As ONC searches for a chief privacy officer, new priorities put the agency at a crossroads

hhs
HITECH requires HHS to appoint a chief privacy officer to ONC, but the position has remained empty since Deven McGraw's departure. (Sarah Stierch CC BY 4.0).

Nearly three months after losing its chief privacy officer, the Office of the National Coordinator for Health IT says it is actively looking for a replacement in order to comply with a legislative mandate that requires the federal agency to fill the leadership position. 

But ONC also finds itself at a crossroads, facing a potentially slimmer budget along with new privacy considerations that have evolved over the past decade, according to several privacy experts and former government officials who spoke with FierceHealthcare.

Some, like former chief privacy officer Deven McGraw, said the agency could replace the position with ongoing collaboration with OCR, while others said the agency would benefit from a "seasoned" leader who can navigate new data privacy concerns associated with mobile devices, precision medicine and consumer access.

Current officials said the agency is actively looking to fill the leadership role. Genevieve Morris, ONC's principal deputy national coordinator for health information technology, told FierceHealthcare the agency is "currently finding the right individual to fill the position," but declined to specify when the agency planned to make that appointment.

Some question "priorities of the office"

A provision buried in the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009, requires the HHS secretary to appoint a chief privacy officer “to advise the national coordinator on privacy, security and data stewardship of electronic health information and to coordinate with other federal agencies.”

McGraw, who left her post as deputy director of health information policy at the Department of Health and Human Services’ Office for Civil Rights in October, had been filling in as ONC’s chief privacy officer after Lucia Savage joined Omada Health at the beginning of 2017.

The position has remained vacant since McGraw's departure, leading some to question whether the agency is dragging its feet.

“I can only extrapolate that looking at the priorities of the office, filling the position is not a priority,” Jeff Smith, vice president of public policy at the American Medical Informatics Association, told FierceHealthcare. 

ONC officials are quick to downplay those concerns. 

“Dr. Rucker speaks often about the importance of privacy and security in health IT,” ONC spokesperson Peter Ashkenaz said in an email to FierceHealthcare. “ONC continues to ensure that privacy and security of health IT remains a key focus as we work to implement the provisions of the 21st Century Cures Act.”

RELATED: ONC plans to lean on OCR for privacy support, which could shift the dynamics of the agency

"We take security and patient privacy really, really seriously," Morris added. "None of this works if we don’t have security guaranteed to patients, so we need the right individual to do the job."

ONC pursues "more focused set of goals"

Although HITECH requires ONC to name a privacy officer, fostering a more a collaborative approach with OCR may be the optimal approach moving forward, said McGraw, who is now the chief regulatory officer at a medical records startup called Ciitizen.

During HITECH's development in 2008, McGraw served as the director of the Health Privacy Project at the Center for Democracy and Technology, where she advocated for creating a chief privacy officer position at ONC.

At the time, OCR was not actively engaged in releasing industry guidance, and many felt the position was necessary to confront confusion about existing privacy laws like HIPAA that would inhibit the transition to EHRs.

“There was very strong sense that privacy was an obstacle to EHR adoption,” she told FierceHealthcare.

RELATED: Former HHS privacy head Deven McGraw joins Silicon Valley medical record startup

Since then, OCR has been more proactive in helping the industry navigate complex privacy laws. At the same time, ONC’s priorities have evolved from facilitating EHR adoption and overseeing Meaningful Use to nurturing interoperability and usability.

Now, McGraw argues that the privacy role could be adequately fulfilled through ongoing coordination between the two agencies.

“I can understand why [ONC is] thinking through how to best use that privacy role going forward,” she said.

But HITECH still requires that someone hold the position. After President Donald Trump proposed cutting ONC's budget by $22 million last year, officials outlined plans to shut down the Office of the Chief Privacy Officer while maintaining “limited support” for the chief privacy officer position. Rucker later said the agency plans to work jointly with OCR to support privacy functions.

The ideal solution may be one that was in place before McGraw left: Appoint a representative from OCR, which allows HIPAA’s enforcement agency to weigh in on privacy issues as ONC grapples with interoperability, data exchange and EHR usability.

“It’s really easy to spin this as, ‘ONC doesn’t care about privacy,’” she said. “I think they are trying to think through how they fulfill a much more focused set of goals while assuring that any privacy questions that come up as part of that pursuit are appropriately addressed.”

New challenges demand a “seasoned” leader

Other former federal officials say there is a growing need for a designated privacy leader at ONC given the slew of new challenges facing the agency. Consumer-mediated data exchange and precision medicine initiatives are just two of the many ongoing efforts that require "ongoing attention" from a chief privacy officer, said former national coordinator Karen DeSalvo, M.D.

Lucia Savage
Former CPO Lucia Savage
“There is a small group of career staff who are likely to continue the work for a short time in the absence of a leader,” she said in an email to FierceHealthcare. “The policy work would benefit from a seasoned, experienced individual with deep expertise in health IT and privacy policy.”

Savage, who served as ONC’s chief privacy officer for more than two years, says regardless of the direction ONC decides to take the office, it needs to continue providing industry support to explain how HIPAA supports federal policies “to ensure innovation, digital health innovation, interoperable health information exchange and patient access to their own data electronically, without unreasonable information blocking.”

But not all entities that collect or exchange health information are regulated by HIPAA.

A growing number of new mobile apps, software applications, wearables and online health management tools that collect health data are not subject to HIPAA’s privacy rules. That was a primary concern highlighted in a 2016 report (PDF) to ONC that found privacy and security protections have not kept up with the “extraordinary pace” of technological innovation.

The "proliferation of sensitive health information being handled by non-covered entities" will be an ongoing challenge for the federal government, and ONC in particular, Smith said. 

“I think what you lose by not replacing the chief privacy officer is someone whose purview is not constrained by HIPAA,” he said.