Bass, Berry & Sims attorney Roy Wyman was interviewed on the Speaking of Health Law podcast, produced by the American Health Law Association (AHLA), outlining how healthcare organizations can overcome emerging data privacy challenges and practical steps leaders can take to strengthen compliance programs as we prepare for 2026 and beyond.
In response to a question about foundational elements of a compliance program, Roy answered, “There absolutely are standards and guidelines for how a compliance program should be set up … One that I go to a lot on kind of the bigger process…is the sentencing guidelines. …These sentencing guidelines lay out some things that entities really need to think about and make sure are in place in setting up a compliance program.” Roy added that the “one that gets underrated but is critical to me is having a sanctions policy. If you break our rules, if you break our policies, there are real ramifications. And we don’t care what level of employee you are, we’re going to apply those across the board. If you don’t have that, you really don’t have an effective compliance program.”
But Roy noted that the most important aspect of a compliance program is the frequent assessment of risks and of what is being done to mitigate them. He said undertaking this process annually “creates a cadence and a culture” of compliance.
When asked about data inventory versus data mapping, Roy explained the differences by saying, “[A] data inventory is going to list out the data that you’ve got and maybe where it is. Whereas a data map is really following each of those so that we understand, for example, the use cases involved. So, it’s one thing to know that this data is on server X. It’s another to know how you collected that and whether you can then go back in. And if I’ve just got an inventory, I don’t necessarily know what contract and what contract provisions I need to have around that data. But a full data map is going to let you put your arms around not only where the data is, but who can access it, to whom it’s disclosed. And then you can track your compliance. So it’s not just inventory, but it’s also systems and the broader picture.” Adding to the compliance aspect, Roy provided a list of questions that a data map helps an organization answer about the categories of data it collects. For example, “What are all of our use cases for each category of data? Where is each category of data stored? Where is it used? How do we manage it? And then with whom do we disclose it?”
The podcast conversation also included questions about the use of data for artificial intelligence (AI). Roy stated, “I would say for entities looking at these kinds of systems, just assume that if there isn’t a regulation on it now, there will be shortly, and start building in those processes so that at the individual level, they understand what’s appropriate use of this from the marketing department, from other departments, as well as just individual users, so that we don’t get overly reliant on it.”
The full episode, “Building and Sustaining an Effective Compliance Program in Today’s Health Care Environment,” was released by AHLA on October 31 as part of its Speaking of Health Law podcast series and is available online or wherever you get your podcast content.