Mark Swearingen: Protecting Patient Data in a Digital World

On a recent episode of How Health Systems Work, hosts Jim Burke and Steve Pratt sat down with Mark Swearingen — a longtime privacy and security attorney at Hall Render and, fun fact, a talented rock-and-roll-turned-jazz-fusion drummer. Between stories of open-mic nights and drum solos, Mark unpacked two decades of change in healthcare privacy, cybersecurity, and the fast-approaching future of data and AI.

Mark explained that while securing data sounds simple in theory, the reality is filled with challenges. Human error continues to be one of the biggest threats — phishing emails, simple mistakes, or a missed software update can open the door to attackers. Healthcare organizations are especially attractive targets because their data is uniquely valuable, combining personal, financial, and medical information. And cyberattacks aren’t just about stolen data; ransomware events can shut down access to patient records, creating risk to patient care itself.

Many people assume the “I” in HIPAA stands for “information,” but Mark reminded us that HIPAA stands for the Health Insurance Portability and Accountability Act. The law was born out of the shift toward electronic insurance transactions and the need to secure the sensitive data being exchanged.

The discussion also highlights how Memorial tackled two of rural healthcare’s biggest challenges: obstetrics and behavioral health. After closing its labor and delivery unit, Bair ensured continuity of care through partnerships with regional hospitals. Meanwhile, her team expanded behavioral health access through mobile units serving local schools — cutting no-show rates dramatically. By combining community support, flexible leadership, and smart operational models, Bair demonstrates how purpose and innovation can sustain rural health systems and inspire a new generation of healthcare leaders.

The conversation also touched on what happens when things go wrong. Mark discussed how the Office for Civil Rights (OCR), which enforces HIPAA, investigates incidents and determines penalties. Fines can range from a few thousand dollars for small providers to multimillion-dollar settlements for large breaches. But Mark emphasized that OCR often focuses more on whether organizations had reasonable policies and safeguards in place before the incident, rather than simply punishing every breach.

Looking ahead, Mark sees a new frontier: the explosive growth of AI and the increasing value of healthcare data. Health systems want to innovate, monetize de-identified data, and develop new tools, but many struggle with basic data governance — they don’t fully know what data they have or where it lives. He predicted growing pressure for stronger, more unified privacy laws, especially as the U.S. lags behind global frameworks like GDPR. As healthcare accelerates into an AI-driven future, organizations will need clearer rules, better data management, and more robust safeguards to keep pace.

Chapters

00:00 Introduction to Healthcare Privacy and Security

01:03 The Evolution of HIPAA and Its Impact

04:20 Challenges in Securing Healthcare Data

06:42 Consequences of Data Breaches in Healthcare

08:29 The Rise of Class Action Lawsuits

08:45 Enforcement and Penalties by OCR

12:24 The Value of Data and Emerging Trends

16:10 The Future of Healthcare Operations

20:10 Navigating Third-Party Risks in Healthcare

26:38 Balancing Patient Access and Provider Communication

26:43 Essential Advice for New Healthcare CEOs
