Clearing the HIPAA Cobwebs: New ONC Chief Privacy Officer Lucia Savage Focuses on Balancing Privacy and Security with Expanding Interoperable EHR Exchange

By Chris Dimick

The spiders of time have been hard at work on the US healthcare privacy and security rules, to the point that their place in health IT interoperability has become fogged and is inhibiting their proper role in the meaningful exchange of health information, according to Lucia Savage, JD, the Office of the National Coordinator for Health IT’s (ONC’s) new chief privacy officer. Savage wants to clear the cobwebs and foster better electronic health record (EHR) exchange and interoperability.

“Because we have permitted uses we actually have the [privacy and security] rules we need [for interoperability],” Savage says. “And in some ways I sort of see myself as putting on my head scarf and getting out the broom and getting the cobwebs off the ceiling. So that is really my focus.”

Harmonizing federal and state-level privacy and security rules and their interpretations in order to allow better information exchange and EHR interoperability is a top agenda item for Savage. Taking over for the first chief privacy officer, Joy Pritts, in October 2014, Savage says one of her first priorities has been fostering the interoperable use of electronic health information—through programs like the “meaningful use” EHR Incentive Program and guidance like ONC’s Interoperability Roadmap—in a private and secure way.

A draft of the 10-year roadmap, which in part aims to clarify HIPAA to reduce confusion and misconceptions about HIPAA restrictions and entitlements, was released by ONC in February. (See this month’s [...] for a graphic depicting roadmap milestones.)

While privacy rules like HITECH-HIPAA may need to be modified in order to keep up with emerging health IT and treatment technology, Savage says the key to better interoperability isn’t necessarily changing federal privacy regulations but making clearer use of the current rules. “We are going to go back to basics a little bit and talk about how to get interoperability in the rules environment that we actually have,” she says. “And part of that is permitted uses. We’ve had for 17 years the ability of physicians and payers to share information about their patient/members in common; that PHI at its core can be exchanged for appropriate treatment, payment, and healthcare operations purposes.”

Who is Lucia Savage?

Always looking for a challenge, Savage says she was first attracted to healthcare compliance and law because the industry was “so messed up” that she felt she would enjoy trying to fix it. In the 20 years since entering the field, there is still plenty to fix in healthcare, which Savage hopes to help accomplish as the new ONC chief privacy officer.

“The thing that really attracted me to healthcare was that it was so messed up, there was so much work to be done, and I really like a challenge,” Savage says. “It was at the tail of the last wave of managed care in the late ’90s, people couldn’t figure out how to do benefit appeals, prior authorization was not being handled in a very good way. HIPAA was a new law; it was a chance to really dig in on something new and build from it.”

Graduating with her Juris Doctor from the New York University School of Law in 1989, Savage started her career as an employee benefits attorney. But she soon expanded her practice to include healthcare regulation, healthcare reform, and HIPAA implementation. Before coming to ONC in October 2014 she worked at insurer UnitedHealthcare as the senior associate general counsel, focusing on large data transactions related to health information exchanges, healthcare transparency projects, and other data-driven healthcare work. Savage also served on the governance board of the Centers for Medicare and Medicaid Services’ Multi-Payer Claims Database Project from 2011 to 2013, and collaborated with health information exchanges and state agencies in their planning with payers, according to ONC’s website.

One of her next challenges is helping the country achieve private, secure, and interoperable health information exchange, as well as becoming a grandmother—at least, in time. She feels the first step has been taken with the recent ONC Interoperability Roadmap, of which she was a co-author.

“I always hoped that I’ll have completely interoperable data by the time I’m a grandmother, and hopefully that is 10 years out, so I think that this 10-year [ONC interoperability] roadmap is about right,” she says.

The Journal of AHIMA spoke with Savage about her upcoming priorities at ONC, how HIPAA is still being used as a scapegoat to deny release of health information, and what she feels is the biggest threat to protecting patient privacy in healthcare today.

JAHIMA: As you start down the Interoperability Roadmap, and as information becomes easier to exchange, how do you feel the privacy and security regulations should be modified? How do you walk the line between fostering exchange with health IT and maintaining patient privacy?

Savage: I think that for everyday healthcare we have pretty good background rules right now that we can get a lot accomplished with, and in fact we can get a lot more accomplished than we have. What we do know, however, is that with the advent of all this amazing computing power we couldn’t possibly have imagined 17 years ago [when HIPAA was implemented], and some people imagined when HITECH was passed, but most people were unfamiliar with mobile health, APIs, the smartphone. Most of us ordinary people did not imagine that [this change] would be coming. I think we have an opportunity to make sure that we are keeping abreast with technology as it is developing.

So for treatment, payment, and operations for health, we have pretty good background privacy rules. As we move into spaces like precision medicine, and part of that might be repeated long-term use of particular DNA samples, we need to have rules that accommodate our needs for science and knowledge in that space. And the rules we have now come from a time when it wasn’t all done through computers and people didn’t make choices with radio buttons on their tablets and computers. So we definitely have an opportunity to structure understanding to meet the growing technology needs. And in particular what we need to do is look ahead so that we are always keeping pace and we don’t fall behind where technology is taking us.

JAHIMA: Do you feel HIPAA-HITECH goes far enough right now to protect patient privacy, or are there gaps that could be tightened, either currently or as future technologies develop?

Savage: I think our problem isn’t really with the nationwide rules that were established in the original HIPAA enactment and the HITECH amendments. I think HITECH did some great housekeeping by clarifying, for example, the role of health information exchanges as business associates or adding protections about marketing rules that had become really onerous and burdensome for consumers as the Internet advanced. But I think we have some work to do with regards to being able to take advantage of computer technology while fostering the special protections that states have enacted.

JAHIMA: What needs to change at the state and federal level to foster more health information exchange?

Savage: We have a situation where HIPAA is really a floor, it is the basic rule and states are not only allowed to, but do, enact laws that are more privacy-protected than HIPAA. And those enactments come because of real experiences real people have had where bad things have happened to them. For example, because their personal information, health or not, has been used in a way they didn’t anticipate. One older example is at one time children [were] being sent home from school because their parents were HIV positive. So we have enacted these rules to protect people’s privacy in these special circumstances after very robust public debate in state legislature.

The problem we have is while those rules are philosophically aiming at the same things, the words used on the page vary so much that we can’t efficiently use machine learning because we are worried that if we program it to meet the rule of state A, we won’t quite meet the philosophically similar but content-different rule of state B.

And so I think we have some work to do to harmonize how we deploy these special protections [at the state level]. I’m in no way saying they should be removed. I’m saying let’s harmonize them so that we can take advantage of computerized abilities to capture, consent, tag data with consent, persist that choice through the data. And if you think about something like telemedicine, where the intent is to have a provider in one state and a patient in another state, you have got to figure out a way to have the patients’ expectations and the providers’ understanding match across the state line.

JAHIMA: As EHRs developed, a lot of interoperability issues came with the technology. But there was once a time when privacy was one of the big issues hindering interoperability.

Savage: That is right, and ONC has done some task support on that, even the HISPC work before HITECH that really documents the nature of the problem and even documents potential solutions. And I’m really hoping to go back to that as a discussion point.

I think now that we have had such a great run of getting physicians to adopt electronic health record systems and we are moving toward how do we make those systems exchange data for healthcare, it gives us a new chance to look at this in light of what now science is telling us about how effective coordinated care can be, and what we can do on the social determinants of health to improve health in communities, keep people out of the emergency room that don’t belong there, etc.

There is a really important part of this that we can’t lose sight of. A key part of this privacy formula is the patient or person whose data are collected needs to understand what is happening to it. If we have harmonized laws, it is easier to explain privacy rights to a person. And we have a situation where we have many different languages and different levels of literacy in America. The easier it is to explain the easier it is to get that word out in our diverse population.

JAHIMA: It would definitely simplify things from a health information release standpoint. But whose job is that? It is a big job to harmonize all the various state privacy laws, and harmonize them in a way that at least information exchange can happen. Are you seeing this as ONC’s role?

Savage: I think ONC’s job here, and my job in particular, is to be a subject matter expert and a resource. So it is really that sort of expert/coordinator capacity. At the end of the day public policy choices made by states really have to be made by the states. So, you know, states have a wide variety of health situations, they have a wide variety of political environments, they have a wide variety of budget situations, they have priorities that may be different than this priority. And what we can bring to the conversation is ‘Here are our expert observations, here are some resources we can make available. Do you want to try and tackle this, if so how can we help you tackle it?’

We have done a lot of research to identify the issue, and it is definitely something that as a matter of health and safety needs to be addressed, and engaging in this harmonization process has to be a priority for the states that want to take up that baton.

What is a Typical Work Day for the Chief Privacy Officer?

“It is a real mix of internal meetings that are both strategic and tactical as we plan stuff out. I do a lot of writing and editing. I was working on a privacy guide today. I have meetings with other agencies of the government as we try to lend our expertise on topics like cybersecurity and precision medicine. And then I meet a lot with external stakeholders, sometimes in person and sometimes by phone and sometimes in a sort of public presentation setting. So every day is kind of a mix that way.” – Lucia Savage

JAHIMA: Other than state law, what do you feel is the biggest obstacle to private and secure health information exchange and EHR interoperability right now?

Savage: Cybersecurity. I think people are very concerned about it, and rightfully so. Those of us who work in the industry have been waiting for what happened to Anthem to happen. [Editor’s note: The day before this interview was conducted health insurer Anthem announced it had suffered a data breach by hackers affecting 80 million people.] We knew that a large health company was going to get hit, we didn’t know when or where. I think that as a society every time there is a big hack we are not to the point where we are really immune to them. We all actually think about it and worry about it. ‘Gosh was I covered by Anthem, was my data in there, did they get my Social Security number, did they get my e-mail address? Did they get my home address?’ And I think that in order to have interoperability we have to have really good solutions and advice on cybersecurity in a way that keeps interoperability going.

Then there was that large Brooklyn warehouse fire [in February] and guess what burned up? Medical records. Many, many, many hospitals’ worth. So this gives the opportunity to talk about, for both paper and cyber threats, is cloud computing really the best solution? Because it is a time share in a facility that can apply standard industry tools at an economy of scale that an individual person can’t. We need to have that conversation if we think about cybersecurity and facilitating interoperability.

JAHIMA: After digital data breaches, what is the biggest threat to protecting health information today?

Savage: I think actually it is misunderstandings. I’ll give you a story from my personal life. A family member falls down and needs to go to the ER. They get the stitches, and we ask for the visit summary to be sent to a physician who is in a different system. And we are told, ‘Well we are not allowed to send data outside our system… because of HIPAA.’ Well I know different, but the fact that somebody could say that and the consuming public is told that and they want to believe their physicians’ offices and take what they say to heart, [the public likely] doesn’t understand the rules well enough to say ‘Wait a minute, I don’t think that is quite right.’ So, we have these misunderstandings that are making the data not move as much as it could.

JAHIMA: Do you feel HIPAA is still being used as a scapegoat to deny people access to their records?

Savage: I think there is some of that going on. I was just talking to a physician on staff and I said ‘Don’t you remember when in your primary care practice you had to talk to XYZ specialist about a patient in common and you just picked up the phone?’ HIPAA is media-neutral and OCR [Office for Civil Rights] will tell you that. It is the same privacy rule for phone calls, for faxes, for pictures, for e-mail. Or information exchange, it is media-neutral, and we really need to make sure everyone knows that.

Chris Dimick is editor-in-chief of the Journal of AHIMA.

Article citation:
Dimick, Chris. "Clearing the HIPAA Cobwebs: New ONC Chief Privacy Officer Lucia Savage Focuses on Balancing Privacy and Security with Expanding Interoperable EHR Exchange" Journal of AHIMA 86, no.4 (April 2015): 36-39.