AI in Healthcare: What Compliance Teams Should Be Paying Attention To

Healthcare organizations are moving fast on AI adoption, digital transformation, and integrated care coordination. At the same time, regulators are increasing scrutiny around HIPAA, privacy protections, data governance, and 42 CFR Part 2 compliance.

That combination is creating a new level of pressure for compliance, legal, privacy, and operational teams trying to balance innovation with risk management.

That’s exactly what CJ Wolf explored in a recent episode of Compliance Conversations with healthcare attorney Debbie Cmielewski, who works extensively with healthcare organizations navigating HIPAA, substance use disorder privacy protections, AI vendor agreements, and healthcare compliance risk.

What makes Debbie’s perspective particularly valuable is that she sees these issues from multiple angles — advising providers, healthcare facilities, and vendors operating throughout the healthcare ecosystem. The conversation focuses not just on regulatory requirements, but on the operational reality healthcare organizations are facing right now.

Why This Conversation Matters for Compliance Professionals

Healthcare privacy requirements are evolving quickly.

Organizations are simultaneously navigating updated 42 CFR Part 2 requirements, increased OCR enforcement expectations, expanding AI adoption, and more complex vendor relationships — all while operational pressure on healthcare teams continues to grow.

For compliance officers, privacy leaders, and healthcare executives, that creates difficult practical questions. How should organizations evaluate AI vendor agreements? What happens when staff don’t fully understand privacy obligations? How do organizations operationalize Part 2 requirements? And what does OCR enforcement likely look like moving forward?

One of the biggest themes throughout the episode is that compliance can no longer operate in silos. Privacy, legal, IT, compliance, leadership, and operational teams increasingly need to work together as healthcare technology and regulatory expectations continue to evolve.

What the Episode Covers

Understanding 42 CFR Part 2 and Why It Exists

One of the most important parts of the discussion focuses on the intent behind 42 CFR Part 2 protections.

Debbie explains that the regulations were designed to encourage individuals to seek substance use disorder treatment without fear of discrimination, employment consequences, housing issues, or loss of custody rights. Those heightened confidentiality protections still remain central to the regulation today.

The conversation also explores how regulators are now trying to better align Part 2 requirements with HIPAA while still preserving additional protections for highly sensitive patient information.

What Changed Under the Recent Part 2 Updates

Debbie walks through several major updates organizations should understand, including expanded care coordination flexibility, single patient consent for treatment and payment activities, OCR enforcement authority, and new breach notification expectations.

One of the key takeaways is that organizations can no longer treat Part 2 as a niche issue isolated to certain providers. As healthcare data sharing and care coordination continue to expand, more organizations may find themselves affected by these requirements than they initially realize.

Why AI Vendor Agreements Are Becoming a Major Compliance Risk

One of the most eye-opening sections of the episode centers around AI vendor agreements and healthcare data usage.

Debbie discusses how many organizations are rushing to adopt AI tools without fully understanding how vendor agreements handle data, whether HIPAA protections are adequate, or what rights vendors may retain related to healthcare information.

She also highlights a growing operational challenge: legal and compliance teams are often brought into AI conversations too late — sometimes after agreements have already been signed.

For compliance professionals, this raises an important practical reminder: AI governance is no longer just an IT issue.

The Operational Challenges Organizations Are Facing

Another strong theme throughout the episode is that many healthcare organizations simply feel overwhelmed.

Debbie discusses how smaller providers often struggle with understanding whether Part 2 applies to them, updating policies and consent forms, training staff appropriately, conducting risk assessments, and assigning ownership and accountability.

Her advice is practical and realistic: start somewhere.

Rather than avoiding the work entirely because the scope feels too large, organizations should begin building compliance infrastructure incrementally and consistently.

Why Cross-Functional Collaboration Matters More Than Ever

The episode closes with a broader operational point that will likely resonate with many healthcare compliance teams.

Debbie emphasizes that compliance, HR, IT, legal, leadership, and operational departments all need to be part of these conversations moving forward. Privacy oversight, AI governance, security, and compliance expectations are becoming too interconnected for organizations to manage independently.

That may ultimately be one of the biggest themes of this conversation: healthcare compliance is becoming increasingly operational, collaborative, and technology-driven.

Looking Ahead

AI adoption is accelerating. OCR enforcement expectations are increasing. Privacy requirements are evolving. And healthcare organizations are trying to operationalize all of it simultaneously.

This episode offers a grounded, practical conversation for healthcare leaders trying to navigate that complexity without losing sight of patient privacy, organizational risk, and operational reality.

Whether your organization is actively implementing AI tools or still evaluating what comes next, the discussion offers valuable insight into where healthcare compliance and privacy oversight are heading — and why governance conversations need to happen earlier, not later.


ABOUT DEBBIE A. CMIELEWSKI:

Debbie A. Cmielewski is a member of the Health Care Law and Corporate Practice Groups and co-chair of the Firm's Pharmaceutical Industry and Pharmacy Practice Group. Debbie has also served as a member of the Firm's Management Committee.

Debbie advises and counsels health care providers, including hospital systems; physicians; providers of services to the intellectually and developmentally disabled; mental health and substance use disorder facilities; long term care facilities and home care agencies. She also advises pharmaceutical manufacturers and myriad vendors in the healthcare space. Debbie has significant experience in the representation of regulated professionals before administrative agencies in both health and non-health related professions. She also lectures frequently on health care and human resources topics and provides workplace compliance training in a variety of areas, including HIPAA and 42 CFR Part 2.

Debbie previously served as Vice President, General Counsel of Armada Health Care LLC (n/k/a Asembia), where she also oversaw the compliance and human resources functions in the organization. She has over 20 years' experience as a practicing attorney, holding key positions in health care corporate law and commercial/bankruptcy litigation. Early in her legal career, Debbie served as Chief of Regulatory Affairs for the New Jersey State Division of Consumer Affairs. Debbie holds a B.B.A. in Finance from Pace University, and a J.D. from Seton Hall University.


ABOUT SCHENCK, PRICE, SMITH & KING:

Schenck, Price, Smith & King is a full-service law firm with offices in Northern New Jersey and Manhattan, serving closely held, growing companies. For 112 years, Schenck Price has represented commercial businesses, individuals, public institutions and charitable organizations with excellence and integrity. We are proud that, in addition to their expertise and experience as legal practitioners, our attorneys have served in positions of leadership in public institutions, as well as community and charitable organizations.

Founded in 1912 as a two-person law firm in Morristown, Schenck Price has entered its second century of service as a firm of 80+ attorneys, serving virtually all legal needs of businesses and individuals. Our Firm’s long history of legal excellence in the areas of health care, education, construction, trust and estate planning, corporate law, real estate, insurance defense, banking and commercial litigation, has expanded as the Firm has grown. Our areas of practice also include telecommunications, technology, environmental law, corporate governance, labor and employment law, and family law. Many of our attorneys have been recognized as leaders in their respective practice areas.

Episode Chapters & Transcript

Introduction to Debbie Cmielewski and Her Healthcare Privacy Practice
Timestamp: 0:05 – 2:15

What 42 CFR Part 2 Covers and Why the Regulations Exist
Timestamp: 2:26 – 3:49

CARES Act Updates and Major Part 2 Regulatory Changes
Timestamp: 4:01 – 8:37

Heightened Privacy Protections for Sensitive Patient Information
Timestamp: 9:31 – 12:10

Common Provider Challenges With Part 2 Compliance and Staff Training
Timestamp: 12:23 – 15:00

OCR Enforcement Expectations and Why Organizations Should Prepare Now
Timestamp: 15:23 – 18:20

AI Vendor Agreements, HIPAA Risks, and Data Governance Concerns
Timestamp: 18:24 – 23:25

Practical Advice for Organizations That Feel Overwhelmed
Timestamp: 24:37 – 28:05

Final Thoughts on Collaboration, Governance, and Compliance Readiness
Timestamp: 28:25 – 29:28


CJ Wolf: 00:00
Hello, everyone. Welcome to another episode of Compliance Conversations. I am CJ Wolf with Healthicity. And today we're going to talk about some HIPAA and privacy things with an expert, Debbie Cmielewski. Welcome to the show, Debbie.

Debbie Cmielewski: 00:18
Thank you so much, CJ. Thank you so much for having me.

CJ Wolf: 00:22
Absolutely. We're excited to talk to you because you are an expert in this area as well as many others. But before we get into that detailed information, we'd love to hear a little bit about yourself. What do you do? What kind of work do you do? And those sorts of things.

Debbie Cmielewski: 00:36
Okay, so I am a partner in a law firm in New Jersey, Schenck, Price, Smith & King. Our main office is in Florham Park, and we have a couple of other satellite offices. We're a full service firm. And I am in the healthcare group. And my practice is working with predominantly healthcare facilities, hospitals, substance use disorder facilities, intellectual and developmental disability agencies. So like group homes that provide services to people with intellectual and developmental disabilities. And we represent some of the larger health systems and some of the smaller ones in New Jersey as well. So a mixed bag of very interesting facility-based work. And I also represent vendors in the healthcare space, which is helpful to my clients because I see both sides of transactions. I see both sides of data breaches. And I, you know, I can kind of anticipate the arguments on the other side, which is helpful.

CJ Wolf: 01:42
Excellent. What a great background. And we'll include some of Debbie's information in the show notes. So if you want to reach out to her or their firm, then you'll have that contact information. So we wanted to talk about 42 CFR Part 2. Now, I'm giving this chapter and verse, and some of our experts listening will know, but tell us first what that is before we kind of jump into some of the details about what's going on with it.

Debbie Cmielewski: 02:12
So 42 CFR Part 2, or we call it just Part 2 in the vernacular, are the federal regulations that protect the confidentiality of substance use disorder regulations. And they're interesting, CJ, because before these were implemented, there were people who were afraid to pursue treatment for substance use disorder because people were being discriminated against in terms of getting a job. They had a hard time getting housing, people were losing their kids and not able to get them back because there was no confidentiality around this treatment. So it really was life-changing for people to have this put into place.

CJ Wolf: 03:03
Yeah, you know, it's a very vulnerable population. Folks are trying to do better, right? And so if they're seeking treatment and they're trying to get help, it's a way to make sure that they're protected to a certain extent. And so, well, excellent. So with that as a foundation, I understand there may have been some changes recently, and some recent dates. Tell us a little bit about what you know about those changes and what people should have been doing or should be doing.

Debbie Cmielewski: 03:35
So the CARES Act in 2020 had some confidentiality provisions that needed to be implemented. And so there was a regulatory proposal in 2022 to modify the 42 CFR Part 2 regulations. And there was a proposal that was put out. I was surprised that there were 220 comments. I think in my mind I would have expected more, but there were 220 comments, and there was an adoption of those regulations in 2024, and by February 16th of 2026, you had certain changes that had to be implemented. So those included, well, let me tell you generally what changed in the regulations. So the providers of substance use disorder or SUD services, as we call it, can now use a single consent form for all future uses of treatment, payment, healthcare operations, without going back and getting individual consent every single time they want to share information. And even if you're not a provider in this area and you're just a lay person, I think it's obvious that care coordination is happening in healthcare, and that's to everybody's benefit, you know, for yourself or for any of the listeners. If you go to a doctor now, many times your doctor's electronic medical record is linked with other providers, and that's to your benefit because your doctor doesn't have to wonder what happened during your visit to the pulmonologist or the visit to the hematologist. He or she can see, you know, have visibility into the record, and they can make quicker decisions and are able to coordinate care among providers. So it's really been game-changing. And to allow a single patient consent is wonderful because it enables people to get the services that they need and to arrange for treatment and arrange for payment without having to go through a lot of red tape the way they did before.
So then once that information is shared, providers, covered entities, and business associates can share the information the same way that they can under HIPAA. There is a change with respect to records to be used for civil, criminal, and administrative proceedings, and you've got to have a separate standalone consent form for that. And this is intuitive, right? If somebody's records are going to be used to prosecute them for something or, you know, take legal action against them in any respect, we want them to fully understand what that means. We don't want that language to be buried in another consent form that they sign off on, and then all of a sudden, you know, they've signed off on this thing that's making them subjected to fines, penalties, jail time, you name it. So, you know, that was a good and positive change, I think. So the Part 2 penalties are now aligned with HIPAA, and you know, they're stringent. They are. There's a new enforcement program, so the HIPAA regulations are implemented and carried out by the Office of Civil Rights under HHS. The Office of Civil Rights has been implementing HIPAA regulations forever and fining and penalizing people for a long time. So they understand how to do this. And now, if you've got a substance use disorder issue, the OCR is also going to be responsible for looking at those, investigating them and, you know, potentially penalizing people, you know, for that sort of thing. You, as a provider or a covered entity under HIPAA or an SUD provider, if you have a data breach, you've now got to make notification the same way that you would a HIPAA breach. And if you want to file, if you've ever gone through this process, you can even play around and pull it up and look at the portal. It's very easy for people to report a data breach against somebody. All you need is a computer and a Google bar, and you can get to that screen.

CJ Wolf: 08:24
Yep.

Debbie Cmielewski: 08:25
You know, so it's very user-friendly. If you pull it up, it says report a HIPAA breach, report a, you know, 42 CFR Part 2 breach. And you click. I've gone through it just to play around, and I've gone through it actually for clients with them. And believe me, if you're a provider in this area, you know that it's very simple for people to do this. And if you're not minding your P's and Q's, there's, you know, there's risk there. So those are some of the major, you know, major things.

CJ Wolf: 09:01
Yeah, really good to know. And, you know, I understand this regulation a little bit, but I am by no means an expert in it day to day. So there are additional protections, right? Against records where SUD, and maybe you can help me out here, when it's mentioned in the record or when it's an active treatment or something, where there are additional permissions that are necessary to release that. Am I saying that right or have I misunderstood?

Debbie Cmielewski: 09:34
No, you're correct. So the regulators are trying to align confidentiality of SUD records under 42 CFR Part 2 with HIPAA to make things easier, but there is a heightened protection around records like HIV records, SUD records, super sensitive information, right? So you don't necessarily want, I mean, under HIPAA, you can share information, you know, for treatment, payment, healthcare operations purposes. I go to a doctor, he's gonna refer me somewhere, and we call it TPO. Under the TPO exception, they can turn that information over. So, you know, we want people to be comfortable that if they seek treatment for this, that everybody's not gonna find out about it. You know, I mean, I think every one of us, whether it's you yourself or a relative or a friend or somebody in your office or a neighbor, we all know at least one person, and I'm being conservative, who has battled with something like this. And think about how many people you know who were really afraid or their kids were afraid to go get treatment because everybody's gonna know that I have a drug addiction. Everybody is gonna know that I have an alcohol problem. And so this body of regulations tries to respect that in people. And also under the Great American Recovery Initiative, which is something that the Trump administration is, you know, committed to, which is why I think we're gonna see enforcement be stepped up, they want people to go into treatment, they want people to be able to clean themselves up and have the tools to do that without fear that I'm gonna lose my kids or I'm gonna lose my job.

CJ Wolf: 11:39
Exactly. So, what do you see? What are some of the things that you see providers struggling with in view of these changes or with these regulations in general?

Debbie Cmielewski: 11:51
You know, it's interesting. This is not an easy body of law and regulation to understand. You know, it's gonna be a little better now, I think, than it was because everything is aligned. So I say that to mean providers don't understand, just like as attorneys, we have to really analyze these to try to understand. And it takes several pairs of eyes sometimes. So providers are trying to understand what their obligations are, what they need to do. I have providers who contact me and say, I'm not sure if I'm a Part 2 program. I'm not sure if these regulations apply to me. How do I analyze that? And it's interesting because there are actually webinars out there and, you know, seminars you can take and tear sheets and all kinds of things to run you through an analysis to determine whether you are a person or entity that these regulations apply to. So they still struggle with that, you know. Even being in business for many years, I've had clients say to me, you know, we assume that this applies to us, but we're not really sure if we're being too conservative, you know.

CJ Wolf: 13:04
Right, right, right.

Debbie Cmielewski: 13:05
You know, they struggle. Some of my clients are struggling with how to train people, right? Because they had to make changes to their consent forms, explaining things to their patients and training people to understand what the agency's obligations are and what their obligations are, so that their workers can actually interact with the people that this applies to, right? So play it out. You know, you're sitting with a patient: okay, John, or Mary, you know, we're at the start of treatment. I want to just explain this consent form so that you understand what's going to happen here. In order to do that adequately, your staff has to understand what they're talking about, right? It's pretty difficult to fake that, right? You know, and I have clients who have people who try, and the blowback is the patient says, Okay, I signed that, but I never really knew what I was looking at. I didn't really authorize this. My mother told me to, my mother signed it, I should have been allowed to.

CJ Wolf: 14:14
Right.

Debbie Cmielewski: 14:15
You know, minors and their rights, which are very complicated because different states have different implications. And so, you know, there's just a lot at play here. So, great.

CJ Wolf: 14:31
Excellent things to think of. And I know, you know, a lot of our listeners are compliance officers, they're privacy officers, and so I know this is ringing true to a lot of them. It's been a great discussion so far. We're gonna take a quick break, everybody. We'll come back and we'll talk some more with Debbie about these regulations. Welcome back from the break, everybody. We're talking about 42 CFR Part 2. And, you know, before the break, you were mentioning a little bit about enforcement. You mentioned OCR. Is there anything else you would add about what you anticipate in regards to enforcement and these changes?

Debbie Cmielewski: 15:12
Because this is part of a major initiative, you know, in the US, we as attorneys in this area anticipate that there's probably going to be some pretty hefty, you know, enforcement in this area. If you look at certain things under HIPAA, like patient access to records, there have been tons of fines and penalties, and there's a lot of enforcement in this area. And I think if I had a crystal ball, we can expect this to be something that we'll see a lot of enforcement in because OCR is going to want to make an example out of people who do the wrong thing, right? Right. And so the way to do that, the way to make people nervous is, you know, if you're a practitioner in this area or an attorney in this area, we're, you know, we're all geeks. We subscribe to every listserv that we possibly can get our hands on because it's interesting who got fined, who's on the, you know, wall of shame at this point. Right, right. In order to make people understand what's at stake here if they don't get their houses in order, when a fine or a penalty comes out and there's an enforcement and we see action taken by the OCR, there's gonna be a press release, you know, there's gonna be a document, a settlement document that's going to be online, it's gonna be available. We're all gonna read about the bad thing that they say you did that you now, you know, are paying a penalty for. And so I would anticipate that we're going to see, you know, an uptick. I don't know when it will start. It's probably not gonna be a long time.

CJ Wolf: 17:00
Gotcha.

Debbie Cmielewski: 17:01
No, yeah, because now we're in the time period where everybody should be doing what they're supposed to be doing. But all along people have been trying to run their businesses, so, you know, not every agency has 10, 20, 30, 50, 100 people sitting around to donate time to this, especially with small providers. And I represent providers from very small to very large. Very small providers have each person in the organization having 10, 12 different roles.

CJ Wolf: 17:37
Exactly.

Debbie Cmielewski: 17:38
You know, so trying to find time to update the consent form when you don't even have time to, you know, pay attention because you've been in meetings for six hours straight is really difficult. I don't have the answer there, but exactly.

CJ Wolf: 17:52
Well, and you know, one thing that's on a lot of people's minds, we've had multiple episodes on the podcast about artificial intelligence. Everyone's talking about it, and so everyone is like, how does this apply? How does this affect us? Do you see any unique privacy challenges, not just with, you know, Part 2, but also maybe with HIPAA, because you work in that space as well, as you're seeing relative to providers who might be contracting with AI vendors? Any unique challenges you're seeing there?

Debbie Cmielewski: 18:22
Yes. And let me start by saying nobody's more surprised than me that AI is now taking over the world. I probably shouldn't admit that. Everything centers around this now. If I think about the last bunch of times that I was asked to speak on a topic, the large majority of the things over the course of the past 12 months have been regarding AI. And the rooms are always filled with people because everybody thinks, I'm gonna subscribe to an AI tool and now I don't have to do notes anymore. I'm gonna subscribe to an AI tool, and all of a sudden it's gonna tell me who to hire in my business. So, as far as privacy challenges are concerned, I see the agreements, right? I do outside general counsel services for a lot of different clients. And as an attorney working with these organizations, and I was in-house for a period of time during my career, too. The one thing that you have to remember as an attorney, you don't want to, you know, lawyer yourself out of the business transaction by being so hard and fast and not wanting to, you know, move off your position. But business people are so excited to subscribe to these tools. They want them so badly because they think they're going to change the world once we get them in the organization. They're going to be efficient, they're going to help, they're going to help the bottom line. We're all thrilled to use them. And a lot of times, legal doesn't get the agreement until the end, or they don't get it at all because somebody who has signing authority or thinks they do will just, you know, click on the terms and conditions, and now they have signed off and allowed a vendor of an AI tool to have access to potentially their data. Okay. So worst case scenario is you've got a vendor who's new to the space, because we see a lot of vendors coming into this space now.
They may not have HIPAA protections, they may not have their houses in order, and you as a provider are putting your data into the system. We don't know if they're HIPAA compliant. Did you get a business associate agreement? And one thing you know that people lose sight of is the small print on a lot of the agreements allows them to use your data for internal training, but also for marketing, for you know, business development, for tools. So some of the conversations that you need to be having as a provider are you know, first of all, legal or whoever signs off on your agreements should be talking to the business people. And everybody's got to communicate. All the departments have to work together. You know, before you guys or girls sign, you know, contract with a vendor, let me take a look at the paper because we need to make sure that we're not giving them rights to things that are dangerous, that you know, are giving them intellectual property rights to things that we don't even have the right to give them to.

CJ Wolf: 21:46
Correct.

Debbie Cmielewski: 21:47
Want to make sure that they're not taking our data and storing it in a country that or a you know, some sort of a location that doesn't have the security in place that we have. Here, or that doesn't have its house in order. So there's just so many moving parts. And as a trusted provider, a general counsel to many of these entities, you want to say to them, I really want to help you do this. I know you want to do this, but let's just look at these key things and let's look it up, let's look at it at the front end or at least train your people to know what to look for. Because the business people that are going to go out and meet with these vendors and get really all revved up about signing onto this tool and bringing it in-house onto our systems need to understand the dangers as well. Without, you know, I don't want to suck the air out of the balloon.

CJ Wolf: 22:43
Right, right. Right. Yeah. And you're, you know, our listeners are compliance officers that are in a similar situation where we're often known as the department of no. And, to your point, we need to be flexible enough to allow, you know, operations to occur, but to also inform people of these are the risks, right? So that no one is surprised after the fact if something happens and they're like, well, legal or compliance, you never told me this could happen, right? So those types of things I think our listeners are really used to. And in hearing you speak about AI, it's very similar to a lot of things we do in healthcare and in other compliance regulations, just making sure that everyone communicates, like you said. And, you know, like you said, AI, you know, there's this promise of, you know, we can reduce staff levels, we can, you know, improve the bottom line, our margins are so thin already. And so, like you said, everyone's excited about it, which is good, but you got to also know what are the potential risks of going into that. So I really appreciate you sharing that perspective. What would you say? So we have really experienced compliance officers listening today. We will have some that are kind of in a semi-mature program, and then some that are just starting. So, what would you say to clients or somebody who's not where they need to be in terms of maybe both HIPAA and the Part 2 compliance we've been talking about? Where do you start in terms of trying to address it? Because it feels overwhelming sometimes.

Debbie Cmielewski: 24:30
There's so much. And I'd be lying if I said I never had a client who's done nothing, because I've had clients who are smaller and have not developed anything, and they're almost afraid to make the phone call to, you know, a consultant or an attorney who does what I do. And I start asking questions. I think the most important thing to remember is you have to start somewhere. Putting your head in the sand is not going to work because compliance and enforcement is going in the opposite direction. And you may be able to stick your head in the sand and fly underneath the radar, but all you need is one angry patient with a computer and a Google bar, or, I don't want to say it too loud, you know, an insider with a bone to pick, or a competitor with a bone to pick, you know. And so where I have started with clients who are in that position is I have a whole litany of things I go through, and I'll usually say, you know what, let's just sit down and I'll take you through my list of things. We'll see what you have and what you don't. And how do you eat an elephant, right? Bit by bit. Exactly. I can't just tell them, here, here's this list, go with God.

CJ Wolf: 25:55
Exactly.

Debbie Cmielewski: 25:56
You know, that will never get done. Everyone will say... it will become, CJ, you know, the least desirable task. That's that thing on your desk. It could burn a hole in your desk and you never, ever, ever want to touch it. It's the last thing you want to do. Yeah. I have a friend who every single year will make her New Year's resolution: I'm going to do the least desirable task on my desk first. And that's what I tell them. You know, this is ugly, let's do it. And again, if you have five people on staff and you're subject to HIPAA, you've got to figure this out. You have to figure out who your compliance officer is. You've got to do a risk analysis. Right. You know, OCR and HHS now have a risk assessment, a risk analysis tool online. You can no longer say an outside risk analysis is going to cost me tens of thousands of dollars, so I'm not going to do it. Well, they developed one that makes it really easy. And it's very user-friendly. I've played with it myself. My clients who are small have used it, so they don't want to hear it. So you'll be okay. It's all okay for you to fly underneath the radar until it's not. And then you potentially get the two-page, single-spaced, 50-question letter from OCR asking you to produce or provide all these things in 30 days.

CJ Wolf: 27:23
Exactly. Yeah, such good points. Debbie, this has really been a great conversation. We're getting close to the end of our time, but I always like to give our guests an opportunity to share anything else that maybe I didn't ask, or if you have last-minute thoughts or guidance. Anything come to mind as we come close to the end here?

Debbie Cmielewski: 27:44
I think I would just say to everyone, you know, think about doing your checkup. You know, whether you're the least compliant or the most compliant, schedule a checkup. Get somebody from HR, somebody from IT, compliance, and somebody from senior leadership in a room. You know, all of these departments have to start working together. This is not gonna be fun for some people. It's fun for me. It's probably fun for the people who listen to you.

CJ Wolf: 28:10
Right.

Debbie Cmielewski: 28:11
And it's like herding cattle, you know. And you're gonna have some of you who want it, you know, the staff's gonna want to do it and some don't, but you have to; you don't have a choice. So, you know, then put regular meetings on the calendar and advance them. And, you know, people's attention spans are short.

CJ Wolf: 28:28
Right.

Debbie Cmielewski: 28:29
So don't put them in the room for three hours and expect them to do 10 policies, draft them together. Because somebody's phone will ring, somebody will have to go to the bathroom, somebody else will get hungry, and then it's over. You know, do it like this, in small bits, and just commit to getting it done and develop a timeline.

CJ Wolf: 28:47
Excellent. Debbie, great advice and great expertise. Again, thank you so much for being willing to take some time and share this with our listeners. Really appreciate it.

Debbie Cmielewski: 28:57
Thank you so much for having me. It's been great.

CJ Wolf: 28:59
Absolutely. And to our listeners, as always, at the end of our podcast, we love to remind you: if you know of an expert like Debbie, maybe in another topic, that you would love to have on and hear from, please let us know. Or if there are certain topics (you might not know the expert yet, but there might be a topic you want to hear about), we can go try to find somebody who's an expert on that topic. So until next time, everyone, take care and thanks for listening.

Debbie Cmielewski: 29:24
Take care.
