Health-e Law Podcast Ep. 26, Part 1
AI Adoption in Healthcare: Managing Data Privacy, Vendor Relationships and Governance
Thank you for downloading this transcript.
Listen to the podcast episode released May 27, 2026.
Welcome to Health-e Law, Sheppard’s podcast exploring the fascinating health tech topics and trends of the day. In part one of this two-part episode, Cora Han, Chief Health Data Officer for University of California Health, joins partner and host Michael Orlando to discuss the adoption of Artificial Intelligence in healthcare, including the management of data privacy, vendor relationships, and AI governance.
About Cora Han
Cora Han is Chief Health Data Officer for University of California Health and Executive Director of the Center for Data-driven Insights and Innovation. She also serves as Co-Chair of the Health System and Provider Advisory Board for the Coalition for Health AI (CHAI).
Drawing on her extensive experience in AI strategy, regulatory advocacy, and data privacy, Cora leads efforts to establish consistent guardrails for the use of health data with AI vendors and third-party collaborators. Her work spans the full spectrum of health data challenges, from de-identification of clinical data to navigating HIPAA compliance and AI vendor relationships, making her a leading voice on responsible AI adoption in academic health systems.
Before joining UC Health, Cora spent over ten years at the Federal Trade Commission, most recently as Senior Attorney in the Division of Privacy and Identity Protection, where she focused on data privacy and consumer protection, including a term as Counsel to the Director of the Bureau of Consumer Protection. Prior to her tenure at the FTC, she practiced at a leading international law firm, where she counseled clients on copyright and trademark matters. Cora also served as an Adjunct Professor of Consumer Protection Law at George Mason University School of Law for five years.
Cora holds a BA in Government from Harvard University and a JD from the University of Chicago Law School.
About Michael Orlando
Michael Orlando is a partner in Sheppard’s San Diego (Del Mar) office. He is team leader of the firm’s Technology Transactions team, a member of the Life Sciences, Healthcare and Artificial Intelligence teams, and co-leader of the firm’s Digital Health & Innovation team. Michael has more than 20 years of experience advising health technology companies, insurers, healthcare systems and providers, academic medical centers and research institutions, medical device manufacturers, and pharmaceutical and wellness companies on intellectual property and business transactions in key strategic areas, including EHR systems procurement and integration, telehealth, mobile health applications, clinical decision support technologies, artificial intelligence, data use, wearable devices, remote patient monitoring, and other medical devices, research and collaborations, patent licenses, software licenses, joint ventures, mergers and acquisitions, revenue cycle management, and other outsourcing transactions.
Michael founded a software-as-a-service company before entering private practice and completed an in-house secondment at a publicly traded biotechnology company, an experience that informs his practical and business-focused approach to client engagements.
Transcript
Michael Orlando:
From hospital boardrooms to startup war rooms, this is Health-e Law. Powered by Sheppard’s digital health and innovation team, we bring you quick and candid conversations with industry leaders, bringing sharp analysis and critical insights into what’s next.
This is the first of a two-part episode with Cora Han, Chief Health Data Officer for University of California Health. In this episode, we will discuss AI and protected health data, contracting with AI vendors and AI governance.
Welcome to Health-e Law. I’m Mike Orlando, a partner at Sheppard, and your host of the episode today.
Drawing on her deep expertise in AI strategy, regulatory advocacy and data privacy, Cora leads efforts to establish consistent guardrails for the use of health data with AI vendors and third-party collaborators. Her work spans the full spectrum of health data challenges, from de-identification of clinical data to navigating HIPAA compliance and AI vendor relationships, making her a leading voice on responsible AI adoption in academic health systems.
Welcome to the podcast, Cora.
Cora Han:
Thank you, I’m delighted to be here.
Michael Orlando:
I think I want to talk about some of the AI tools you’re working with and ask a question about the data use and de-identification issues around that.
Obviously, there are challenges of sharing the protected health information with AI vendors, particularly when it comes to structured data, like clinical notes, was one of the things you mentioned. What does de-identification actually look like in practice?
Cora Han:
It is, I would say, context-specific. So, when I am thinking about de-identification, I am thinking to myself, what we want is for the strength of the de-identification to really be commensurate to the risk, understanding that we are always, always going to meet the HIPAA standard.
So, we are always going to satisfy either the HIPAA stripping method or the expert de-identification method.
And I think you are right on when you say that unstructured data presents challenges that structured data—so data that are the ones that are in the set tables, you know, demographics, medical codes, lab codes, those kinds of things—those are structured data, and unstructured data, which are, for example, in the clinician notes, present additional challenges. And so, because of that, I think they warrant, in many cases, extra attention and methods that may be more rigorous or differently applied than just the stripping methods.
So, and I’ll give an example of why. So, there may be in clinician notes, and this is what makes clinician notes so useful, additional observations about the patient. So, for example, the patient is a 38-year-old teacher in Contra Costa County who engages in these kinds of hobbies, and those pieces of information which add much-needed nuance also, I think, present additional risks of re-identification, which is really the concern that we’re thinking about when we’re thinking about de-identification.
And it can be harder to strip those out, because they are… they can be buried in different parts of those unstructured notes.
And that is really what the challenge is. And while we’re not, I think, the goal is not to get to zero risk, the goal is to get to the level of risk of re-identification that is appropriate to really what you’re doing with the data.
It can be challenging with unstructured notes, and so we pay extra attention with those, and I think that we, and I’m sure we’re not alone in doing this, really kind of take what I would call a layered approach. So…
We’ll start with… you could start with an automated tool, for example, that can strip those identifiers out of the notes. But then you need to verify and validate.
Some of that could be done with additional automated tools, because they have those as well. And then, where appropriate and where needed, I think you need to insert a human in the loop to be able to do checking.
Then I would say, when you’ve reached that level of satisfaction, have a third party certify that that de-identification was done appropriately and under the expert determination method.
And then it is not a static situation, so… and this is, I think, common for us, that you will start off with a particular set of use cases for your de-identified data, and then as time goes on, those use cases might evolve, or there might be additional use cases that you are considering.
And when that happens, and usually there’s recognition of this in the de-identification process, then at the right, appropriate cadence, there should be a re-evaluation of your de-identification.
Michael Orlando:
I want to talk a little bit about how you effectively put in guardrails when you’re dealing with AI vendors from a contractual standpoint.
So, kind of what contract provisions or vendor protections would be found the most effective when you’re trying to protect PHI, when you’re dealing with an AI vendor for the health system.
Cora Han:
Strong contracts, to be sure, are critical parts of governance. In some ways, they’re where the rubber really hits the road. So, here are, I’d say, a few of the key… focusing on the data terms that we think about.
I think first, clear limits on data use. And so this could be downstream data use, putting limitations on downstream sharing, selling, utilizing of data.
But it also includes, and particularly something that has come to the forefront with AI, the utilization of health data to train models.
Sometimes we come across this, and it’s very obvious, because we want to buy an AI tool so we can deploy it.
But sometimes, it’s not that situation. So, for example, there are situations where there might be a vendor who desires to contract with us for a particular kind of tool, which is not an AI tool, but then because they have access to our data, they would like to utilize that for training a model that we might not get use out of. And so being able to notice those and put appropriate stringent limitations is important.
Another thing that I think we are sometimes seeing is that AI is becoming part of contracts and tools where it wasn’t there before.
Everyone wants to now create an AI tool in some sense or another. So, existing contracts where there’s a desire to add aspects of it that now involve AI is something else where we want to have those appropriate provisions in place.
De-identification, which I know we talked about, is another big area of having contract provisions that we look at. So, what is the standard for de-identification? Making sure that’s clearly delineated. Who is going to do the de-identification? And appropriate provisions based on context and level of risk for how we want to have insight and visibility into the how and the rigor, for example, of those de-identification processes. So all of those things. Data retention and deletion requirements. This is nothing new and always something that we think about. Security and audit rights are the other, I’d say, big ones.
So, those are the kinds of provisions. And I will say one of the things that is challenging with vendor contracting is that the marketplace is evolving so quickly. So, to take ambient scribes, just for example.
There’s not just two ambient scribes, but there are a number of ambient scribes, and then last year, Epic announced it was going to develop its own ambient scribe and make it available within the EHR.
And so, that is an interesting marketplace development, and I think it’s unclear, in this and many areas, who the marketplace leader might be and who might be the best vendor for your particular healthcare delivery system.
And so, one of the things I have noticed our contracting arms are doing, to stay nimble together with the business leaders, is to recognize that very long-term enterprise contracts might not be the most appropriate in all circumstances, that it may be better to have shorter-term contracts to enable that kind of nimbleness.
Michael Orlando:
So, one thing I wanted to talk about, which is a little different for UC than for other systems, is the federated governance structure you have. So, your health system operates on this federated model where you have individual locations that have autonomy, but operate within this larger system-wide guardrail.
I wanted to ask about how does that structure play out in practice for data governance and AI governance and the things you’ve been talking about, and what are the tensions that that model creates, particularly when you have sites that want to move faster than the system-wide framework allows for?
Cora Han:
So, I would say a federated model for us is definitely… it’s both a strength and it’s a challenge, because you’re absolutely right, the individual locations have a great deal of autonomy, and the need for them really to be responsive to their local needs.
At the same time, we operate within a larger system. So, what that really looks like in practice is that together, across the system, we set shared principles, and we’ve done this for both health data governance and also health AI governance. And those are principles including responsible stewardship, transparency, alignment with the academic mission, as well as recommendations for how to operationalize that.
And we do that with system-wide task forces that have representation from really across the system, as well as many different types of stakeholders. So we’re able to develop those together.
And then, when those are operationalized, it is explicitly written into, for example, a task force report that I led, that recognizes the need for flexibility and local autonomy in implementation. So, certainly, there is tension that comes up when the sites want to move faster than what the framework allows.
And I think things that help with that are escalation protocols and clear routes for decision making. And even with that, there is disagreement, and these are very complex issues, so it can feel, and it often is, very challenging to work through them.
But I joke that governance is not something to be checked off on a list or accomplished so much as it is really an ongoing chance to work together, but something that we really all want to participate in together.
And when the process does that, even though people are not always in agreement, I think that is a success.
Michael Orlando:
True. Good way to look… good way to look at it.
I also want to talk about how your health system thinks about the distinction between unsanctioned AI use and properly contracted AI tools.
We just talked a little bit about AI governance, and I know this is something that AI governance deals with, these unsanctioned uses: what’s a proper use, what tools are approved, what tools are not approved. How do you communicate that line clearly across a large, decentralized institution like UC?
Cora Han:
This is a challenge, I think, for us and probably across many industries, that those generative AI tools are widely accessible and easy to use, and so I think that does create a risk of shadow use.
My own view is that safe experimentation is really critical to knowing how to effectively utilize these tools. And because they are so new and the use cases really so varied, the goal is to really create a safe space for that experimentation to occur, because that is how people will grow the skills that they need to utilize them. And definitely all of these use cases are not going to come from the top down, because there is not a set way to actually utilize them appropriately.
So, what that means is, I think that the enterprise contracts are really important to get in place.
And I think the first goal is to work hard to get them in place, and then the second goal is to communicate that they are available across the organization.
And so that includes policy, but that’s not enough by itself. We also need education, guidance and a focus on the tools that may meet particular workforce needs.
Michael Orlando:
So, for attorneys and compliance professionals that are listening, what is the one thing you wish more health system legal teams understood about AI and data governance, and what should they be doing right now to better protect their organizations?
Cora Han:
I would guess that this is not so much something that I wish they understood, because I think that they understand it, but my one piece of advice would be to insert yourself early into the process, so that you’re not reacting to a contract gone awry, or an idea that has so much stakeholder buy-in that it’s impossible to make any adjustments to it.
But instead, be there at the start when people are talking about: What are the problems we’re trying to solve? How were we doing it before? What sorts of data policies did we have in place then? Because a lot of that is still very relevant to what AI would require as well.
Michael Orlando:
That’s a wrap on this episode of Health-e Law, powered by Sheppard’s Digital Health and Innovation team, where health innovation meets legal expertise. Until next time, stay healthy and stay informed.
* * *
This podcast is for informational and educational purposes only. It is not to be construed as legal advice specific to your circumstances. If you need help with any legal matter, be sure to consult with an attorney regarding your specific needs.
