ONC picks Marchesini to be chief privacy officer
The Office of the National Coordinator for Health Information Technology has named Kathryn Marchesini to serve as ONC’s chief privacy officer.
Marchesini, who joined the Department of Health and Human Services in 2010, has been serving in a number of capacities at ONC, including acting chief privacy officer and deputy director for privacy, where she led ONC’s privacy team and helped with federal policy, guidance and education initiatives addressing emerging health IT privacy and security-related issues.
The chief privacy officer at ONC is charged with, among other activities, ensuring that privacy and security standards are addressed in a consistent manner to better protect private health data, as well as advising the national coordinator for health information technology on electronic health information privacy and security policies.
National Coordinator for HIT Donald Rucker, MD, sent an email to ONC staff on Wednesday informing them of Marchesini’s selection for the position.
“Kathryn is a well-respected expert on the HIPAA rules from both the government and public sectors,” Rucker wrote. “She brings to her new role a wealth of experience as a senior advisor and deputy director for privacy at ONC where she advised staff and stakeholders about privacy and security implications surrounding electronic health information, technology and health research. Most recently she has worked with the National Institutes of Health and other federal agencies to provide strategic direction and substantive expertise at the intersection of privacy and security law, technology and healthcare.”
On Wednesday, Marchesini said ONC has a “laser focus” in its priorities, particularly as the agency looks to implement provisions of the 21st Century Cures Act.
“We will zone in on some of the areas we’ve been looking long and hard at,” said Marchesini, including seeking to “continue to address uncertainties around the overall interplay of privacy and security of identifiable health information with respect to access, purposes and various stakeholder uses of that.”
Marchesini added that in her role as chief privacy officer she will encourage ONC to “continue inspiring confidence in health IT, electronic health information exchange, as the healthcare infrastructure evolves.”
Last year, ONC had announced its intention to eliminate the Office of the Chief Privacy Officer in 2018 because of shifting priorities and an attempt to become a leaner and more accountable agency. At the time, Rucker said there was no need for a dedicated office for privacy and security in ONC given that HHS “already on some level” had those capabilities in the Office for Civil Rights.
However, in a policy reversal, ONC changed course with the Marchesini selection and decided to retain the position.
“The leadership in the Administration took another look at the requirements, the work that we were doing with OCR, and what we’re doing to achieve interoperability and usability—and privacy and security are still important pieces within that, and felt that it would be important to fill the position that’s statutorily required of the chief privacy officer,” said an ONC spokesperson explaining the reversal.
Lucia Savage previously served as ONC’s chief privacy officer in the Obama administration. She left the position in January 2017 to join digital behavioral medicine vendor Omada Health as its chief privacy and regulatory officer.
“Kathryn has many years’ experience in the Office of the Chief Privacy Officer and knows HIPAA thoroughly,” said Savage in a written statement. “I am sure she will serve the National Coordinator well.”
Deven McGraw, who served as the agency’s acting chief privacy officer and left HHS in October to join startup Ciitizen as its chief regulatory officer, was similarly positive about Marchesini being named to the position.
“I think this is a terrific pick,” said McGraw, who in addition to her ONC duties had previously served as deputy director of health information privacy at OCR. “Kathryn has deep experience in privacy and security, and close relationships with staff at both ONC and OCR, which will help assure the important coordination between those two offices.”
HIPAA is enforced by OCR to provide nationwide privacy, security and breach notifications for health information accessed, used, disclosed or held by covered entities and their business associates. “Key components of the (chief privacy officer’s) work involves changing the industry’s understanding of HIPAA by showing how HIPAA and other privacy rules support rather than impede information flow in an electronic environment; developing and supporting approaches that assure information shared electronically is kept secure,” according to ONC’s FY18 budget justification.
McGraw added that OCR “has all of the authority to enforce privacy and security regulation but ONC plays an important role in working with stakeholders to understand their privacy and security issues and needs—for example, what questions do they have about how to comply with HIPAA that create potential obstacles to interoperability” and “having someone in this position that can work closely with both offices is key and Kathryn has worked in both places and has the deep respect of both offices.”