Privacy lawyer Deven McGraw will move onto the federal payroll this month as a top privacy and security enforcement officer. She's been named deputy director of the health information privacy division at HHS' Office for Civil Rights. In this role, McGraw will lead OCR's policy and enforcement on HIPAA.
For nearly a decade, she offered free advice to federal health information technology policymakers at HHS.
McGraw replaces Susan McAndrew, who retired in May 2014. Christina Heide, a senior adviser for policy, has been acting as division head in the interim.
“Ms. McGraw is a nationally recognized expert known for her strategic leadership and substantive policy expertise in the areas of health privacy and security,” said Office for Civil Rights Director Jocelyn Samuels. “We are thrilled that Deven will be joining OCR's leadership team in this important position.”
The division is charged with enforcing privacy, security and breach notification regulations under the Health Insurance Portability and Accountability Act. This includes maintaining the “wall of shame” website for major healthcare data breaches.
McGraw is well-known to the health IT community. She served during the administrations of presidents George W. Bush and Barack Obama as a privacy and security adviser to the Office of the National Coordinator for Health Information Technology at HHS.
She declined a request to be interviewed prior to meeting with her new staff.
Privacy advocate Dr. Deborah Peel, founder of the not-for-profit Patient Privacy Rights Foundation, Austin, Texas, has both collaborated and bumped heads with McGraw for years.
“I frankly find this very disturbing that the current administration of HHS is intent on placing industry representatives in top privacy positions,” Peel said, noting last fall HHS named Lucia Savage, the former senior associate general counsel for health insurance giant UnitedHealthcare, Minnetonka, Minn., to replace Joy Pritts as chief privacy officer. Peel also points to McGraw's own "pro-business" work at Manatt and earlier at the Center for Democracy & Technology, which is partly funded by technology firms.
Peel said she has been at loggerheads with McGraw over the role of patient consent in the disclosure and sharing of their health information, particularly for treatment, payment and “other healthcare operations,” or TPO.
An HHS revision of the HIPAA rule in 2002 removed the consent requirement for these common disclosures. Peel said she sees McGraw's work on the various privacy committees as supportive of HHS' position on consent, which is also favored by the multibillion-dollar healthcare data-mining industry.
“We define what we mean by privacy, which is the right of individuals to control their sensitive healthcare information,” Peel said. When it comes to the role of patient consent, “we see things entirely differently,” she said.
Others say McGraw will do fine.
“I think she's going to bring a fresh perspective” to the civil rights office, said Pritts, also a privacy lawyer and the ONC's first chief privacy officer, serving 4½ years through mid-2014. “She's been working with the private sector in various capacities for several years now, first with CDT then with Manatt. So she's heard where the pain points are in addressing privacy in a practical matter. She sees it as an opportunity to make a big impact.”
Pritts said her office worked closely with the Office for Civil Rights, which enforces the federal HIPAA privacy and security rules, as well as with the Substance Abuse and Mental Health Services Administration, which has primary jurisdiction over 42 CFR Part 2, a federal privacy law more stringent than HIPAA affecting the privacy of patient records of federally funded providers of drug and alcohol use treatment programs. McGraw can hit the ground running with these agencies, Pritts said. “She knows a lot of those people.”
Asked if she had any advice for McGraw in her new post, Pritts said, “Be strong.”
Dr. Paul Tang, vice president and chief innovation and technology officer at the Palo Alto (Calif.) Medical Foundation, also serves as vice chairman of the Health IT Policy Committee.
"We provide advice, but the government still has to do the heavy lifting of weighing the advice, writing rules and implementing them,” Tang said. “The government will be benefit from having her inside the agency.”