Flourish Sound Bytes: Attorney Insights on Navigating Privacy with Helen Oscislawski
Episode 4 • 22nd January 2026 • Flourish with Sarah Richardson • This Week Health

Shownotes

January 22, 2026: Healthcare privacy laws just got flipped on their head, and most leaders don't realize it. Privacy Law Attorney Helen Oscislawski, Founder and Managing Partner at Attorneys at Oscislawski, reveals how information blocking rules fundamentally changed the game. But here's the twist: this shift is creating massive unintentional risks. Helen shares why even she had to escalate to legal when trying to access her own mother's medical records as a proxy, exposing the gap between policy and practice. From consumer apps that aren't actually HIPAA-compliant to de-identification mistakes that could trigger lawsuits, this conversation uncovers the privacy paradox every healthcare leader needs to understand right now.

Golf Tournament Registration: https://carahevents.carahsoft.com/Event/Details/686801-ThisWeekHealth

Key Points:

  • 01:26 The Privacy Paradox in Healthcare
  • 06:34 Challenges in Data Governance
  • 12:03 Consumer Apps and Data Privacy
  • 19:07 AI in Healthcare: Risks and Opportunities

X: This Week Health

LinkedIn: This Week Health

Donate: Alex’s Lemonade Stand: Foundation for Childhood Cancer

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Sarah Richardson: I'm Sarah Richardson, a principal here at This Week Health, where our mission is healthcare transformation, powered by community. This is Flourish Sound Bytes, unfiltered conversations with healthcare leaders. Let's get real.

Welcome back to Flourish Sound Bytes. I'm your host, Sarah Richardson, and today we're talking about a topic that sits at the heart of every transformation story in healthcare: trust. As innovation accelerates, interoperability, digital identity, AI, and the laws governing patient privacy are being tested like never before, and few people understand that evolution better than today's guest, Helen Oscislawski. Helen is a nationally recognized healthcare attorney and founder of Attorneys at Oscislawski LLC. For more than two decades, she has guided health systems, payers, innovators, and policy makers through HIPAA, HITECH, information blocking, and the ever-expanding space of digital data rights.

patient rights, challenging

Helen Oscislawski: Thank you for having me.

Sarah Richardson: Yeah. I am so happy to have you because your panel at Bluebird during Soar was incredible and how many things that people did not know that I feel like everybody should know, so I was like, Hey, come on the show and let's chat about this. You have literally spent your career helping organizations advance interoperability while still protecting patient data.

What's the privacy paradox that leaders are facing right now?

t they're also expecting the

And so it becomes a huge challenge, to be honest.

Sarah Richardson: Well, and you mentioned that regulation often lags technology. Where do you see the biggest gaps today?

Helen Oscislawski: I think the point is that many of the privacy regulations and confidentiality regulations that have defined confidentiality over the years have been on the books for decades.

evel for the first time since:

To move, as I had mentioned in my previous comment, that we're expecting instant liquidity of data. And so it's just really important that those laws are either updated, or we really need to look at privacy by design, making sure that we're building systems to honor the privacy as we're allowing the information to move quickly.

It needs to have guardrails in place. That requires the technology, but it also requires the legal framework and the governance structures for doing that. This way, if we design privacy, or as we refer to it, privacy by design, and the interoperability is by design, then the trust factor becomes the engine of how the information moves rather than being perceived as a barrier or an afterthought.

Sarah Richardson: And you've been on the front lines of HIPAA since the early days, then through HITECH and now information blocking rules. When you look across 20 years of evolution, what stands out to you as the biggest shift?

e from a historical position

You may have had the experience, I've had the experience, where we've gone to the doctor's office and we wanted a copy of our own paper record, and they would make us sign paper forms consenting to them releasing the information to ourselves. And so the point is that in the healthcare sector, this is the way that people thought about data privacy. It is important to keep healthcare data private and confidential, but we now are seeing the laws change, and I think one of the biggest seismic shifts in the healthcare industry right now is the information blocking rule. That was legislation that I like to refer to as having turned HIPAA and privacy on its head, because rather than protecting and preventing information from flowing, it says you must share electronic health information.

sis upon which you cannot do

That's not the case, but it has forced organizations to look at their governance structures, and you can no longer just simply rely and fall back on a baseline or a default of, well, I'm just not gonna give it to them because it could be a disadvantage to my organization. That no longer flies under the information blocking framework.

You can no longer claim things like inconvenience or just generalized risk concerns. You have to have those things pinned to an actual legal restriction for not allowing the information to go. So on the one hand, I think that's sort of good, right? Because patients should have access to the information.

ave access when it's legally

And so I think many of us are gonna be watching to see how that all pans out, because it's gonna push everybody who hasn't been paying as close attention to IBB to pay attention to these rules even more. It's a seismic shift in the healthcare industry.

Sarah Richardson: How has that lended itself to leaders, maybe unintentionally then creating risk simply because the regulations are so nuanced and change in ways that are maybe hard for organizations to keep up with?

Helen Oscislawski: Many organizations have looked at this as technology problems, whatever.

tions can go both ways. They

So I think one of the risk factors is that organizations and the individuals who are responsible for these frameworks and how their information is released may rely on general understandings of things. And when you rely on a general understanding of a concept, it's more risky to get it wrong or to begin structuring frameworks that just don't match what you're supposed to be doing. So I think it was Steve Jobs that said something like, simple can be harder than complex. You have to work really hard to get your thinking really clean and simple. But once you do, you can move mountains, or something.

to a screeching halt because

Many people look at that term and are like, oh, we can send that information because it's anonymous, it doesn't have the patient's name. But that's not technically true. Anonymized information that doesn't have the patient's name is not legally de-identified. You actually have to understand how to create a legally de-identified data set before you can actually release that without any potential legal consequences, without a consent in many instances. And so that's a great example to illustrate how somebody who's looking at these issues may apply an oversimplified understanding of something, and then allow for a governance or release-of-information structure that doesn't match what actually applies.

things are accurately being

Sarah Richardson: And you shared with me a real life example of being a proxy for your mom.

Mm-hmm. And even as an expert, you had to escalate the situation to get the information that was needed. What did that experience teach you, and what does it need to teach us about the gap between policy and practice?

Helen Oscislawski: Yeah. Absolutely. We won't name names of who the organization was, but it was a very frustrating experience as you know, and it's okay for me to share.

I'm in the throes of taking care of my elderly parents, and my mom had a hospitalization scenario, and as you mentioned, I was a legal proxy for my mother. I had a very confident law firm that I worked at draft those documents. I had input on it and all, and suffice it to say that I had 100% certainty that the language contained in those documents allowed me to essentially stand in the shoes of my mother during her debilitated state.

And the

They were telling me I had to get her to, I had to ask my debilitated, essentially comatose (not comatose, but she was struggling with pain) to have to sign forms beforehand. And I knew that wasn't the case, and I had to escalate it all the way to the legal department, which eventually agreed with me.

But, you know, to answer your question directly, you asked what did it teach me? It taught me that organizations internally have a lot more work to do to implement the actual, accurate guardrails and rules, I should say, to operationalize things the correct way, where, when a

ct legal credentials is able

So I think organizations have a lot of work to do. They look at the complexity and then simplify. And then once you've gotten the right answer for the use case, if you will, then you have to operationalize it: how do you pull this through to your organization so every single workflow and every single individual and touch point is getting the answer correctly and relaying that? And so you have optimal interaction and optimal operationalizing of that use case and that situation in accordance with the law and what needs to be done. So,

Sarah Richardson: Yeah, not everybody has either the understanding or the ability to escalate all the way to the legal team just to get what they need for their family.

I mean, that

Helen Oscislawski: right,

hich to a degree has brought

That's rarely true.

Helen Oscislawski: Yeah, it is. So many individuals and patients still don't realize that once your record leaves the custodian healthcare provider and goes into any third party that you're controlling, those consumer applications are not regulated by that federal privacy law that we refer to as HIPAA.

to them fall outside of that

All, I think we're getting to like 45 states or something, maybe 40, 45, that have their own consumer data privacy laws. And the FTC gets into this space. And the bottom line is, if you are using any kind of consumer app to transmit your medical record into that application, or even generating your own health information into a wearable device or any kind of consumer app, you need to read the terms and conditions.

That's really what controls, and if those terms and conditions say we can use your data, we can learn things about you with your data that we're gonna use for our own internal commercial purposes, we're gonna sell your data, these are all red flags for that kind of product that may

onsumer really needs to look

Sarah Richardson: Yeah, I mean, most consumer apps, we're talking wellness trackers, fertility apps, mental health tools, medication reminders, genetic kits, a whole nother ballgame.

None of them are covered by HIPAA, and there's no single federal law that protects health data once it leaves that ecosystem. So if you've got all of these things that are known, and then without a BAA the app has zero obligation for HIPAA, what should CIOs and CISOs, and even an everyday consumer, be thinking about when choosing or recommending a health app?

Helen Oscislawski: Absolutely. So I did wanna add one point: just last week, the Cassidy bill was proposed in Congress. So they are attempting to apply HIPAA and HIPAA's protection standards to these apps and these consumers. But that's just been introduced, just for your audience out there.

Keep an eyeball on that

The first bucket is if your organization is looking to partner with a company that is going to provide this as a feature or some sort of positive product that your patients now can use as a convenient, portable way of downloading their information and maybe having it portable to other places or other providers, and that's something your organization is directly holding out as a

ection of that kind of app.

They wanna partner. Again, it goes back to things like terms and conditions and so forth. But it also will go back to now requiring that app vendor to contractually align with HIPAA standards. And you do need to take some points there and make sure, because there are many apps out there saying, oh, we're HIPAA compliant, but they actually have no idea what they're talking about.

So you definitely wanna do some due diligence there, and CIOs are generally pretty good about vetting those things. In the second bucket, though, when you ask the question about CIOs and vetting apps, you have to be a little bit more careful, because if the patient's coming to your organization with an app of their choice, and that patient is exercising his or her right to access under HIPAA and under information blocking and saying, I have a right

ere. Is very little that the

Tied to certain certification criteria, and that is gonna require almost an instantaneous FHIR-based API access that can connect to any app. And at that point it becomes a challenge, because you really legally cannot say no if that's what the patient wants, where they want their data to go. So, does the organization have a legal duty to inform patients how to make the decision about good apps versus predatory apps or whatever?

ssarily have a legal duty to

Things like sale of data, or scrubbing or scanning the data for things that reveal things about you and then selling that, say, for example, to health insurance companies, which is very concerning. So definitely I think organizations, while they can't prohibit an app interface connection that is of patient choice, I think that there's room, an opportunity there, and organizations as stakeholders have a place

worthy app versus one that's

Sarah Richardson: Giving people an opportunity to make an informed decision, which you would expect to a degree from your healthcare provider.

And now with AI accelerating faster than regulation, interoperability is expanding, identities are becoming fully digital. From your vantage point, what worries you the most, but also what gives you hope?

Helen Oscislawski: I mean, AI, as we all know, we're sort of drinking from a fire hose here, as the saying goes, right? It's just coming fast.

telling me it's doing for my

What the data, you know, how are they processing the data? Where are they processing the data? Are they reselling that learned intellectual property to organizations like insurance plans or pharma or whatever? And I'm not meaning to pick on insurance plans and pharma, because there's a lot of good information that can be shared, should be shared, with insurance companies and pharmaceutical companies and whatnot for research and whatever.

But the point is, again, understanding the complexity of what the AI does and then making those decisions. Back to your point about informed decisions, the understanding underpins all of that. And I do have hope, because there are some amazing things; you've probably seen it too.

The efficiencies that are being gained in healthcare, even accuracy in terms of quality of data, potential for improving the delivery, improving early detection. There are so many opportunities, and I do think there's a lot of good people looking at the issues and trying to reel it in.

rstanding what's in front of

Sarah Richardson: For sure, the slow and steady, like this told us, the informed decision, the different aspects of being able to actually thoughtfully determine how you wanna utilize the technologies, even if you don't understand how all of them work, to understand what that could mean for you as a patient, right, and a consumer. So before we wrap, I wanna have a little fun with a quick speed round. Are you ready?

Helen Oscislawski: Okay.

Sarah Richardson: If you were not a healthcare attorney, what completely unexpected career would you have chosen instead?

Helen Oscislawski: I think probably a clinical psychologist, because all the people who are in the interoperability space need therapy. So I'd just be on the other side of the couch, I guess, in that sense. I actually intended to become a clinical psychologist and ended up in law school somehow.

So that's part of my answer there.

nd different things that are

Helen Oscislawski: Well, I would say the federal websites are not bad. The Assistant Secretary for Technology Policy, ASTP, has a great website regarding information blocking. The Department of Health and Human Services, you can go onto their website for HIPAA, and there's quite a bit of information, both for providers and for patients, explaining HIPAA, explaining all the elements of it. That's actually quite good as well. Another really great resource is the Sequoia Project. They have numerous resources now, specifically aimed at interoperability.

have to plug my blog legal,

Sarah Richardson: Which is always something to look after, because you're constantly staying up to date. So follow her blog when you get a chance. Helen, your insights remind us that innovation does not move healthcare forward unless trust comes with it, and privacy is not a brake on progress. It's a foundation that allows us to build boldly and responsibly.

Thank you for bringing clarity to such a complex and increasingly urgent part of healthcare.

Helen Oscislawski: It was my pleasure.

Sarah Richardson: And for our listeners, if today's episode sparked questions about digital privacy, consumer data rights, or interoperability, share this conversation with a colleague. These are discussions every organization should be having right now.

Until then, keep flourishing.

That's Flourish Sound Bytes. Find your community at thisweekhealth.com/subscribe. Every healthcare leader needs a community to learn from and lean on. Share the wisdom.

That's all for now.
