Deven McGraw is the new chief regulatory officer at Ciitizen, a new health care company aiming to create a more effective personal health record tool for sick patients. A leading privacy advocate for many years, McGraw recently completed her service as the deputy director for health information privacy at the Office for Civil Rights in the U.S. Department of Health & Human Services, the primary enforcement agency for the HIPAA Privacy and Security Rules. In this Q&A, Kirk Nahra, CIPP/US, chair of the IAPP’s Publications Advisory Board and a partner at Wiley Rein in Washington, D.C., recently interviewed McGraw to discuss her guidance to regulated entities and her thoughts about the future in health care privacy.
The Privacy Advisor: How did your experience at OCR match up with your expectations when you took the job?
McGraw: At the surface level, the actual experience of the job at OCR matched my expectations. The things I was told to expect (or that I intuitively knew to expect) were all present in the job — i.e., it’s often hard to get something done within a large government bureaucracy, career staff need to have the buy-in of political staff on any particular initiative, and the resources it would take to do the ideal job (all or most of what you want to try to accomplish) far surpass the resources you actually have.
What was surprising was the degree to which all of these were true. I don’t think I really understood how hard it would be to work within a bureaucracy until I actually had to do it — and then had to adjust when a new administration took the helm, as it did things differently. Every initiative, no matter how well intended, is like pushing a gigantic boulder up a hill, and the battle actually gets harder the closer you get to the top. Additional decision makers within the federal government have their own ideas about how to accomplish what you’re doing (although without the firsthand knowledge of your regulations or your programs), and you need to get on the phone with them (often itself a challenging task), understand their idea, and then either make adjustments to accommodate them (which often starts the approval process all over again) or successfully explain to them why their idea won’t work, or may be a good idea but isn’t well-timed. It is painstaking work, requires a lot of patience and dedication to the outcome, and is without any guarantee of success, because if someone’s approval is needed, but your project is not a priority for them, it can hold you up for months, if not years.
The lack of resources to do the job well is another ever-present issue. OCR’s budget has been flat for years, and while the office benefits from being able to spend HIPAA settlements and civil monetary penalties on HIPAA enforcement, that money is not guaranteed, so it is hard to build it into the budget to meet long-term staffing needs. I also wish it were easier for individuals in government to get experience in the private sector that would help inform their work but without necessarily “losing their place” in federal government. It’s harder for law enforcement agencies to do that, because of the conflicts of interest that can occur on both ends.
The Privacy Advisor: What was the biggest surprise about the job?
McGraw: Just how much the stakeholders enjoyed talking with us, hearing from us, understanding more about what our expectations are. I think I thought the reception would be much more hostile than it was. Perhaps people were hostile in private and not to my face. And I get that, but in general, I was always pleasantly surprised at just how receptive people were to meeting with us and/or hearing from us.
The Privacy Advisor: Is there anything that you weren’t able to finish that you really wanted to get done?
McGraw: I really wanted to do more guidance on the right of access and be able to enforce it more aggressively. It was hard because OCR’s Regional Offices were already robustly enforcing HIPAA, but focusing aggressively on improving health-information security, which is another critical area. The access cases could often be addressed by a phone call to the entity to “remind them” of their obligations, but I’m not sure that resolving cases this way, while expeditious for the individual, helps send a message to industry that OCR is serious about enforcing these provisions (because they don’t grab headlines). Investigating complaints or data breaches is hard work and takes considerable time. Consequently, it is not always easy to add additional enforcement priorities, particularly without a significant injection of additional expertise. We also lost people to the private sector, because once they learned HIPAA, well, they were incredibly marketable and could earn much more than we could pay them. Recruiting and retaining top talent in the federal government has always been a challenge, and I think that continues to be the case.
The Privacy Advisor: What were your biggest challenges at OCR?
McGraw: Ah, recruiting and retaining top talent! For the most part, people are attracted to government because they want to serve the public. But if the frustrations of doing your job start to pile up and overwhelm the benefits, you’re going to look elsewhere. Also, the HR rules in the federal government either are Byzantine or get interpreted in ways that create unbelievable constraints in terms of bringing in top talent and then promoting them once you get them in the door. Just to give you an example, if a person was hired at a certain level and then should be promoted, sometimes they can’t be, just based on their merits. The agency needs a specific slot at the new level, and then there are additional posting requirements, even for an internal promotion. Or, we might post an opening for a certain type of position, say a HIPAA policy analyst. We might get lots of resumes, but they might be from people like someone with medical records clerk experience but no real policy-analysis skills, and we would then have to explain to the personnel folks why this wasn’t really the right fit. It just made the hiring process even more challenging than usual.
The Privacy Advisor: How do you think covered entities are generally doing at protecting the privacy and security of patient information?
McGraw: In general, I think many covered entities have focused a lot on compliance with the Privacy Rule, erring almost toward “over-interpretation” of the rules due to fear of being found out of compliance with HIPAA. However, on the Security Rule, it is astonishing just how badly out of compliance a number of covered entities are, even large ones with greater resources to spend on compliance. Of course, there are exceptions: covered entities with mature CIOs, who understand that the risk assessment is where security starts, who pay attention to the needs across the enterprise, and who are both implementing security safeguards in order to address and manage the risks they have identified and documenting what they are doing. But time and time again, we saw covered entities during our breach investigations (including a number of large ones) who pulled out HIPAA Security Rule checklists when we asked for their risk assessments, or weren’t able to produce anything at all within the six-year look-back period.
They are also not focusing enough on ensuring individuals have seamless access to their health information. But I’m increasingly convinced that achieving seamless access by patients is going to require cultural change. HIPAA compliance helps but is only going to move the ball so far.
The Privacy Advisor: How about business associates?
McGraw: For business associates, there seems to be a big difference between larger, mature health care companies — who seemed to understand their HIPAA obligations and were generally as good as a covered entity in achieving compliance with them — and smaller companies, or ones that were new to health care, who often didn’t even realize they had BA obligations (or were still reluctant to admit they had them).
The Privacy Advisor: Any particular weaknesses that you see from the industry generally on privacy and security?
McGraw: Security is a gigantic weakness across the board, and again, some doing it right but far too many leaving obvious vulnerabilities unaddressed.
And over-interpretation of the Privacy Rule continues to be a problem. The point of privacy rules is not to bottle up data so it can never be used. But sometimes I feel like organizations (perhaps led by “diligent” compliance officers) feel like their job is to gum up the machinery. Health care organizations should take due care with the information they steward, but making good (and yet still responsible) use of that information should be part of their commitment to patients. The concept of data utility is built into the DNA of the HIPAA Rules, but it is far too often ignored.
The Privacy Advisor: What advice would you give to your successor?
McGraw: Keep well connected to the stakeholders. It will help you give them the kind of guidance that improves compliance, and in your darkest, bureaucracy-filled days, their success stories (and they do exist out there) will help keep you optimistic and dedicated to the mission. Also, cultivate other feds within HHS and across the federal government. You never know when you might need someone to help you get an initiative over that final approval hurdle, or they might have a piece of advice that will help you eliminate a particularly sticky obstacle. And along those same lines, keep an eye open for how you can leverage other governmental priorities to advance a particular initiative that you have on your list. There’s nothing that greases the wheels better than alignment of priorities across multiple government agencies.
The Privacy Advisor: Tell us a little bit about your new role. Why did you take it and what is the company hoping to do?
McGraw: I am the chief regulatory officer at Ciitizen. We are aiming to create a personal health record tool for sick patients, starting with cancer. Getting patients their health information, in a frictionless way, has been a dream of mine for many years. I wanted to make the HIPAA right of access a priority when I was at OCR, and I was fortunate to be able to do that. I took this position so I could go the next mile for patients and actually make access happen, in a way that largely isn’t the case today. Other companies are working on this, too, and we applaud them. Ultimately, the culture change that will put the patient at the center of health-information exchange will take an army knocking persistently at the doors. We will be part of that army.