting access to his own online communications. 

Dave Bittner: So that - so help me understand. So that is the - that is how they're parsing the word seizure - that seizure means taking something away from someone? 

Ben Yelin: Exactly. So here they're saying his electronic communications haven't been taken away from him because he can still access them. 

Dave Bittner: Interesting. 

Ben Yelin: So what Professor Kerr notes about this case, which I think is particularly apt, is this was sort of a throwaway sentence in a much longer case. They spent much more time on different Fourth Amendment issues, different legal theories, but I don't think they - the three-judge panel nor the parties - recognized the significance of this type of holding. And what Professor Kerr says is that this is a nightmare for our legal system and for judges and attorneys across the country. You have a major issue, like whether seizures of online communications count as seizures under the Fourth Amendment. It's raised in passing by counsel. A federal court of appeals doesn't really know what it does - has not really confronted this problem in the past, but they decide the issue anyway without having seemingly considered it. It wasn't something that was raised, for example, at great length in oral arguments. And now that becomes precedent in the 9th Circuit, and it becomes persuasive authority in other circuits. I think what Professor Kerr is saying is if there was a debate on the merits of this issue - and there had been dueling law review articles about whether this type of content collection would count as a seizure for Fourth Amendment purposes, and it was adjudicated at oral arguments - if the counsels, you know, were arguing about it and the judges were asking questions, then, you know, even if you don't like the result, the process still would have been sound. But what actually happened here is the 9th Circuit perhaps inadvertently came down with a decision that has major precedential value without going through the fullest consideration. So I think that's what's problematic here. 

Dave Bittner: Is there any way to backpedal on this? 

Ben Yelin: So there are a couple of ways to backpedal on it. One is other circuits are not bound by this. So if you get, from any of the other federal - if you get a decision from any of the other federal circuits, they could explicitly critique what the 9th Circuit has said, and they could say our reading of relevant Fourth Amendment case law, relevant statutes like the Stored Communications Act - we go the other way on this. And eventually, if that dispute becomes interesting enough for the Supreme Court, they could take it up and could reverse the 9th Circuit's argument. And this is certainly something that Rosenow - if he wanted to petition to the Supreme Court, he could. I mean, he could certainly appeal this case. The Supreme Court has no obligation to take it, and I don't think they would take it unless there is some sort of split among federal circuits. There is sort of another out here. If you read the opening merits brief from the defendants, it's not at all clear that he raised the issue. He actually addressed it in his reply brief, which is not his original case brief. 

Dave Bittner: Who's he? 

Ben Yelin: The defendant. 

Dave Bittner: OK. 

Ben Yelin: Sorry. 

Dave Bittner: Yep. 

Ben Yelin: More accurately, the defendant's attorney. 

Dave Bittner: Yeah. 

Ben Yelin: And under precedent in that circuit, if you don't raise the issue in his - in your opening merits brief, then that's not an issue that could be adjudicated. So he could try and get re-consideration in front of the full 9th Circuit Court of Appeals en banc. It's a large court. There are something like 20 judges on the 9th Circuit, so that could take a long time. There's certainly no guarantee that they would reconsider the case en banc, but that is certainly an option, and they might decide that, regardless of where you come down on the merits, you can't make a binding decision when it wasn't raised by the defendant in the original merit brief. So that would be kind of a procedural way out. 

Dave Bittner: Is there or would there ever be any acknowledgement from the 9th Circuit Court that, oh, hey, you know, we didn't mean to make - to have something with such implications happen in such an offhanded way? 

Ben Yelin: Judges generally don't do that. I mean, they like to think of themselves as sages. They like to think we have the best law clerks imaginable. They combed through every relevant legal issue. You know, it'd be kind of embarrassing for a judge to admit that they got the law wrong because... 

Dave Bittner: (Laughter). 

Ben Yelin: ...They just weren't paying attention closely enough. 

Dave Bittner: Right. Right. 

Ben Yelin: And this has happened at various points throughout our history, where major judicial doctrines that end up developing over decades, centuries, originate from a throwaway line in a case. I mean, the most famous one, from my perspective, is what was called Carolene Products footnote four. It was a footnote in a 1930s decision about when certain laws merit stricter scrutiny from courts, and it said laws that either deal with fundamental rights, like those rights listed in the Bill of Rights, or those that affect discrete and insular minorities - those types of decisions merit strict scrutiny in our judicial system. That was written by a law clerk in a footnote, and that became the standard of jurisprudence in equal protection cases and all different types of constitutional cases for the next 90 years - since it was decided. And, again, that was a footnote written by an enterprising law clerk. 

Dave Bittner: (Laughter). 

Ben Yelin: So sometimes this happens. 

Dave Bittner: Yeah. 

Ben Yelin: It's almost like an accident of history, but it does go to - I think the broader lesson here is even if a court hasn't gone through the meticulous process of considering every issue, it's still binding precedent once it's written out on paper - once it's decided - and it becomes harder to undo because courts like to, in most circumstances, rely on their previous decisions when making new decisions. 

Dave Bittner: Yeah. I mean, I guess it's a reminder that the court is made up of people, and they are imperfect, right? 

Ben Yelin: Yes. They are certainly... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Human beings. They are also overburdened with hundreds of live cases at any given time. I like to think that they're paying attention at every single oral argument, but they are human beings just like the rest of us. They probably are also distracted on their smartphones. So it happens. 

Dave Bittner: (Laughter) Right. Right. 

Ben Yelin: They are imperfect individuals. 

Dave Bittner: Yeah, that's fascinating. All right. Well, we will have a link to that actually tweet from Professor Kerr on our show notes. My story this week - this comes from the folks over at CyberScoop. This is a story written by Suzanne Smalley, and it's titled "Spy Report: 3.4 Million Warrantless Searches of U.S. Data Under FISA Last Year." So the federal government puts out a report every year that - a transparency report to kind of tally what has been going on in terms of the warrantless searches under FISA. And this year's report just came out, and they said the FBI conducted as many as 3.4 million warrantless searches of U.S. citizens' data last year that the NSA collected. This is part of the FISA Act. Interesting that this is a spike from the previous year, which was at 1.3 million - so went from 1.3 to 3.4. The feds point out that 2 million of the searches stemmed from an investigation of alleged Russian hackers that were part of an attempt to identify and protect victims as opposed to investigate American citizens. Is - does that matter, Ben? Like, does... 

Ben Yelin: That stuck out to me. I mean, is that supposed to make us feel better? 

Dave Bittner: (Laughter). 

Ben Yelin: They were still conducting these searches... 

Dave Bittner: Right. 

Ben Yelin: ...And it was still encompassing a lot of U.S. person data. And that's going to happen under Section 702. 

Dave Bittner: Yeah. 

Ben Yelin: So the purpose of the law is to leverage the fact that most major tech companies exist in the United States. We can use them to gather information on overseas targets. But for all different types of things - international terrorism being one of them, but also whatever the Russians are doing - inevitably, some of those overseas targets are going to be communicating with U.S. persons. And if those communications are captured in that dragnet, they go into a database that can be searched without a warrant unless it's part of a predicated criminal investigation. 

Dave Bittner: Yeah. 

Ben Yelin: So just because it was part of an investigation for something seemingly important, like a Russian hack, it doesn't necessarily - it doesn't make me feel better because we saw the same number of people - or same number of records that have been collected. Whether it was for good reasons or not, I think it's the sheer volume that's problematic here. 

Dave Bittner: They quote Ashley Gorski, who is a senior staff attorney at the ACLU on their National Security Project, and Ashley Gorski says, FBI agents are collecting and then searching through Americans' international emails, text messages and other communications on an enormous scale, all without a warrant. Today's report sheds light on the extent of these unconstitutional backdoor searches and underscores the urgency of the problem. It's past time for Congress to step in to protect Americans' Fourth Amendment rights. So there's your opposing opinion there (laughter). 

Ben Yelin: Notable quotable. 

Dave Bittner: Right. 

Ben Yelin: Two comments there - one, I actually don't like it when civil liberties advocates pin this on agents. So I find it a little problematic in the first sentence when she says FBI agents are collecting and then searching through Americans' international emails. This is programmatic. Yes, it is individual agents who are doing the searching... 

Dave Bittner: Right. 

Ben Yelin: ...But this is a policy matter that's been decided by our elected representatives. That's what she gets out of the second part of the statement here, is there is a way to close this loophole and to shut down backdoor searches. It's been proposed a number of times in Congress, and that is require a warrant for any search of the Section 702 database or any database that exists due to foreign intelligence surveillance activities. 

Dave Bittner: Yeah. 

Ben Yelin: Congress has been reluctant to do that. Their compromise in 2017 was to only require a warrant in very specific circumstances. As this article makes clear, we are up for reauthorization at the end of this year, 2022. So I think there is going to be a robust debate about FISA going forward. I will note that intelligence officials from the Trump administration, from the Biden administration - basically everybody who's in the leadership of the intelligence community has said Section 702 is the crown jewel of our counterterrorism tools. And so it's not going to be an easy fight for people who want to eliminate these backdoor searches, despite the volume of searches that we've seen here, just because I think when leaders of the intelligence community come in front of Congress and say, don't handicap us; we want to make sure that we have the most important surveillance tools at our disposal to stop bad things from happening... 

Dave Bittner: Right. 

Ben Yelin: ...It's hard to say no to that. 

Dave Bittner: Yeah. And I can - you know, if you're an elected official, you don't want to be the one who took away the ability to protect ourselves from terrorists or - you know, like, that - you could see that being the opposing candidate's ad, you know, when it's time for reelection. 

Ben Yelin: Right. Exactly, although it's such a niche issue that... 

Dave Bittner: Yeah. 

Ben Yelin: ...In very few circumstances is this ever going to show up in a political advertisement, which is kind of funny - although, there was a little snippet at a 2016 Republican presidential debate about surveillance where Ted Cruz and Marco Rubio, who are on opposite sides of the USA Freedom Act, which was a surveillance reform law, fought about it for 10 minutes while (laughter) all the other candidates just kind of stood there and... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Pretended they were interested. 

Dave Bittner: Right. 

Ben Yelin: So it does come up occasionally... 

Dave Bittner: Right. 

Ben Yelin: ...But this is not fodder for individual advertisements. One other really interesting aspect of the story - it wasn't mentioned in this article, but in other articles I saw - is there was actually a decrease in traditional FISA searches, so the ones where you go to the FISA court to get authorization to surveil U.S. persons who are either foreign powers or agents of foreign powers. So we have this increase in records collected under Section 702, which targets foreigners, non-U.S. persons, but we actually have a decrease of FISA court searches, which are designed to target largely U.S. persons. So there are kind of two theories for that that are in - varying levels of plausible, at least from my perspective. The first is because of the pandemic, even the terrorists have stayed home. It was harder to travel to the United States. 

Dave Bittner: (Laughter) Right. Right. 

Ben Yelin: So for bad guys who might have in the past tried to make it into the U.S., our borders for much of the past two years have been relatively hard to penetrate... 

Dave Bittner: Yeah. 

Ben Yelin: ...Because of the pandemic. So that's one theory. And then the other is the FBI is submitting fewer requests because there was that Horowitz report in 2019 which analyzed some of the kind of the shoddy process that went into traditional FISA warrants, as represented by the Carter Page warrants and the whole Russiagate investigation. So I just thought that was another really interesting element to the story. 

Dave Bittner: You know, to me, this suffers from kind of the fog of very large numbers. Like, OK, you know, 3.4 million warrantless searches. The year before, 1.3 million warrantless searches. Eh, like, it's a big number. 

Ben Yelin: So hard to conceptualize, yeah. 

Dave Bittner: Well, but - and also, there's really no explanation of what that means. I mean, so let's say there's a - I don't know, a bad guy or gal out there who the FBI is interested in. And they say, we're going to collect all of their emails over this period of time, and that's 2,000 emails. Does that count as 2,000 warrantless searches or does it - or is it one? I don't know. 

Ben Yelin: Yeah. 

Dave Bittner: Does it - you know, so it's sort of - it's a large number. It's a number that I think makes us all go, whoa. But without really any details, it's hard to know - is it really a large number? 

Ben Yelin: Right. It's so hard to conceptualize. 

Dave Bittner: Yeah. 

Ben Yelin: I mean, all we know is compared to previous years. 

Dave Bittner: Right. 

Ben Yelin: So it's been raised compared to previous years. What we might see happen is - let's say we get a report in 2023 that says it's actually decreased. Maybe that will really be an indication that there was a large-scale investigation where they had to collect a bunch of records. If I had to guess, I don't think that's going to happen. 

Dave Bittner: Yeah. 

Ben Yelin: Surveillance programs tend to expand over time, absent some type of intervening event. And for that, you know, we'd need Congress to step in and make a decision that you need to have a warrant to search the Section 702 database. 

Dave Bittner: Yeah. All right. Well, again, this article comes from CyberScoop, written by Suzanne Smalley. We will have a link to that in the show notes. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Patrick Sullivan. He's from an organization called A-LIGN. And our conversation centers on attempts to modernize HIPAA and the potential for that to affect health care. Here's my conversation with Patrick Sullivan. 

Patrick Sullivan: You know, as we think about HIPAA - HIPAA is an acronym for Health Insurance Portability and Accountability Act, which in '96 when it was signed into law was exactly what it was intended to provide mechanisms to do - make health insurance portable across providers and across payment systems. You know, originally the focus of HIPAA really centered on information exchange. That was it. Can we get health care data from here to here in a meaningful way that doesn't slow down the process of taking care of our patients? 

Patrick Sullivan: Now, what we've seen is that as we think about continuous improvement and revelation as time goes on, what we've seen is that over the years, really in two- or three-year increments, we see modifications, proposals for changes to shore up various areas that we hadn't necessarily considered in the past. In other words, early on, shortly after '96, we recognized that though we had made provision to transition data, we hadn't necessarily considered protecting the privacy of that information. And so early '98, '99, we started to see pushes, really from the top down, to implement controls around protecting the privacy of that information as well. 

Dave Bittner: So where are the areas where HIPAA is finding itself a little creaky or rough around the edges? 

Patrick Sullivan: Well - and, Dave, that's the thing. And Moore's Law - you know, I think Moore's Law plays out outside of technology as well, in that the technology is advancing so quickly that regulation just can't keep up. You know, early on, some of the controls, as we mentioned, were implemented to begin really focusing on protecting privacy and security of information. But what we see is that cycle - that evaluation, review and revision cycle for regulation and recommendation just can't keep up with the speed with which things change from a technological perspective. So really and truly, across the board, we see opportunities for improvement, which is exactly why the proposal for this new legislation makes so much sense. 

Dave Bittner: Well, let's switch gears and talk about that new legislation. We have some senators who have a proposal here. What are they up to? 

Patrick Sullivan: So what they are up to is effectively stepping back and saying, let's stop and think about what we really want to create. You know, until now, as I mentioned before, we've gone through, really, increments of the Deming loop where, every two or three years, we recognize that things need to be done, so we'll bolt on some new mechanism or we'll add on some tangential process that's meant to address some very specific use case. And so there's an old saying where I'm from that a camel is a horse by committee. Very much, we're working with a camel today as it relates to how we think about protecting the security and privacy of patient information. What our senators are proposing is that we take a step back and we think about what we really want to create based on what we know about where the market is and where technology is today. So, ultimately, their goal isn't to burn everything down to rebuild it from scrap. But if their idea plays out, hopefully that's where we'll end up - with new regulation, new recommendation, new guidance to protect the security and privacy of ePHI as it exists today and then into the future. 

Dave Bittner: Well, I should mention that this is bipartisan legislation coming from Senator Bill Cassidy, a Republican from Louisiana, and Tammy Baldwin, who's a Democrat from Wisconsin. Are there any specifics here that have caught your eye? 

Patrick Sullivan: Well, I think, first and foremost, the fact that their proposals just make sense. You know, what they would like to do is really obvious in a lot of ways. You know, as I mentioned before, we've gotten to a place that we have bolted on so many mechanisms to account for things that we just hadn't considered before. Their proposal is that, again, we pump the brakes, we take a step back out of the chaos and think about what we really want to create based on that - based on our evaluation - driven by lots of folks that actually have skin in this game - have skin in the game of providing patient care very well. Let's step back. Let's address risk as we know it today, in this new world. As we know, the risk today is fundamentally different than what they were seeing in 1996. Let's think about the effectiveness of these requirements that we're proposing as it relates to doing what we really want to do, which is allowing patient autonomy to the extent that we can still ensure that we're protecting the privacy and confidentiality of their data. And then the last big thing that should come as an output from this legislation is recommendations on how to move forward. You know, I think there's a natural assumption that the path forward will include more regulation. What the senators are saying, however, is, look, we need to be open to the idea that maybe the market can drive some of this. Maybe new regulation isn't what's needed, but maybe the market - through third-party certification, through other mechanisms - can really help hold itself accountable to doing the right thing and creating what we really want to create. 

Dave Bittner: Have you seen any shift in the way that this sort of legislation is approached? And I guess what I'm getting at is the recognition that we are in an age of rapid change. As you mentioned, it's hard for any legislation to keep up with the rate of change that we see in technology, so does that affect the way that legislators approach this sort of thing? Do they deal more in possibilities rather than specifics? Because those specifics may change. 

Patrick Sullivan: And I think they have to now, Dave, you know, quite simply. And, of course, this is me trying to mind-read for the legislators. But I think, to be effective, they have to consider that we don't necessarily know what we don't know. And so, largely, we need to be directionally correct with new regulation that's employed - that's rolled out across the nation - as opposed to being specifically direct because specifics change, to your point, so rapidly that we just can't move quickly enough to stay in front of the changes. 

Dave Bittner: Are we at a point where there's agreement on the types of things that we need to see here? Is there agreement on the types of privacy that we need and balancing that with the ability to - and I believe patients' desire to - have their information, you know, flow between their health care providers? 

Patrick Sullivan: Sure. And, unfortunately, I would say no (laughter). 

Dave Bittner: Huh. 

Patrick Sullivan: And I would say no because, you know, historically, as we think about patient care from a clinical perspective, there have really been two philosophies that we've all dealt with. So the first philosophy is one that I think you and I grew up with, which is something referred to as physician paternalism, wherein the doctor is right. We don't question. We simply do what the doctor tells us to do as best we can. The second philosophy is something referred to as patient autonomy, wherein the patient is correct. And the patient takes ownership of really driving that doctor-patient relationship. So that, the battle of those philosophies, you know, the cross-purposes, the goals of those two philosophies, have kind of worked their way through the clinical setting and are really bubbling their way up to the legislative setting today. You know, as an example, interoperability and blocking became a significant portion of the 21st Century CARES Act. In fact, some 2022 changes to the HIPAA privacy rule are going to have more strict compliance regulations related to the speed with which a provider can release medical records. Now, this generated a lot of news back in 2020 when these proposed changes were first released, generated a lot of pushback from significant players in the game. 

Patrick Sullivan: As an example, Judy Faulkner, the CEO and founder of Epic Systems, came out and said, look; we need to stop and think about what it is we're about to require because the patients, the people who want to use their own data, don't necessarily know what they're getting into. So she took a lot of heat and took a lot of pushback for those comments. But ultimately, her point is, we are rolling out new legislation that's intended to make interoperability easier for everyone. But in doing so, we're not necessarily thinking about the unintended consequences. As an example, one of the rule changes requires that covered entities, those practices that have patient medical records, will have to be able to port that information to a personal health application of the patient's choice. That application has no requirement to carry any sort of certification, no attestation, no security controls in any way, shape or form. The new legislation is requiring that people that can control and secure the confidentiality of patient data are now being required to shoot it out to anyone who wants to receive it, whether or not that data can maintain its confidentiality once it's received. So in a lot of ways, I think, common sense still has to be tested. And in a lot of ways, you know, I think we're working through that battle of physician paternalism and patient autonomy. 

Dave Bittner: Yeah. That's a really fascinating point, you know? It seems to me, you know, having come as far as we have with COVID, I've certainly seen that there's a lot of misunderstanding out there on the part of consumers as to what exactly, you know, HIPAA covers and - I don't know - kind of like the First Amendment, you know? Some people think, you know, that HIPAA covers whatever it is that they don't like, you know (laughter)? 

Patrick Sullivan: Yeah, it's the other. It's always the other. Yes. 

Dave Bittner: Right. Right. And it's simply not true. And I guess my question is, you know, to what degree do we have a responsibility as consumers to be educated as to exactly what our obligations are, our responsibilities are when it comes to our own privacy of our health care information? 

Patrick Sullivan: And that's a great question, Dave. And, you know, I don't know that I have an answer. I do think the sister to that question, however, is to what degree may we as a consumer continue to hold accountable providers who give us our own data? In other words, if my provider gives me my personal data at my request and that data is then compromised, whose responsibility is it, you know? Those are questions that seem so obvious, the answers to which seem so obvious, but we've not yet thought through, you know? We've not yet created really specific response plans for those scenarios. 

Dave Bittner: Do you have any sense for what kind of timeline we might be on with this, you know? When might we expect to see real change here? 

Patrick Sullivan: And so what we'll see very likely is a two to three-year cycle of working through the process, even getting this legislation passed. So from there, you know, maybe another two to three-year cycle of actually walking through the process of understanding what it is we're trying to accomplish. You know, I think in the Senators' public comment, they make a statement that within six months of selecting their commission, they hope to have feedback ready for Congress. But, Dave, I would say, even if this is greenlit within the next six months, we're probably still a good four to five years away from seeing any meaningful change. 

Dave Bittner: All right, Ben, what do you think? 

Ben Yelin: So I think we kind of think of HIPAA as static. It's been a law on the books for almost 40 years now. But what I got out of the interview is it's actually pretty dynamic. I think there's a lot of promise in the proposed legislation that you mentioned, the Cassidy-Baldwin bill, where they would set up a commission to determine some of these data privacy issues. I know people are going to roll their eyes that it's a commission and they're not actually coming up with the rules themselves for how - when and in what circumstances data can be collected. But I think a commission would be the start. 

Dave Bittner: Yeah. 

Ben Yelin: So I think there are some promising developments there. 

Dave Bittner: Yeah. Absolutely. All right. Well, our thanks to Patrick Sullivan for joining us. We do appreciate him taking the time. That is our show. We want to thank all of you for listening. The Caveat podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.