HIPAA/HITECH , Standards, Regulations & Compliance

Privacy Advocate Deven McGraw Joins OCR

Will Spearhead Agency's HIPAA Enforcement Efforts
Privacy Advocate Deven McGraw Joins OCR
Deven McGraw

Well-known health data privacy expert and federal adviser Deven McGraw is joining the Department of Health and Human Services' Office for Civil Rights as its new deputy director for health information privacy.

See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources

McGraw, an attorney, will join OCR on June 29. She's currently a partner at Manatt, Phelps & Phillips LLP, where she co-chairs the law firm's privacy and data security practice.

In a statement, OCR says McGraw will spearhead the agency's policy, enforcement, and outreach efforts on the HIPAA privacy, security and breach notification rules, as well as lead OCR's work on presidential and departmental priorities on health privacy and security.

OCR's previous deputy director for health information privacy, Susan McAndrew, retired in 2014 (see HIPAA Enforcement Leadership Changes).

McGraw tells Information Security Media Group that she decided to join OCR to help the agency evolve in its efforts to help ensure health data privacy. "I am passionate about health privacy and security - and about responsibly leveraging health data to achieve gains in individual and population health - so I jumped at the opportunity to be part of a great team at the epicenter of U.S. health privacy policy," she says.

Among its other activities, OCR is trying to launch its long-delayed phase two of its random HIPAA compliance audit program. The agency acknowledged recently that it has begun sending pre-audit surveys to hundreds of covered entities and business associates (see HIPAA Audits: Getting Ready). However, the agency has been tight-lipped on when it plans to begin the actual audits and how they'll be conducted.

A Good Fit

Security expert Mac McMillan, CEO of the consulting firm CynergisTek, says McGraw is a good fit for OCR. "Deven is an excellent pick for this position," he says. "She has both the public and private sector experience, an excellent grasp of the issues and a demonstrated passion for doing what's right."

McMillian is hopeful that McGraw "will be able to bring her objectivity to evaluate how OCR is handling its enforcement and guidance responsibilities. There is no doubt that effective oversight causes organizations to be more responsible. Part of being effective is being credible. Deven has a reputation for being just that, so, hopefully, she will be able to [leverage] that in her review and leadership of what OCR does to promote compliance, like its audit program."

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine, who previously was on the OCR staff, says he's hopeful that McGraw can help resource-squeezed OCR deal with the evolving cyberthreat landscape, which has become far more complex since the HIPAA privacy and security rules were first written.

"I hope that Deven will bring her broad range of experience to help OCR continue to navigate the fine line of protecting patient privacy and rights while respecting the operational challenges of delivering and paying for healthcare in the U.S.," he says. "OCR has a very full plate at the moment, but I hope that Deven can help OCR provide more technical guidance on how these mostly 15-year-old regulations apply to today's new technological and policy developments."

Dixie Baker, a longtime federal adviser, says she's pleased that McGraw will be working on outreach, "which is extremely important and challenging. Helping people understand and interpret the law is a critical component of enforcement. Deven's deep understanding of health law and its nuances, and her ability to communicate in lay terms, have certainly benefitted me tremendously."

Baker, senior partner at the consulting firm Martin, Blanck and Associates, is now co-chair of the Office of the National Coordinator for Health IT's Transport and Security Standards Workgroup. She says she'd like to see McGraw help HHS facilitate the harmonization of HIPAA and the Common Rule, which governs research. "This is particularly important as research becomes increasingly integrated with healthcare. I'd like to see the HIPAA Privacy Rule updated to specifically address genomic data, and to revisit the de-identification provisions within the context of both genomic data and today's 'big data' technology environment."

McGraw's Experience

Before joining Manatt Phelps & Phillips in 2014, McGraw was director of the health privacy project at the Center for Democracy & Technology, a consumer advocacy group, working on health privacy and security policy issues. Earlier, she was chief operating officer at the National Partnership for Women & Families, where she provided strategic leadership and policy expertise for the organization's health policy agenda.

In addition to her "day job," McGraw has also has served as an adviser to HHS on health data privacy and security issues for the last six years. She was appointed by former HHS Secretary Kathleen Sebelius in 2009 to the federal Health IT Policy Committee, which advises HHS' Office of the National Coordinator for Health IT on policies related to the HITECH Act electronic health record financial incentive program, as well as secure nationwide health information exchange, and HIPAA. She also co-led the committee's privacy and security workgroup - previously called the Privacy and Security Tiger Team - and co-led its Information Exchange Workgroup. McGraw has also testified before Congress on privacy-related matters.

The privacy attorney has also been recognized twice by Information Security Media Group as among the most influential people in health information security. ISMG named McGraw a top 10 health information security "influencer" in 2012, and the entire Tiger Team was also named to the list in 2013 (see Top 10 Influencers in Health InfoSec).

A Critical Time

McGraw is taking on the leadership of OCR's health information privacy division at a critical time, says attorney David Holtzman, a former senior adviser at OCR.

"There are expectations that OCR will fulfill its longstanding commitment to provide guidance on key areas of the [HIPAA] privacy and breach notification rules, especially those areas that underwent significant change in the 2013 Omnibus Rule changes," says Holtzman, who's now vice president of compliance at CynergisTek. "Deven could provide a needed champion to the nascent HIPAA/HITECH audit program, which appears to have gotten off to a very slow start. And, she brings a credible voice to how patient privacy protections and choice influence the development of HHS policy as the department addresses the challenges in promoting EHR technologies and interoperability."

McGraw is joining the agency as it faces internal challenges, he says. "My sense is that OCR is facing tremendous fiscal pressures and leadership challenges. For example, the department is, or has plans to, consolidate some of OCR's regional offices. Deven is the right person to advise Director [Jocelyn] Samuels on health information privacy and security matters," he says.

Beth Israel Deaconess Medical Center CIO John Halamka, M.D., who chairs ONC's HIT Standards Committee, notes that he worked closely with McGraw on a review of the HIPAA Omnibus Rule. "Deven is a remarkable person, and very practical. She understands operational issues we all face, and the trade-offs between perfect security and usability and delivery of care to patients."

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.