Clearing the HIPAA Cobwebs: New ONC Chief Privacy Officer Lucia Savage Focuses on Balancing Privacy and Security with Expanding Interoperable EHR Exchange

While privacy rules like HITECH-HIPAA may need to be modified in order to keep up with emerging health IT and treatment technology, Savage says the key to better interoperability isn’t necessarily in changing federal privacy regulations but by achieving interoperability through a clearer use of the current rules. “We are going to go back to basics a little bit and talk about how to get interoperability in the rules environment that we actually have,” she says. “And part of that is permitted uses. We’ve had for 17 years the ability of physicians and payers to share information about their patient/members in common; that PHI at its core can be exchanged for appropriate treatment, payment, and healthcare operations purposes.”

The Journal of AHIMA spoke with Savage about her upcoming priorities at ONC, how HIPAA is still being used as a scapegoat to deny release of health information, and what she feels is the biggest threat to protecting patient privacy in healthcare today.

JAHIMA: As you start down the Interoperability Roadmap, and as information becomes easier to exchange, how do you feel the privacy and security regulations should be modified? How do you walk the line between fostering exchange with health IT and maintaining patient privacy?

Savage: I think that for everyday healthcare we have pretty good background rules right now that we can get a lot accomplished with, and in fact we can get a lot more accomplished than we have. What we do know, however, is that with the advent of all this amazing computing power we couldn’t possibly have imagined 17 years ago [when HIPAA was implemented], and some people imagined when HITECH was passed, but most people were unfamiliar with mobile health, APIs, the smartphone. Most of us ordinary people did not imagine that [this change] would be coming. I think we have an opportunity to make sure that we are keeping abreast with technology as it is developing.

So for treatment, payment, and operations for health, we have pretty good background privacy rules. As we move into spaces like precision medicine, and part of that might be repeated long-term use of particular DNA samples, we need to have rules that accommodate our needs for science and knowledge in that space. And the rules we have now come from a time when it wasn’t all done through computers and people didn’t make choices with radio buttons on their tablets and computers. So we definitely have an opportunity to structure understanding to meet the growing technology needs. And in particular what we need to do is look ahead so that we are always keeping pace and we don’t fall behind where technology is taking us.

JAHIMA: Do you feel HIPAA-HITECH goes far enough right now to protect patient privacy, or are there gaps that could be tightened, either currently or as future technologies develop?

Savage: I think our problem isn’t really with the nationwide rules that were established in the original HIPAA enactment and the HITECH amendments. I think HITECH did some great housekeeping by clarifying, for example, the role of health information exchanges as business associates or adding protections about marketing rules that had become really onerous and burdensome for consumers as the Internet advanced. But I think we have some work to do with regards to being able to take advantage of computer technology while fostering the special protections that states have enacted.

JAHIMA: What needs to change at the state and federal level to foster more health information exchange?

Savage: We have a situation where HIPAA is really a floor, it is the basic rule and states are not only allowed to, but do, enact laws that are more privacy-protected than HIPAA. And those enactments come because of real experiences real people have had where bad things have happened to them. For example, because their personal information, health or not, has been used in a way they didn’t anticipate. One older example is at one time children [were] being sent home from school because their parents were HIV positive. So we have enacted these rules to protect people’s privacy in these special circumstances after very robust public debate in state legislature.

The problem we have is while those rules are philosophically aiming at the same things, the words used on the page vary so much that we can’t efficiently use machine learning because we are worried that if we program it to meet the rule of state A, we won’t quite meet the philosophically similar but content-different rule of state B.

And so I think we have some work to do to harmonize how we deploy these special protections [at the state level]. I’m in no way saying they should be removed. I’m saying let’s harmonize them so that we can take advantage of computerized abilities to capture, consent, tag data with consent, persist that choice through the data. And if you think about something like telemedicine, where the intent is to have a provider in one state and a patient in another state, you have got to figure out a way to have the patients’ expectations and the providers’ understanding match across the state line.

JAHIMA: As EHRs developed, a lot of interoperability issues came with the technology. But there was once a time when privacy was one of the big issues hindering interoperability.

Savage: That is right, and ONC has done some task support on that, even the HISPC work before HITECH that really documents the nature of the problem and even documents potential solutions. And I’m really hoping to go back to that as a discussion point.

I think now that we have had such a great run of getting physicians to adopt electronic health record systems and we are moving toward how do we make those systems exchange data for healthcare, it gives us a new chance to look at this in light of what now science is telling us about how effective coordinated care can be, and what we can do on the social determinants of health to improve health in communities, keep people out of the emergency room that don’t belong there, etc.

There is a really important part of this that we can’t lose sight of. A key part of this privacy formula is the patient or person whose data are collected needs to understand what is happening to it. If we have harmonized laws, it is easier to explain privacy rights to a person. And we have a situation where we have many different languages and different levels of literacy in America. The easier it is to explain the easier it is to get that word out in our diverse population.

JAHIMA: It would definitely simplify things from a health information release standpoint. But whose job is that? It is a big job to harmonize all the various state privacy laws, and harmonize them in a way that at least information exchange can happen. Are you seeing this as ONC’s role?

I think ONC’s job here, and my job in particular, is to be a subject matter expert and a resource. So it is really that sort of expert/coordinator capacity. At the end of the day public policy choices made by states really have to be made by the states. So, you know, states have a wide variety of health situations, they have a wide variety of political environments, they have a wide variety of budget situations, they have priorities that may be different than this priority. And what we can bring to the conversation is ‘Here are our expert observations, here are some resources we can make available. Do you want to try and tackle this, if so how can we help you tackle it?’

We have done a lot of research to identify the issue, and it is definitely something that as a matter of health and safety needs to be addressed, and engaging in this harmonization process has to be a priority for the states that want to take up that baton.

JAHIMA: Other than state law, what do you feel is the biggest obstacle to private and secure health information exchange and EHR interoperability right now?

Cybersecurity. I think people are very concerned about it, and rightfully so. Those of us who work in the industry have been waiting for what happened to Anthem to happen. [Editor’s note: The day before this interview was conducted health insurer Anthem announced it had suffered a data breach by hackers affecting 80 million people.] We knew that a large health company was going to get hit, we didn’t know when or where. I think that as a society every time there is a big hack we are not to the point where we are really immune to them. We all actually think about it and worry about it. ‘Gosh was I covered by Anthem, was my data in there, did they get my Social Security number, did they get my e-mail address? Did they get my home address?’ And I think that in order to have interoperability we have to have really good solutions and advice on cybersecurity in a way that keeps interoperability going.

Then there was that large Brooklyn warehouse fire [in February] and guess what burned up? Medical records. Many, many, many hospitals worth. So this gives the opportunity to talk about, for both paper and cyber threats, is cloud computing really the best solution? Because it is a time share in a facility that can apply standard industry tools at an economy of scale that an individual person can’t. We need to have that conversation if we think about cybersecurity and facilitating interoperability.

JAHIMA: After digital data breaches, what is the biggest threat to protecting health information today?

I think actually it is misunderstandings. I’ll give you a story from my personal life. A family member falls down and needs to go to the ER. They get the stitches, and we ask for the visit summary to be sent to a physician who is in a different system. And we are told, ‘Well we are not allowed to send data outside our system… because of HIPAA.” Well I know different, but the fact that somebody could say that and the consuming public is told that and they want to believe their physicians’ offices and take what they say to heart, [the public likely] doesn’t understand the rules well enough to say ‘Wait a minute, I don’t think that is quite right.’ So, we have these misunderstandings that are making the data not move as much as it could.

JAHIMA: Do you feel HIPAA is still being used as a scapegoat to deny people access to their records?

I think there is some of that going on. I was just talking to a physician on staff and I said ‘Don’t you remember when in your primary care practice you had to talk to XYZ specialist about a patient in common and you just picked up the phone?’ HIPAA is media-neutral and OCR [Office for Civil Rights] will tell you that. It is the same privacy rule for phone calls, for faxes, for pictures, for e-mail. Or information exchange, it is media-neutral, and we really need to make sure everyone knows that.