Privacy Advocate Frustrated By Inertia
Tiger Team's Deven McGraw Calls for Regulatory Action
The Privacy and Security Tiger Team has made a long list of recommendations. But before the team works on new projects, Deven McGraw, the team's co-chair would like to see the Department of Health and Human Services take action on implementing the proposals the group already has made.
"I personally feel that we have given them a lot of good recommendations over the past year and few of them have been acted on yet," she says in an interview (transcript below). "My own view is that I'm a little bit reluctant to spend my own time, quite frankly, and the time of other people to continue to add to the pile until we get a sense of what HHS is willing to do with what we've already recommended."
McGraw expects many of the team's recommendations, such as those regarding obtaining patient consent to exchange data, will wind up in the proposed Nationwide Health Information Network governance rule, which will provide guidelines for health information exchange. She says that rule is likely to come out by next spring at about the same time as proposed rules for Stage 2 of the HITECH Act electronic health record incentive program. The EHR incentive rules likely also will incorporate some Tiger Team proposals, McGraw notes. For example, the team has recommended that EHRs provide patients with the ability to download records.
"If those rules came out as a package, particularly if they are actually consistent in terms of the expectations that were set, that would be ideal," McGraw says.
Once the NwHIN governance rule is issued, members of the tiger team will "have a better picture of what we might need to do going forward," she adds.
In the interview, McGraw also:
- Explains her recent testimony before Congress, during which she expressed frustration with delays in the release of an omnibus package of regulations to modify the Health Insurance Portability and Accountability Act's privacy and security provisions and finalize the HIPAA breach notification rule (see: HIPAA Updates: What's the Hold Up?).
- Discusses whether the departure of Donald Berwick, M.D., from the leadership post at the Centers for Medicare and Medicaid Services will have an impact on privacy and security issues;
- Predicts that Congress, despite pressures to slash the federal budget, will not cut any unspent HITECH Act funding for electronic health record incentives because it would be "politically very difficult for Congress to take those incentives off the table."
An attorney, McGraw is director of the health privacy project at the Center for Democracy & Technology, a Washington-based, not-for-profit civil liberties organization. She focuses on developing and promoting policies that ensure the privacy of personal health information that is electronically shared.
HOWARD ANDERSON: A few weeks back, you testified at a Senate hearing on healthcare privacy and security issues. What was the single most important message you wanted to give?
DEVEN MCGRAW: I testified about a lot of things, but I would say you could wrap them into one message, which is that health privacy and security policy issues should be a major priority for Congress as we move toward trying to turn the nation into one that ... collects and shares [electronic] data to improve individual and population health. You're not going to get there unless you really pay attention to privacy and security issues. And that means clarity in the law, which requires the release of the regulations [for which] we've been waiting for so long and enforcing the laws better. I think those messages came through. But the common theme is that this is a priority that needs the attention of both Congress and the regulators.
ANDERSON: Do we have a clearer expectation yet of when the long overdue omnibus regulation package containing the final version of the HIPAA modifications and HIPAA breach notification rule is likely to be released?
MCGRAW: Not really, unfortunately. I think the agency [HHS Office for Civil Rights] told Congress at the hearing that they are working very hard to get them out as expeditiously as possible ... but the agency has said nothing definitive in terms of committing to getting these things done by a certain time.
ANDERSON: And it hasn't gone to the Office of Management and Budget for final review, so that requires some extra time, right?
MCGRAW: Yes, it builds in some extra time there as well, so it's really going to require a commitment from both HHS [Department of health and Human Services] and the administration to expeditiously get this stuff out, and we know that when something is a priority for them, they can do it.
NwHIN Governance Rule
ANDERSON: What about the Nationwide Health Information Network governance rule? Could that be coming in the spring?
MCGRAW: I hope the governance rule will be out in the spring. What we are hearing is that they expect to release it around the same time as the proposed rules for Stage 2 meaningful use and certification of EHRs [the latest HITECH Act electronic health record incentive program rules], which would mean that it would come out sooner in 2012 rather than later. So whether that means the waning months of winter 2012 or early months of spring, I don't know. I think it would be really unfortunate for that [NwHIN] rule to be significantly delayed because you know a lot of health information technology infrastructure and the Direct Project have been waiting for the guidance about what is going to be expected of them above and beyond what might be legally required by HIPAA or state law, and to delay getting that out is hugely problematic.
ANDERSON: So the NwHIN Governance Rule could be about the same time as the Stage 2 meaningful use?
MCGRAW: Yes, that is our understanding. So if those rules came out as a package, particularly if they are actually consistent in terms of the expectations that are set, I think that would be most ideal.
ANDERSON: So you would like to see security provisions for HIE included in both right?
MCGRAW: Yes I would.
Accounting of Disclosures
ANDERSON: Is the Accounting of Disclosures rule going to come out much later?
MCGRAW: Yes I believe so. The [notice of proposed rulemaking] obviously was highly controversial. There were a number of issues raised by industry stakeholders. We raised some issues as well. We thought that the Office for Civil Rights took a very patient-forward approach to the rule in terms of trying to maximize what they thought the technology could produce in terms of giving patients more transparency about how their records are accessed, but the technology really can't deliver in the ways that we had hoped. We are convinced about that and I think they are going to have to scale back.
ANDERSON: You are talking about the access report provision that would require organizations to provide patients with full reports on who has accessed their electronic records?
MCGRAW: Yes the access reports.
Tiger Team Priorities
ANDERSON: As co-chair of the Privacy and Security Tiger Team that advises the Health IT Policy Committee, what do you see as the team's major tasks for next year?
MCGRAW: Well we are in the process of trying to figure that out, actually. I personally feel like we have given a lot of really good recommendations over the past year and few of them have been acted on yet. So my own view is that I'm a little bit reluctant to spend my own time, quite frankly, and the time of other people to continue to add to the pile until we get a sense of what HHS is willing to do with what we've already recommended.
To ask people to put in a significant amount of time for recommendations that just sit on somebody's desk -- I'm not willing to do that and I'm not willing to put anybody else through that process. I am confident at this stage that we will see some movement in the NwHIN governance rule, and then I think we'll have a better picture of what we might need to do going forward.
ANDERSON: So you think most of the Tiger Team recommendations will wind up in the Nationwide Health Information Network governance rule, or will they be in Stage 2 guidelines for the EHR incentive program as well?
MCGRAW: I think it's going to be a mix, because if you look at the recommendations, some of them are directly aimed at Stage 2 of meaningful use and [EHR software] certification and some of them are more general in nature. And then I think HHS has to figure out where is the best fit for acting on them, and in some cases it's going to be the governance rule. For example, the [patient] consent recommendations are better suited for the governance rule versus meaningful use or certification. On the other hand, the recommendations related to the patient view and download functionality should probably be part of meaningful use and certification.
ANDERSON: Donald Berwick has stepped down as head of Centers for Medicare and Medicaid Services replaced on an interim basis by Marilyn Tavenner. Do you have a perception yet of the impact that change might have if any on privacy and security issues or the EHR incentive program?
MCGRAW: CMS has -- based on some of the rulemakings that we've seen for data sharing with respect to healthcare reform initiatives like the accountable care organization rule and the release of data to entities that are going to do provider performance measurement -- shown a degree of sensitivity to privacy and security issues for Medicare beneficiaries. I'm not sure if that is coming from the top or if it's coming from ... staff within HHS or an overall emphasis within the different agencies at HHS. I certainly hope that the degree of sensitivity [to privacy and security] continues. To the extent that it is more embedded within the agency, it doesn't really matter who is at the top as much. How much Dr. Berwick was influential in those policies, I just don't know. I happen to think that he was doing a terrific job, but from what I've read about the woman who is taking his place, she is similarly dedicated to pushing for healthcare system change, and that, I think, is a good thing and the data flow issues go hand-in-hand with the change that we're seeking.
ANDERSON: Finally, are the HITECH Act funds that haven't been committed yet for EHR incentives in any jeopardy as a result of budget cutting that is still looming or, or are they safe?
MCGRAW: Nothing is ever completely safe. But I do think that for the unspent HITECH funds that have been committed to providers that adopt electronic medical records -- it would be politically very difficult for Congress to take those off the table, because essentially it is reimbursement for money that many providers have already spent. ... To tell ... these providers who have invested tens of thousands if not millions of dollars in health IT systems that the reimbursement is not going to be available to them anymore [would be a] very politically unpopular thing to do. So [although] it looks like easy pickings for deficit reduction because the money actually hasn't technically gone out the door yet, I think it is highly unlikely for Congress to peel that program back.