While the director of the Department of Health and Human Services' Office for Civil Rights says HIPAA enforcement remains a top priority for the agency, obtaining enough resources to carry out its mission is an ongoing battle, says former OCR official Deven McGraw (see 'No Slowdown' for HIPAA Enforcement, But Audits Ending).
"The struggle for OCR is that they're part of an administration that is trying to downsize the size of federal government. You see that in OCR's budget from the White House," says McGraw, who late last year left OCR, where she served as deputy director of health information privacy, to join Silicon Valley start-up Ciitizen as chief regulatory officer.
The Trump administration's proposed fiscal 2019 budget would cut the agency's budget by about $8 million - or about 20 percent - to $31 million, down from the FY 2018 Continuing Resolution level of $39 million. As a result of the proposed cuts, OCR's full-time headcount would drop to 147 in FY 2019 from 152 in FY 2018.
"I believe [OCR] director [Roger] Severino's commitment to enforcement is a strong one," McGraw says in an interview with Information Security Media Group at the recent HIMSS18 conference in Las Vegas. "He comes from a law enforcement background. He appreciates and fully endorses his role as HIPAA enforcer," she says, noting that HIPAA enforcement actions so far in fiscal 2018 "are not that far behind" settlements in fiscal 2017.
"It takes two to three years for these cases to wind through the pipeline and get settled or result in civil monetary penalties," she says. "I think that's going to remain, but I think they are doing that in an environment that's made arguably a little more hostile than the one I faced when I was deputy director [at OCR]. If someone is telling you 'you can't hire people' and their budget is constantly being crunched ... it's hard to hire full-time employees on uncertain dollars."
In her new role at start-up Ciitizen, McGraw will aid patients in exercising their HIPAA rights. The company's upcoming tools and services aim to empower patients to access, collect, use and share their health data - including complex genetic information that can be used to aid treatment decisions as well as contribute to research for serious illnesses, such as cancer.
"We understand that they need a lot more data than what is available through a [patient health record] portal or exposed by an application programming interface," she says. "So, it's a deep data need ... And patients have a right to this data."
In the interview, McGraw also discusses:
- How her experience as a top HIPAA enforcer at OCR will help her in her work at Ciitizen;
- The timeline of first offerings from the start-up company.
Privacy attorney McGraw is chief regulatory officer at Ciitizen. She previously was deputy director of health information privacy at OCR for about two years, playing a key role in HIPAA enforcement efforts. Before joining OCR, McGraw was a partner at the law firm Manatt, Phelps & Phillips LLP, where she co-chaired its privacy and data security practice. Earlier, she was director of the health privacy project at the Center for Democracy & Technology, a consumer advocacy group. McGraw also served for six years as an adviser to HHS on health data privacy and security issues.