The Office of the National Coordinator for Health Information Technology will eliminate its Office of the Chief Privacy Officer next year as ONC shifts priorities and attempts to become a leaner and more accountable agency.
Deven McGraw, deputy director for health information privacy at the Department of Health and Human Service’s Office for Civil Rights, has been serving as ONC’s Acting Chief Privacy Officer since Lucia Savage’s departure in January. However, McGraw’s days at ONC are numbered with no plans for a permanent replacement.
The Chief Privacy Officer position is charged with, among other activities, ensuring that privacy and security standards are addressed in a consistent manner to better protect private health data, as well as advising the National Coordinator for HIT on electronic health information privacy and security policies.
ONC’s Fiscal Year 2018 budget justification states that it will “continue to efficiently lead the U.S. government’s efforts to ensure that electronic health information is available and can be shared safely and securely to improve the health and care of all Americans and their communities.” However, the document released in May also states that the agency will “close out” the Office of the Chief Privacy Officer in FY 2018.
When asked last week during a press conference whether ONC needs a dedicated office for privacy and security, National Coordinator for HIT Donald Rucker, MD, said that HHS “already on some level” has those capabilities in the Office for Civil Rights. Nonetheless, Rucker added that privacy and security are “implicit in every single thing that we do” at ONC.
HIPAA regulations are enforced by the HHS Office for Civil Rights to provide nationwide privacy, security and breach notifications for health information accessed, used, disclosed or held by covered entities and their business associates. However, some providers have been known to cite the HIPAA privacy rule as a reason for denying the exchange of electronic protected health information for treatment purposes.
ONC has been working with OCR to improve stakeholder understanding of the HIPAA rules related to information sharing.
“Key components of the (Chief Privacy Officer’s) work involves changing the industry’s understanding of HIPAA by showing how HIPAA and other privacy rules support rather than impede information flow in an electronic environment; developing and supporting approaches that assure, information shared electronically is kept secure,” according to ONC’s FY18 budget justification.
Rucker said that his agency is in “early discussions” with OCR on “how to parcel out these different tasks” from the Office of the Chief Privacy Officer, given that HIPAA is a “misunderstood piece of legislation” at the provider level.
He added that clarifying “what’s covered and what’s not covered” under HIPAA is critical going forward to remove obstacles to information sharing. “Patients have an electronic right to their record under HIPAA for anybody who has electronically generated that record,” Rucker emphasized.