Lucia Savage brings to her new job as chief privacy officer at HHS' Office of the National Coordinator for Health Information Technology an extensive background in healthcare business privacy law and health information exchange, particularly from the perspective of health insurance benefits administration.
When it comes to healthcare information privacy, Savage said she'll be looking for “the right balance of rules between our need as a society to have better information,” to keep costs under control and provide better care for individuals and populations “and protect their privacy.”
In studying some of the privacy laws passed before the advent of health IT, “I'm really interested in asking why,” Savage said. “We can look at a lot of the privacy rules we have and ask, 'Why they were enacted?' Have we (since) solved the problem that was addressed when they were enacted in some other way? We have to convene people and listen to the experts and use our expertise internally and help the executive branch sort things out.”
Savage's resume does not include a great deal of direct advocacy for individual patients' privacy rights. However, in an interview, Savage said she first became interested in healthcare privacy issues as the in-house benefits attorney for Stanford University, where she worked from 1995 through 2003, and particularly after the Health Insurance Portability and Accountability Act passed in 1996.
After leaving Stanford, Savage served as general counsel for the Pacific Business Group on Health, doubling as general counsel to the executive team that oversaw California's Pacific Health Advantage program. PacAdvantage was one of a number of health insurance exchanges established nationwide.
“I did a lot of very technical and legal work under HIPAA,” for PBGH and the exchange, Savage said.
The exchange limited its efforts to providing affordable health insurance for small firms with from two to 50 workers. When PacAdvantage folded at the end of 2006, Savage stayed on at PBGH for another year and then went to United Healthcare.
Savage, a 52-year-old graduate of New York University School of Law, most recently served as senior associate general counsel for the health insurance giant, where she's worked since 2008. She was named ONC's chief privacy officer on Oct. 14 and took her post on Oct. 20.
At UnitedHealthcare, the health insurance arm of UnitedHealth Group, Savage said, she had “a very specific portfolio,” helping draft contracts and legislative policy, particularly in regards to United's interactions with the nation's burgeoning health information exchange capabilities, even before passage of the American Recovery and Reinvestment Act of 2009, which allocated hundreds of millions of dollars to promote HIEs.
We cut our teeth on CalRHIO,” Savage said. The California Regional Health Information Organization is now defunct.
“We did somewhat similar work within the company,” with so-called big data, she said. “And then HITECH (the health information technology section of the federal stimulus law) came along and our work just exploded.”
Savage did not work directly with Ingenix, or OptumInsight, as it was later renamed, she said. Ingenix was UnitedHealth Group's once-troubled data mining and health IT business unit.
In addition, Savage said she has personal ties to the benefits of health IT. Her mother, who has multiple medical issues, has been a beneficiary of a healthcare provider organization that has interoperable electronic health records.
“I was a supporter of her healthcare for years and I've watched that system not only keep her alive but also improve her health,” Savage said. “I'd like to see everybody have that.”
Dealing with health IT and privacy means striking a balance between organizational needs for patient data, the appetite for data among researchers that “appears to be unlimited” and patients' rights, Savage said. “A major function I hope to accomplish is looking at the complete picture.”
The new privacy chief is married to Mark Savage, also a lawyer, and the director of health information technology policy and programs at the not-for-profit National Partnership for Women & Families. He is also a member of the ONC-run Health IT Policy Committee's consumer empowerment workgroup.
Savage replaces HHS' first chief privacy officer, Joy Pritts, who announced in June her plans to step down after four and a half years in office. Pritts left the post on July 12.
In contrast to Savage, Pritts came to the job with a long track record in patient privacy advocacy, having served at the Health Privacy Project at Georgetown University, and later as an assistant research professor at Georgetown's Health Policy Institute, where she wrote and spoke on patient privacy rights in the U.S. and abroad.
In a memo to her staff announcing the appointment, ONC Chief Dr. Karen DeSalvo praised Savage for her “rich experiences at the intersection of health information, privacy and modernizing the health care delivery system,” noting her “stellar qualifications” and “passion for health IT in this nation and our work.”
DeSalvo expressed confidence that Savage “will bring her wealth of experience to advance critical privacy and security policies in health IT development and implementation.”
ONC spokesman Peter Ashkenaz, in a written statement, said candidates for the ONC vacancy “were identified through professional networks and recommendations” and “(a) number of candidates were interviewed and reviewed based on their professional background and experience.”
Ultimately, HHS leadership, he said, “made a collaborative decision to select Lucia because of her exemplary work and understanding of the issues, as well as her ability to work across organizational structures.”
The position is part of the ONC, but the chief privacy officer has broader national and international responsibilities, serving, in effect, as the nation's healthcare chief patient privacy advisor.
On the technological capabilities—and the growing pressure—to afford patients more control over the movement of their medical information, Savage said she agrees with the recommendations of the federally chartered Health Information Technology Policy Committee's privacy and security tiger team, that technology alone isn't enough.
“I'm very much with the 2012 tiger team recommendation,” Savage said. “I think consent is important, but with the size of the American population, that may not always be possible. We have to have rules where people have confidence about the use of their data even if they do nothing.”
The President's Counsel of Advisors on Science and Technology in 2010, and a group of scientists known as JASON, have recommended an overhaul of the nation's health IT information exchange infrastructure, moving to a system based more on Internet principles, using data tags to both facilitate research and provide individuals with the technical means to lock their records and prohibit their exchange for secondary uses without their consent.
“I've read PCAST and I've read JASON,” Savage said. “I think it's architecturally possible to do that from a technical standpoint, but one of the problems we have is the variation in (privacy) rules across state lines,” an issue, side-stepped by HIPAA, that's proved intractable thus far.
Follow Joseph Conn on Twitter: @MHJConn