ONC plans to lean on OCR for privacy support, which could shift the dynamics of the agency

Facing a $22 million budget cut in 2018, the Office of the National Coordinator for Health IT (ONC) is planning to defund the office that oversees privacy and instead tap a federal enforcement agency as its primary resource for privacy and security issues.

During a media briefing on Tuesday, ONC National Coordinator Don Rucker, M.D., acknowledged that privacy and security are “at the heart of interoperability,” which senior administrators highlighted as a key focal point for the agency in the coming years.

RELATED: ONC prepares for its biggest challenge yet: EHR interoperability and usability

But the agency is also dealing with a 37% budget cut in 2018. In a Congressional Justification report released in May, Rucker indicated that the ONC would close out the Office of the Chief Privacy Officer while maintaining “limited support” for the Chief Privacy Officer position, which is mandated by the HITECH Act.  

Instead, Rucker told reporters on Tuesday that the ONC will be working jointly with Office for Civil Rights to provide support for privacy functions. A primary focus will be helping providers get a better grasp on HIPAA regulations.

“Patients have a right to their electronic record under HIPAA,” he said. “As we speak today, that’s not fully understood.”

RELATED: Under Trump’s budget, ONC would eliminate health IT adoption programs, shift priorities

Currently, Deven McGraw, who serves as the deputy director for health information privacy at OCR, is also filling the role as ONC’s acting chief privacy officer. Although the HITECH Act requires the HHS secretary to appoint a chief privacy officer, it also permits the national coordinator to request personnel from another HHS agency for assistance.

However, that approach could change the dynamics within the agency since the ONC’s chief privacy resource also functions as the agency tasked with conducting audits and investigations surrounding data breaches. It also eliminates a dedicated resource to address privacy and security as ONC builds health IT policy. Because OCR is primarily an enforcement agency, there are fewer resources devoted to policymaking.

“To me, it’s about are we bringing the right resources to the problems that we need to address to improve the rate of information exchange?” said Lucia Savage, the chief privacy and regulatory officer at Omada Health, who served as the ONC’s chief privacy officer from 2014 to until January. During her tenure, Savage oversaw a staff of 13 devoted entirely to providing privacy and security policy support.  

RELATED: HHS is considering changes to OCR’s 'wall of shame'—and experts are divided on the impact

And, while OCR is acutely focused on HIPAA regulations, the agency devotes less time to the thousands of state privacy laws that could impact health IT policy.

Integrating an enforcement agency into health IT policy decisions may create additional complications. OCR’s primary function is to investigate data breaches, whereas ONC’s privacy office provided an opportunity to discuss privacy and security challenges with the provider community without a regulator in the room.

“It was more about creating a space where people who need to get stuff off their chest can do so,” Savage said.

On a broader level, eliminating a dedicated staff of privacy professionals could impact the agency’s ability to maintain outreach efforts. In the past, ONC’s chief privacy officer has made appearances at various national conferences as a resource for providers. As the agency shifts gears to tackle complex issues like information blocking and governance, it will have to do so without a dedicated privacy office.

“The biggest risk is undermining the perception that they can really help explain this stuff to people,” Savage said.