ONC's New Chief Privacy Officer: The Road AheadKathryn Marchesini Has the Experience. But Will She Have the Resources?
The Office of the National Coordinator for Health IT's new chief privacy officer, Kathryn Marchesini, has the experience and potential to play an important role in the Department of Health and Human Services' efforts privacy issues, regulatory experts say. But she could face an uphill climb if HHS fails to provide her with adequate resources.
Joy Pritts, former ONC chief privacy officer, tells Information Security Media Group that Marchesini is a strong pick for the job - but that she likely will face bureaucratic and funding challenges.
"Kathryn is knowledgeable, organized and results-driven," Pritts says, but she has "a tough road" ahead of her. "In spite of what HHS says, it is clear that privacy is not the department's top priority. HHS appears to be planning on eliminating the CPO office while at the same time starving OCR in the budget," she notes.
These combined actions would leave privacy efforts woefully understaffed and underfunded at a time when HHS is encouraging wider exchange of health information in a security-challenged environment."
In fact, HHS proposed fiscal 2018 budget had called for eliminating the ONC chief privacy office. However, that proposal met legislative resistance. "While HHS planned to eliminate the chief privacy officer's office, the position itself is created by statute" in the HITECH Act, notes privacy attorney Adam Greene of law firm Davis Wright Tremaine.
An ONC spokesman said during a Wednesday media briefing announcing Marchesini's appointment that HHS decided to retain the chief privacy officer post because "the leadership, the administration took another look at the requirements, the work that [ONC is] doing with OCR and what we're trying to do to achieve in [health IT] interoperability and usability - and privacy and security are still important pieces within that - and decided to fill the position, which is statutorily required - the chief privacy officer."
Seasoned Privacy Expert
In a memo sent to ONC staff - and provided to ISMG - ONC leader, Don Rucker, M.D., noted that Marchesini - an attorney - comes to the chief privacy officer position following a long tenure of working at HHS on privacy issues, including stints as ONC's deputy privacy director and acting chief privacy officer.
Marchesini "is a well-respected expert on the HIPAA rules from both the government and public sectors," Rucker writes in the memo.
"She brings to her new role a wealth of experience as a senior adviser and deputy director for privacy at ONC where she advised staff and stakeholders about privacy and security implications surrounding electronic health information, technology and health research. Most recently she has worked with the National Institutes of Health, and other federal agencies, to provide strategic direction and substantive expertise at the intersection of privacy and security law, technology, and healthcare."
Previously as deputy director for privacy, Marchesini led ONC's privacy team and helped with federal policy, guidance and education initiatives addressing emerging health IT privacy and security-related issues, Rucker notes. In 2014, she served as acting chief privacy officer.
Prior to joining HHS in 2010, Marchesini was a strategy and technology consultant at two global management consulting firms. She also previously held positions in state government and at an international clinical research organization.
Marchesini told reporters during the Wednesday media briefing that she expects "to be encouraging ONC to continue inspiring confidence and trust in health IT and health information exchange as the healthcare infrastructure evolves [and] ensuring that privacy and security of identifiable health information remains a key focus as ONC implements provisions of the 21st Century Cures Act."
In addition, Marchesini says she expects to work closely with ONC's sister agency at HHS - the Office for Civil Rights, as well as other HHS divisions, other federal agencies and nongovernment efforts "to modernize the health IT infrastructure to support the use of electronic health information for a multitude of sources and a variety of means and purposes, respecting consumer and patient perspectives while maintaining a coordinated approach to the privacy and security of identifiable health information."
Privacy attorney Deven McGraw, former deputy director of health information privacy at OCR who also held the ONC chief privacy officer role for about 10 months, says Marchesini is a good choice for the ONC job.
"She has deep HIPAA expertise and has close working relationships at both ONC and OCR - she actually did a detail at OCR during my tenure as deputy director," says McGraw, who now is chief regulatory officer at Ciitizen, a start-up health technology firm.
"In my view, the most important role for the chief privacy officer is helping to spot the privacy and security questions that arise as part of ONC's core work - promoting interoperability and usability of digital health information and digital health tools - and helping to figure out how to resolve those issues," McGraw says.
Often resolution of those issues will require coordination with other federal agencies - OCR in particular, but also the Federal Trade Commission and Food and Drug Administration, she adds.
"Those other agencies may have more authorities to resolve those issues - but may not fully be aware of them or understand the details and context," McGraw says. "It will be key for Kathryn to be both deeply involved with the policy and standards teams in order to understand ONC's core work - but also to interface regularly with federal partners to ensure privacy and security needs are addressed."
McGraw believes that Marchesini can step into her new role "quite naturally" given her background. "But taking that 'coordinator' role to heart is quite key - and in my view was a key reason why [former ONC chief privacy officers] Joy Pritts and Lucia Savage were both successful in the role," McGraw says.
"The job often involves convincing other agencies to focus on a particular privacy and security issue - and helping to ensure it gets addressed. Remember all of the joint guidance ONC and OCR did during my tenure? ONC identified the need for that guidance and actually picked up the pen and helped draft it - but ultimately OCR had to finalize drafts and actually produce the guidance, as the official word on HIPAA," she says. "It was a very productive partnership that I hope will continue - and certainly Kathryn has the right stuff to make that happen."
Looking ahead, McGraw says she hopes the HHS agencies will continue "to focus on how to get data to patients more quickly, efficiently and cheaply - making sure that individuals can easily leverage their HIPAA right of access through technology."
Greene says he sees ONC's chief privacy officer's duties as an important complement to the work of OCR. OCR's role is enforcing HIPAA's privacy and security provisions, he notes. "In contrast, ONC's role is promoting health IT, and the chief privacy officer is an important voice in ensuring that privacy and security efforts are an integral part of the promotion of health IT," says Greene, a former senior adviser at OCR who worked with Marchesini at HHS.
Among challenges Marchesini will face as ONC chief privacy officer will be "ensuring privacy and security are part of interoperability efforts," Greene predicts. "This involves safeguarding privacy and security while ensuring that it does not stand as an unreasonable obstacle to greater information exchange. Similarly, another option will be helping to draw the line between what is information blocking and what is protecting patient privacy and security. For example, is it information blocking to not share information with a third party if there are valid concerns about the third party's privacy or security practices?"
A great choice following in a short but incredibly impressive line. https://t.co/01k71D2uxK— Kirk J. Nahra (work) (@KirkJNahrawork) January 10, 2018
Long or Short Leash?
Privacy attorney Kirk Nahra of the law firm Wiley Rein says the main challenge Marchesini will face will be the amount of latitude she's given.
"The role hasn't necessarily been very well defined," he says. "Lucia Savage, in particular, made it into a broader policymaking role on privacy generally - often in support, I suspect, of things OCR wanted to do but couldn't. It will certainly be interesting to watch whether Marchesini will try to continue this broader role - and will be allowed to, even if she wants to.
"The major challenge will be to try and make a difference. They can issue rules and binding authority in their relatively narrow lane, and can try to influence behavior on a broader level, but the primary impediment for both ONC and OCR is that there is no legislative authority for substantial changes to the scope of the privacy rules to cover the broad range of information being gathered outside the current HIPAA structure," Nahra says.
"It's an interesting issue - unlike many areas of regulation there is no industry push to get rid of existing rules. At the same time, there is little indication that the administration or Congress has an appetite for developing a new privacy framework to address a very expanded healthcare environment."