ONC's Pritts says feds have put more muscle behind privacy protection

When Joy Pritts steps down this month after 4½ years as the first chief privacy officer at the Office of the National Coordinator for Health Information Technology at HHS, she'll leave convinced the feds have put extra oomph into privacy protection.

Pritts gave her notice last month. Her last day is July 12.

Pritts said she came into office with a list of things to do and, looking back, accomplished quite a few of them. The highlight achievement of her tenure, she said, was to see “the change in the tone of the discussion around privacy and security.”

“I think that it has long been voiced that it is a priority,” she said, but the feds are “putting our muscle behind it now.”

“When the Affordable Care Act comes out, and there are paragraphs about privacy and security in health information exchange organizations, you think that's not an accomplishment? We do.”

She also pointed to inclusion of a strong privacy statement in HHS' overall strategic plan. It says, in part, “The success of health IT and eHIE is dependent on patients' trust that their health information will be kept private and secure and that their rights with respect to this information will be respected.”

“We've definitely and concretely put health information exchange on a path where people will no longer be able to argue that it is impossible to share information that requires special treatment,” she said.

It was a reference to years of behind-the-scenes work at ONC and with private-sector participants developing and pilot testing standards for tagging and exchanging medical records containing particularly sensitive—and legally constrained—information, such as the medical records of patients at drug and alcohol abuse treatment centers.

ONC and HHS have worked together to afford patients with direct access to their lab results, culminating in a rule issued in February amending the Clinical Laboratory Improvement Act and trumping regulations in 13 states.

“One of the most important pieces of information for patients is the results of their lab tests,” Pritts said. “People will now get access to those results directly from their labs.”

Pritts also pointed to a communication strategy for health data security. “It's a team effort here. We say everyone is responsible for security of health information, including the vendors. We, through certification criteria (under the federal EHR incentive payment program) have encouraged vendors to build in more security into their products.”

Also included in providers' meaningful-use criteria under the program is a requirement that providers must attest that they have conducted a data security risk assessment. It was already a requirement under the Health Insurance Portability and Accountability Act that providers conduct risk assessments, but it wasn't getting done, Pritts noted.

“We could tell by looking at the breach reports, it was one of the areas that really needed to be addressed,” she said.

Providers must inform the Office for Civil Rights at HHS of health data breaches, one of numerous privacy and security requirements of the HITECH provisions of the American Recovery and Reinvestment Act of 2009, which also created the chief privacy officer position.

By adding a risk assessment attestation requirement to the meaningful criteria, the feds reinforced, and highlighted, that it needed to be done.

“If you draft a reg, you've done part of your job,” Pritts said. “It's also part of the government's job to communicate that out to the stakeholders.”

Pritts was a privacy lawyer and associate professor at the Georgetown University Health Policy Institute on Feb. 18, 2010 when she named ONC's first chief privacy officer.

For many privacy advocates, patient consent—that is, the ability of a patient to control the exchange or use of his or her medical records—is the sine qua non of privacy.

Consent is one of the five totemic Fair Information Practices Principles of 1973 on which many privacy rules around the world are based. Consent is the definition of privacy according to a report by the National Center for Vital and Health Statistics that studied healthcare information privacy in the digital age and made recommendations about it to HHS. Patient consent would have been required for disclosure of patient information for treatment, payment and other healthcare operations had the initial final privacy rule under the HIPAA gone into effect. That rule was pre-empted by HHS in 2002, replacing consent with HHS's authorization to disclose patient information without consent for those uses.

Since then, the restoration of patient consent has been a key objective in a trench war fought by privacy advocates. The latest battle ground over consent is the federal rule governing the records of many drug and alcohol abuse patients called 42 CFR Part 2. More stringent that HIPAA, it requires a patient's prior consent be given before their treatment records are disclosed, even for treatment or payment.

ONC—with Pritts' involvement—oversaw multiple pilot programs to test various policies and technologies for consent management of these treatment records as well as other sensitive information similarly impacted by state privacy laws.

The most important lesson learned from the pilots, Pritts said, was “that is possible for a behavioral healthcare provider to disclose information in accordance with 42 CFR Part 2. They can do it.”

In a 2007 interview, after completing a report on privacy laws and practices in several foreign countries, Pritts said, "We in the U.S. like to think that we are the foundation of democracy, and you look at other countries and they give their patients a lot more choice, from a policy angle." In the seven years since, Pritts said, the U.S. has moved to close the choice gap.

“In some ways, we the United States have leapfrogged other countries with respect to privacy. We have a breach notification requirement that is unparalleled. Our definition of what is de-identified is clearer than I've seen in any (other) statute. Enforcement wise, I don't think you'd see any other country that is more stringent that what is coming out of Office for Civil Rights. A lot of countries talk the talk but they don't walk the walk.”

So, what's next for Pritts?

“I plan to take a nice, long vacation,” Pritts said, then look for something else. “It's impossible to look for another position while I'm still here and still working, and I am still working. here is a whole lot going on, and I'm sure I'm going to be doing something fun.”

Follow Joseph Conn on Twitter: @MHJConn