Privacy Chief Joy Pritts Leaving ONCDeparture Comes as Office Makes Post-HITECH Plans
See Also: HIPAA Audits: A Revised Game Plan
Pritts joined ONC, a unit of the Department of Health and Human Services, in 2010. As chief privacy officer, she provided advice to the HHS secretary and the National Coordinator for Health IT about developing and implementing ONC's privacy and security programs under the HITECH Act. Pritts also worked closely with the Office for Civil Rights and other divisions of HHS, as well as with other government agencies, to help ensure a coordinated approach to key privacy and security issues.
In a June 12 memo to ONC staff announcing Pritts' departure, ONC's leader, Karen DeSalvo, M.D. wrote, "Thanks to [Pritts'] efforts, privacy and security have become engrained in the ONC culture and are increasingly being recognized as crucial elements of health IT by our stakeholders."
DeSalvo, who joined ONC in January, wrote that Pritts "made it clear to me and the [former HHS] Secretary [Kathleen Sebelius] that she was committed to seeing me through my beginning tenure as national coordinator, and has been an invaluable advisor to me over the last five months. She has served not only as ONC's point person on privacy and security, but, as a practical matter, has served as a key adviser to the [HHS] secretary and across the federal government on these crucial issues."
During her tenure at ONC, Pritts has been a strong advocate for patient data confidentiality, patient rights to access their health information, secure health information exchange, and data segmentation for protecting sensitive information.
Pritts was also ONC's liaison to sister HHS agency, the Office for Civil Rights, in developing various HIPAA privacy and security tools and guidance for the healthcare industry, including risk assessment tools and mobile security education materials.
"Under Joy's leadership, ONC has had a significant impact on improving the privacy of health information and patients' rights to their information," DeSalvo wrote.
"She helped in the development of regulations that give patients direct access to their lab test results. Joy and her team have made great strides in furthering policy and technology that improves individuals' ability to choose when and how their health information may be electronically exchanged. Thanks to Joy's perseverance, for the first time the Secretary's Strategic Initiatives include a distinct initiative addressing privacy and security."
Deven McGraw, chair of the HIT Policy Committee's Privacy and Security Tiger Team, says Pritts was instrumental in ONC's support of important privacy and security matters.
"If you look at the recommendations of the Health IT Policy Committee on privacy that were translated into action, and there are many, Joy provided the push within ONC and HHS to make them happen," McGraw says. "For example, state guidance to ONC-funded HIEs included, almost verbatim, the Policy Committee's recommendations on consent, which went above and beyond what was required by HIPAA.
"The Policy Committee urged ONC to do pilots of technologies to do data segmentation, and that happened - and the outcome is that we have piloted standards that we can now move forward to consideration in EHR certification. One thing I have seen with the Policy Committee's recommendations is that if there isn't someone within ONC or [the] Center for Medicare and Medicaid Services who is willing to take those recommendations, evaluate them, and try to make them happen, they go nowhere."
Pritts helped knock down roadblocks, says David Holtzman, who joined security consulting firm CynergisTek as vice president of compliance after serving at OCR for several years. "The hallmark of Joy's tenure as chief privacy officer was overcoming the perception that privacy was an obstacle to the development of electronic health records and health information exchange," he says. "The challenge for the next chief privacy official will be to assure that as new technologies are developed that privacy is integrated into by design."
Pritts will leave ONC on July 12, but will assist ONC to identify an acting chief privacy officer, as well as a permanent replacement.
Pritts' departure comes in the midst of ONC undergoing a major revamp as it plans for the next decade. ONC is streamlining its 17 subunits to only 10, though one of the survivors is the Office of the Chief Privacy Officer, which was headed by Pritts (see New ONC: Impact on Privacy, Security).
ONC is also cutting in half the number of workgroups that provide recommendations on health IT standards and policies. But a key advisory panel, the HIT Policy Committee's Privacy and Security Tiger Team, will survive, although it may get a new name. Meanwhile, ONC's HIT Standard Committee's privacy and security workgroup is expected to be re-launched as the security and transport workgroup, reflecting ONC's emphasis on system interoperability and secure national health information exchange.
ONC also last week unveiled a 10-year game plan, which focuses on building an interoperable, nationwide health IT infrastructure to pave the way for the secure exchange of patient information; it includes privacy and security among five core building blocks. (see A Look At ONC's 10-Year Plan).
The moves by ONC are aimed at repositioning the agency as HITECH Act funding for electronic health records incentives, as well as other projects, including start-up statewide health information exchanges and regional extension centers offering EHR support, is winding down. However, ONC has its own budget for other projects.
The realignment of ONC also comes at a time of other big leadership changes at HHS, including a new Secretary, Sylvia Mathews Burwell, who was sworn in on June 9, replacing Sebelius, who announced her resignation in April in the wake of the troubled launch of the Affordable Care Act HealthCare.gov website (see Burwell Confirmed As HHS Secretary.)
The next ONC privacy officer will face new challenges, says privacy attorney Adam Greene, partner at Davis Wright Tremaine, and a former OCR attorney who worked with Pritts while both were at HHS.
"I think that one challenge that lies ahead for the next ONC chief privacy officer is providing much needed assistance to small healthcare providers and business associates who struggle to understand how HIPAA and other privacy and security laws apply to them," Greene says. "Because ONC has limited regulatory authority in the area of privacy and security and much of the HITECH Act funding has expired, the new chief privacy officer will have to think creatively about how best to promote privacy and security, using tool such as EHR certification criteria.
"Joy's tenure as chief privacy officer has helped ensure that privacy and security is built in HHS' HIT initiative, rather than treated as an afterthought."
Pritts' parting also deepens a growing gap in seasoned privacy and security leadership within HHS, McGraw notes.
"Joy's departure, and the pending departure of the head of OCR, Leon Rodriguez, coupled with the retirement of OCR's deputy director, Sue McAndrew, leaves a bit of a vacuum on privacy leadership," McGraw says (see HIPAA Enforcement Leadership Changes). "In addition, the departure of Secretary Sebelius contributes to uncertainty with respect to the direction of HHS programs on privacy issues. This provides both a challenge and an opportunity for the next ONC CPO to move privacy forward during a time of transition in the final years of an administration. "
Pritts was unavailable for comment on her decision to leave ONC. However, an ONC spokesman notes that Pritts had held the politically appointed job for nearly twice as long as most others at ONC. That includes the ONC's top leaders, including Farzad Mostashari, David Blumenthal, Robert Kolodner and David Brailer, who each held the job for two to three years.
Before joining ONC, Pritts held a joint appointment as a senior scholar with the O'Neill Institute for National and Global Health Law and as a research associate professor at the Health Policy Institute, Georgetown University.