New ONC Privacy Chief's Rallying CryLucia Savage Calls for Clarifying EHR, HIE Privacy Explanations
The secure national exchange of patients' health information for use in treatment will make progress once "we simplify what we say when we're explaining privacy to people," says Lucia Savage, new chief privacy officer at the Office of the National Coordinator for Health IT.
Although the HITECH Act financial incentive program over the last five years has propelled tens of thousands of healthcare organizations into "the brave new world of electronic health records," it's still difficult for many providers and patients to understand the basics of how privacy will be protected as more information is electronically accessed and exchanged, Savage says in an interview with Information Security Media Group.
Patients and providers often don't understand "what's happening, and not happening with their data," says Savage, who joined ONC last month and was previously an attorney at insurer United Healthcare.
"The [privacy] rules of HIPAA ... are really agnostic in how information is being transacted. They are the same for paper, faxes, and secure e-mail - the rules themselves, they care about who and what, and not about how," she says.
Savage knows from the frontlines about some of the misunderstandings when it comes to healthcare data exchange. In her work at United Healthcare, she served on the governance board of the Centers for Medicare & Medicaid Services' Multi-Payer Claims database project from 2011 to 2013 and collaborated with health information exchanges and state agencies in their planning with payers.
One of the biggest obstacles in achieving secure health information exchange that honors patients' privacy preferences, Savage says, is "the complicated rules environment."
"I'm not suggesting that rules be weakened at all," she says. But HIPAA, as well as various state laws, need to be much more clearly explained, she stresses. "You'll be hearing a lot more about that as we get into our interoperability roadmap," she says.
As funding for HITECH programs winds down, ONC's 10-year vision is shifting to a focus on building secure nationwide health information exchange based on the interoperability of electronic health records.
Savage recently succeeded Joy Pritts, who left the privacy post at ONC, a unit of the Department of Health and Human Services, in July after serving in the role for four years.
In this interview, Savage also discusses:
- The importance of encryption in safeguarding data;
- What's on her near-term agenda;
- The mood at ONC, which has seen the recent departure of several senior officials, plus its leader, Karen DeSalvo, M.D., taking on additional duties, including Ebola response work, in her new position as HHS acting assistant secretary of health (see ONC's DeSalvo Stays On: Questions Arise).
Savage was appointed ONC chief privacy officer in October by HHS Secretary Sylvia Mathews Burwell. Before joining ONC, Savage was senior associate general counsel at United Healthcare, where she supervised a team that represents the insurer in its work in large data transactions related to health information exchanges, healthcare transparency projects, and other data-driven healthcare innovation projects. Previously, Savage was general counsel at the Pacific Business Group on Health and compliance manager at Stanford University.