Pritts on ONC's Next Big Privacy ChallengeOutgoing Privacy Chief Discusses Emerging Issues
Ensuring patient privacy is protected as more electronic health records are exchanged will be a top challenge for the Office of the National Coordinator for Health IT's next chief privacy officer, says ONC's former privacy chief, Joy Pritts.
"There are a number of implementation issues that are emerging as more providers adopt [electronic health records], and I would say the heightened interoperability of information ... and the different modes for exchanging information is a challenge," Pritts says in a recent interview with Information Security Media Group (transcript below).
"Whenever you're looking at information from a privacy and security perspective, what you want to do is look at how the information is flowing, who has it, how they're sharing it and to assess what the vulnerabilities are for that information," says Pritts, the first chief privacy officer at ONC, who stepped down on July 12. ONC, a unit of the Department of Health and Human Services, is responsible for setting policies and standards for the HITECH Act electronic health records financial incentive program, as well as national, secure health information exchange.
Pritts' ONC replacement will be appointed by HHS Secretary Sylvia Mathews Burwell. HHS has not yet offered an update on when a new ONC chief privacy officer will be named, an ONC spokesperson says.
"There are all these new means of sharing information that are coming into play, and it's a very new field," Pritts says. "Those are probably the areas that will be most challenging for the next chief privacy officer. Continuing to look at these emerging ways of sharing information and trying to keep up with them from a privacy and security perspective."
In the interview, Pritts also discusses:
- Why she decided to leave ONC;
- What health IT vendors can do to improve security and privacy of patient data;
- Her advice for ONC's next chief privacy officer.
Pritts joined ONC in 2010 as the office's first chief privacy officer. In that role, Pritts provided advice to the HHS secretary and the National Coordinator for Health IT about developing and implementing ONC's privacy and security programs under HITECH. Pritts also worked closely with the Office for Civil Rights and other divisions of HHS, as well as with other government agencies, to help ensure a coordinated approach to key privacy and security issues. Before joining ONC, Pritts held a joint appointment as a senior scholar with the O'Neill Institute for National and Global Health Law and as a research associate professor at the Health Policy Institute, Georgetown University.
Reason for Departure
MARIANNE KOBALSUK MCGEE: Why did you decide to leave ONC and where are you headed?
JOY PRITTS: I decided to leave ONC because it's just time. I [had] been there for four and a half years. The average tenure of a political appointee is two years. So I have outpaced them by more than twice the amount of time most people stay in a job like this. I didn't have to do it. I feel like I've made a lot of progress with some very good people on my team, and that on this up-note, it's a good time for me to be stepping down.
MCGEE: Where are you headed?
PRITTS: I have no idea. It is almost impossible to look for another job while you are still employed as a political employee.
MCGEE: Once the HITECH money runs out, how optimistic are you that doctors and hospitals will continue to use and exchange electronic patient data in a secure way and why?
PRITTS: The incentive money was really meant to be that - an incentive to start adopting and using electronic health records. As we were paying providers to adopt this technology, we made sure we put into place encouragement also to make sure that the information was treated securely. There are requirements under the HIPAA privacy and security rules for providers and health plans to continue to keep the information safe and secure. If you've been reading the news lately, you will have noticed that there is an increasing number of civil monetary penalties that are being imposed or settled by the Office for Civil Rights. The bottom line that you're required to do this and there is heightened enforcement activity including what was recently announced as a continuation of the audit program by OCR. I am fairly confident that most providers and plans will be paying very close attention and will be trying to keep that information safe and secure.
Health IT Vendors
MCGEE: Do you think health IT vendors are doing enough to enable healthcare providers to use and exchange health data security?
PRITTS: Security is always a moving target. The technology continues to advance, and security has to advance with it. So it's very important that the vendors continue to assess how things are changing, not only with the technology, but with the threats that are coming up. [They need to] build into their products these features that will help make EHR and other electronic health information remain secure. There is a real market opportunity here to help providers keep their information secure, because there is of course every incentive to not have to face any of those civil monetary penalties.
ONC's Next CPO
MCGEE: What do you think will be the biggest challenges facing ONC's next chief privacy officer?
PRITTS: There are a number of implementation issues that are emerging as more providers adopt, and I would say the heightened interoperability of information and a greater network that is created for the information to be exchanged and different modes of exchanging information is a challenge. Whenever you're looking at information from both a privacy and security perspective, what you want to do is you want to look at how the information is flowing. Who has it? How they are sharing it? [You also need] to assess what the vulnerabilities are for that information. As you know, in the last few years there are all these new means of sharing information that are coming into play, and it's a very new field. Those are probably the areas where it's going to be most challenging for the next chief privacy officer; to continue to look at these emerging ways of sharing information and try to keep up with them from a privacy and security perspective.
MCGEE: What are you most proud of and do you have any regrets or disappointments?
PRITTS: It would be really hard for me to choose just one thing that I'm most proud of because I really feel like my team has been able to do a lot of very good work in a short amount of time. I think overall, though, one of the things that we've really been able to do, along with the help of many others, is change the conversation about privacy and security. [It was ] always one of, "Well that is something we have to do," or looking at it as a barrier...to one where people recognize that these are things that are essential and can be helpful in developing a network for sharing health information across the country.
It still is frustrating that after all these years we've had privacy and security rules in place that apply to providers and health plans, and many of them are still unaware of what it is that is required of them. The amount of education you can or need to do in this area really just can't be overestimated.
MCGEE: Awareness isn't always the best among healthcare providers. Any suggestions on what can be done to improve that?
PRITTS: We're working on it and I'm sure ONC and HHS will continue working on establishing more networks with more other organizations to help get that word out. There are a lot of people and organizations that need to get this message, and I don't think we'll rest until we are able to get to every one of them.
MCGEE: Do you have any advice for the next ONC chief privacy officer?
PRITTS: Be persistent, be aware and have a good sense of humor.