Next month, Deven McGraw, a 43-year-old lawyer with a background in healthcare law, policy and privacy as well as in not-for-profit organizational management, will get a chance to focus on privacy for a while.
"It's going to feel really good," said McGraw, who was named to be the director of the Health Privacy Project. The 11-year-old not-for-profit organization will move from its current status as a free-standing entity to become part of the not-for-profit Center for Democracy & Technology, a Washington think tank specializing in computer technology, privacy and national security issues.
According to its Web site, over the years the center has received funding from a host of both not-for-profit and corporate sources, including the Ford, MacArthur and Markle foundations; telecommunications providers AT&T and Verizon Communications; computer software, hardware and Internet service providers, AOL, Google, Hewlett-Packard Co., Intel Corp., Microsoft Corp., VeriSign and Yahoo; data-miners, Acxiom Corp., ChoicePoint and LexisNexis Group; and credit card companies American Express Co. and Visa.
McGraw currently serves as chief operating officer of the National Partnership for Women & Families, a position she'll relinquish April 11 before starting at her new job April 14.
"It's already starting to feel good," McGraw said in a telephone interview soon after the appointment was announced. "The National Partnership has known for about a month now, so we've been doing some transitioning. I've been able to spend more time on this issue than I've done two months ago. It's really refreshing. Hopefully, that (feeling) will continue."
McGraw will take over for Janlori Goldman, also a lawyer and the founder of the Health Privacy Project in 1997. She is a research scholar at the Center on Medicine as a Profession at the Columbia College of Physicians & Surgeons in New York. Goldman will serve as an adviser to the organization.
Since mid-2006, McGraw has been a founding member of the Confidentiality, Privacy & Security Workgroup of the American Health Information Community, which was created by HHS Secretary Mike Leavitt to advise him on healthcare information technology policy. She was named co-chair of the work group after former co-chairman Paul Feldman resigned in February 2007, citing his frustration over a lack of progress by the federal government in setting healthcare privacy policy. He was echoing criticism of the Government Accountability Office, which had just issued a report chastising HHS for failing to have an integrated approach to developing a national privacy policy for healthcare IT. At the time, Feldman was deputy director of the Health Privacy Project.
Despite Feldman's protest, McGraw said she plans to stick with the confidentiality work group as the AHIC attempts to transition this year from a federally controlled advisory panel to a private-sector entity before the end of 2008.
"I think that this situation is a little bit different, if only because Paul didn't have the director of Health Privacy Project title," McGraw said. "At the time he resigned, I think Janlori wanted to make a pretty bold statement that the privacy work group wasn't moving fast enough.
"We're at the state now where we're being months from the end of the (Bush) administration," McGraw said. "We don't know where it (the AHIC) is going, and I'm committed to staying with the work group and helping it wrap up and get a few more recommendations out before the end of the year." McGraw said it is possible at some future date that she could similarly disengage with the AHIC as Feldman did, "but I believe the work group is heading in a good direction, so I have no plans to stop doing what I've been doing."
McGraw said the Health Privacy Project will be working under agreements with the Markle Foundation and the California HealthCare Foundation to fund the program for two years. The Center for Democracy & Technology did not disclose the amount of the grants.
McGraw said those continuing deliberations with the AHIC privacy work group could be covered by two tracks. One is discussions on the scope of federal privacy regulations under the Health Insurance Portability and Accountability Act of 1996, and whether HIPAA privacy requirements should be extended to apply to health information exchanges, regional health information organizations and personal health records. The second track is, "once you've got them covered, is there something about the new environment that suggests we need some (privacy) standards that are higher than HIPAA?" she said.
McGraw made a presentation to the AHIC at a meeting held last month in Orlando, Fla., during the Healthcare Information and Management Systems Society convention.
"We said some of the HIPAA rules should not apply to these HIEs or RHIOs because they don't have direct relationships with patients," McGraw said. For example, she said, HIEs and RHIOs shouldn't have to comply with the obligation to give patients a notice of their privacy policies and have that acknowledged as required under HIPAA.
"I got a good reception, but the request from Secretary Leavitt was he said, 'Come back to us with these recommendations worded in a way that is more clear,' " McGraw said.
According to McGraw, without the legalese, the gist of the work group's proposal is to make HIEs and RHIOs equivalent to so-called "covered entities" (which under HIPAA are healthcare providers, health plans and claims clearinghouses) and to carve out exceptions for HIEs and RHIOs on the privacy notice requirements.
PHRs are another matter. Both Microsoft and Google have launched PHR efforts in recent months, and both have partnered with big-name healthcare organizations, Microsoft with the Mayo Clinic and Google with the Cleveland Clinic. But neither software developer has signed HIPAA business associate agreements with its corresponding healthcare provider, although Cleveland Clinic's Chief Information Officer C. Martin Harris said his organization would insist that Google does once the pilot project, now under way, is completed.
McGraw said PHRs represent new territory for privacy.
"The application of HIPAA to the PHR space could be a difficult question. A lot of the major PHR vendors are going far beyond what HIPAA requires and giving their patients a high degree of control beyond what is provided under HIPAA," she said. "HIPAA may not be the right statutory or regulatory vehicle for covering PHRs. Having said that, it doesn't mean they should operate without any standards at all."
The question is, McGraw said, what standards or laws should apply to those PHR suppliers such as Microsoft and Google and others that are not covered entities?
"It's consistent with their business interests, right now, to have that set of privacy policies," such as requiring patient consent before data can be shared or transferred, she said. "But where is the guarantee beyond market forces that it's going to be in their interest to do that in a year or two from now? That's why CDT (the Center for Democracy & Technology) is in this space, to give some thought to these quite difficult questions to set some standards in this area without presenting obstacles to innovation while protecting patient privacy."
Last week, the National Committee on Vital and Health Statistics at HHS issued a letter containing a list of privacy recommendations to Leavitt. Chief among them was that some measure of patient consent should be restored to healthcare data-sharing; specifically, consent should be required before the disclosure or sharing of certain sensitive information on the proposed national health information network.
In summary, the committee wrote, "We have concluded that NHIN policies should permit individuals limited control, in a uniform manner, over access to their sensitive health information disclosed via the NHIN. Public dialogue should be undertaken to develop the specifics of these policies, and pilot projects should be initiated to test their implementation."
HHS stripped the requirement that covered entities obtain patient consent prior to the disclosure of their medical information for treatment, payment or "other healthcare operations" when it revised the original HIPAA privacy rule in 2002.
Using software to record and invoke patient consents "raises a lot of very interesting issues and it tees up a lot of potential solutions, but it raises even more questions about how it would be implemented that would create some challenges for the policy community," McGraw said. "Like, how is that notation going to show up on the record? I'm going to be very interested in what the provider community reaction is going to be.
"That's something the provider community has very much resisted. I think the consent piece, it's still a topic that people want to get a handle on. It will be the subject of one of our longer papers. The center has already put out a paper debunking the idea that consent is the answer, and I agree with that. There is a role (for consent), but suggesting that it is the one and only thing to do is the wrong approach. If the system you are consenting into is not good, and the coercive nature (of required consent) just magnifies the burden that it places on the individual, I would rather think of consent of people consenting into a system that already has strong privacy rules built into it," McGraw said.
One area in which the Health Privacy Project will devote a lot of attention in months to come is legislation. There are several bills pending that would promote healthcare IT and others that boost privacy, including a bill by Rep. Edward Markey (D-Mass.) that includes patient-consent requirements to protect privacy.
Regarding the Markey bill, McGraw said, "I think it's too much to be likely to move in this Congress. Again, there is a role for consent, but do we want to put into statutes that in all contexts, we want to have consent whenever we move data and then including a private right of action if they (covered entities) do it wrong?
"I wonder about the unintended consequences of those two provisions together," McGraw said. "On the other hand, there are things in Markey that we like. I know the intent behind it is very much appreciated, particularly when it is juxtaposed against other efforts where privacy isn't mentioned at all."
McGraw also serves on the AHIC Personalized Health Care Workgroup, which focuses on PHRs.
According to her biography on the Web site of the National Partnership for Women & Families, McGraw came to the not-for-profit organization after working as an associate on Medicare policy in the public policy group at the Washington law firm of Patton Boggs. She also has worked as an associate in the healthcare group at the law firm of Ropes & Gray, Boston. She was deputy legal counsel to former Massachusetts Gov. Paul Cellucci and Lt. Gov. Jane Swift, both Republicans, as an adviser on healthcare and economic development.
McGraw earned bachelor's degrees in journalism and English from the University of Maryland and a master's degree in law and a juris doctor degree from the Georgetown University Law Center where she was the executive editor of the Georgetown Law Journal. McGraw also received a master's degree in public health from the Johns Hopkins School of Hygiene and Public Health.