Deven McGraw Leaves HHS; What's Next for Privacy Efforts?Longtime Consumer Advocate Joining Silicon Valley Start-Up Firm
Longtime privacy advocate Deven McGraw has left her positions leading health information privacy efforts at the Department of Health and Human Services.
She had served deputy director of health information privacy at the HHS Office for Civil Rights, where she helped oversee HIPAA enforcement since 2015. Since January, she also served as chief privacy officer at the HHS Office of the National Coordinator for Health IT.
The privacy attorney's last day at HHS was Oct. 19. McGraw tells Information Security Media Group she'll join a start-up technology firm in Silicon Valley next week, where she'll serve as chief regulatory officer but will also likely wear other hats.
"The company was formed about a month ago; it's very small," she says. The focus of the start-up is "empowering consumers" with their healthcare, she adds, declining to identify the company.
"I had the good fortune to work on [developing] the individuals' right to access [health information] under HIPAA guidance" that OCR issued in 2016, she says. "This is near and dear to my heart - a role helping consumers exercising that access right," she says about her new job.
Iliana Peters, who had been OCR senior adviser for HIPAA compliance and enforcement, has been named acting deputy director of health information privacy, to at least temporarily replace McGraw in that role. Peters will be a speaker at ISMG's upcoming Healthcare Security Summit in New York Nov. 14-15.
Privacy attorney David Holtzman, vice president of compliance at security consulting firm Cynergistek, says Peters is a good pick to replace McGraw. "Iliana knows the HIPAA Rules inside and out. More importantly, she has earned the respect of the OCR staff and leadership for her even keeled approach to managing staff and collaborating with OCR's regional offices."
Enforcement 'Flurry, Lull'
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says McGraw's most significant contributions at HHS "included an emphasis on patient rights, as most clearly evidenced by the guidance on individuals' right of access; helping to preside over larger and more frequent financial settlements and fines [for HIPAA noncompliance]; and frequent outreach to covered entities and business associates in which she was incredibly transparent about OCR's priorities and limitations and interested in obtaining feedback from the regulated community."
During her time at OCR, while working with former OCR Director Jocelyn Samuels under the Obama administration, HIPAA enforcement activities at the agency spiked.
That included the rollout of phase 2 HIPAA audits. After a busy 2016 - and into early 2017, with new HIPAA enforcement settlements with healthcare sector entities being announced by OCR on an almost monthly basis, that activity has died down significantly in the last six months.
OCR's most recent HIPAA settlement - with St. Luke's-Roosevelt Hospital Center - was issued in May. The New York-based hospital agreed to pay $387,000 and implement a corrective action plan to settle a case involving what OCR says was "careless handling of HIV information" for two patients (see Big Settlement in Privacy Case Involving 2 Patients, HIV Data).
But McGraw cautions against reading too much into the recent lull in settlement activity at OCR. "It always takes a lot of time from when OCR launches a HIPAA investigation and reaches a settlement or [issues] a civil monetary penalty," she says. "There was a flurry of these cases, but now there's a lull; that's no indication of the seriousness of enforcement. It always takes a new director some time to get acclimated," she says referring to Roger Severino, who the Trump administration named as OCR director in March.
"That's what's happening now. But that's no indication that OCR isn't full speed ahead with enforcement and guidance," she says, noting that OCR issued new HIPAA guidance last week related to information sharing to help address the opioid crisis.
Holtzman predicts OCR's enforcement activity could pick up again - in terms of what the public sees - soon. "While there have not been recent settlements involving formal resolution agreements involving the payment of a penalty and supervised corrective action plan, it is thought that there are several cases in which such agreements are under negotiation with OCR."
McGraw took on the additional role in January of acting chief privacy officer at sister HHS agency ONC following the departure of Lucia Savage.
But the future of the chief privacy officer role at ONC is still "undetermined," an ONC spokesman says. In July, ONC leader Don Rucker, M.D., said that the agency would be phasing out the office of chief privacy officer, but McGraw says that the position was created by the HITECH Act, so Congressional action is likely needed to officially phase out that role.
"The administration is focused on implementing the 21st Century Cures Act and, as part of that, working with OCR to make sure that privacy and security remain important parts of the health IT certification process," the ONC spokesman says.
Prior to joining HHS, McGraw was a partner in the healthcare practice of Manatt, Phelps & Phillips. Earlier, she served as the director of the health privacy project at the Center for Democracy & Technology, a consumer advocacy group, and as the chief operating officer at the National Partnership for Women & Families.
For several years while working in the private sector, McGraw served as a federal adviser, serving as chair of the Health IT Policy Committee's privacy and security "tiger team," which hammered out policies for ONC related to electronic health records under the HITECH Act.
Change the Course?
Some privacy experts say that while McGraw brought a lot of privacy-related work experience and perspective to the OCR role, the direction of OCR's HIPAA enforcement activities aren't likely to dramatically change.
"Deven was the perfect kind of regulator. She had a complete and integrated knowledge of all of the relevant rules, as well as why they were put in place and what the goals were," says privacy attorney Kirk Nahra of the law firm Wiley Rein LLP. "She was a determined protector of individual rights and protecting the privacy interests of patients. At the same time, she also understood and applied the broader goals of an effective healthcare system. Companies knew that Deven was prepared to listen, and that her conclusions would be fair."
Still, there are "certainly many capable, thoughtful and effective people still left at OCR," he adds. "I don't have any reason to think that her departure will have any meaningful impact on the enforcement approach of that office. The general approach has been in place since the beginning of HIPAA - it isn't an office that tries to nail a company just because something didn't go right. They fix, educate, guide, mitigate and generally try to separate those entities who are trying to do the right thing and fix their problems from those who don't."
Nahra says he'd be surprised if there is any meaningful decrease in HIPAA enforcement activities at HHS "unless there are significant budget cuts that really reduce staff. That is of course a real possibility - but that would reflect staffing rather than a change in philosophy."