Recorded July 17, 2020
November 20, 2020
In our third episode, Shannon Yavorsky talks with Deven McGraw, Co-Founder and Chief Regulatory Officer at healthtech platform Ciitizen and former Deputy Director for Health Information Privacy at the Office for Civil Rights of the U.S. Department of Health and Human Services. Together, they discuss the limitations of HIPAA, the challenges of a state-by-state privacy law approach and ways to share health info without compromising patient privacy.
Deven McGraw is the Co-Founder and Chief Regulatory Officer at Ciitizen, a consumer health technology company. She previously directed U.S. health privacy and security for the United States as the Deputy Director, Health Information Privacy at the HHS Office for Civil Rights and Chief Privacy Officer (Acting) of the Office of the National Coordinator for Health IT. Widely recognized for her expertise in health privacy, she directed the Health Privacy Project at the Center for Democracy and Technology for six years and led the privacy and security policy work for the HITECH Health IT Policy Committee. She also served as the Chief Operating Officer of the National Partnership for Women and Families.
Shannon Yavorsky:
Hello, and welcome to Take 5 for Privacy, brought to you by Orrick. I’m your host, Shannon Yavorsky, and a partner in the Cyber, Privacy and Data Innovation practice at Orrick. With me today is Deven McGraw, the former Deputy Director for Health Information Privacy at the Office for Civil Rights of the U.S. Department of Health and Human Services where she was responsible for enforcing HIPAA and issuing guidance, including amazingly instructive videos on how to comply with those rules. After spending two years with the U.S. government working on behalf of patient rights regarding personal health data, she’s now the Co-Founder and Chief Regulatory Officer at Ciitizen, a patient-centered platform for helping people collect, organize, and share their health data. Deven, I’m thrilled to have you on the show today, and thank you so much for joining me. I have a few questions for you.
Deven McGraw:
Sounds good.
Shannon:
In your view, what is the most critical issue in privacy today?
Deven:
So, I’m going to give a very U.S.-based answer, because I think the most critical issue in privacy for the U.S. is the fact that we don’t have a comprehensive privacy law in this country. And most of the work I do is in healthcare, and the fact that we’re trying to get - you know, to kind of build this health data ecosystem, where it’s not just health data in doctors and hospitals, but we’ve got data that’s contributed by patients through Fitbits and monitoring tools and patients wanting to get their own health information and use it, and HIPAA’s only got limited coverage. It’s a decent law, but it doesn’t really cover all of the data outside of that. And so when consumers are using and sharing health information on social media sites and various other venues, they’re not protected by anything other than commitments made in company privacy policies, which we know are sometimes really hard to understand, and not that vigorously enforced, at least in my opinion.
Shannon:
Yeah, that’s exactly right. And there’s a sort of patchwork of privacy laws that applies to non-HIPAA health data that makes the regulatory landscape even more complex for companies, and costly for them to comply having to do fifty state surveys to figure out what exactly, you know - what state laws are applicable. So, I hear you. And, so how do you think we address that issue?
Deven:
Well, you know, certainly Congress is aware of it. What has happened, of course, in the U.S.—which you know very well—is that the states have jumped into that void. Right? You know, we have California with the CCPA, and frankly, there’s another initiative that is in the works to…
Shannon:
Yes.
Deven:
… strengthen that law even more. Right? And then you hear about other states, because Congress, frankly, has not acted yet to fix this problem. And there have been some bills that have been introduced, right, but they haven’t gone very far. So, I don’t know what it’s going to take. Because, here, there may be an alignment, actually, of consumer and company interests. Right? Companies want a clear, level playing field. They don’t want to be governed by fifty state laws, I get it. Frankly, fifty different state laws is a very confusing environment for consumers. Right? You know, is the company in California? Is the company in Rhode Island? Where do I live? What law covers me? And so, if we were able to get a decently strong law that everyone could agree to, I think that would fix it. That’s a hard thing to do, though.
Shannon:
Yeah, no, I hear you. And, I see the danger of ending up with fifty different state privacy laws, in the way we have fifty different state data-breach notification laws which makes it complex, timely, and costly for business to comply with the law. And I think people really would welcome a unifying legislative approach, like they have in Europe with the adoption of the General Data Protection Regulation, which sought to harmonize data protection law across Europe. And it’s been a success, and I could see, you know, that being very welcome in the U.S.
Deven:
Yeah. No, I mean, look, think about the ways that people think that HIPAA covers all health data already, right? They think that there is this law that covers their health data wherever it is, and it doesn’t.
Shannon:
Right, yeah.
Deven:
So, I think you’re absolutely right.
Shannon:
Yeah, I feel like I’ve been saying that a lot with companies who are collecting all manner of health data in connection with COVID-19. So, they’re doing - they’re issuing health-screening questionnaires, or they are rolling out contact tracing. And they’re like, “So, tell me about HIPAA.” And I’m like, “Sorry, HIPAA doesn’t really apply here, so we’re going to have to, you know, look at this other legislative landscape. As well as, you know, guidance from the CDC.” So, it is a complicated - it’s a complicated issue. And I think that’s right, people think, “Oh, well HIPAA covers health data.” And that’s just part of the story.
Deven:
Yeah, yeah, indeed.
Shannon:
So, is there a way to share health information—for example, for research purposes—in a way that doesn’t compromise consumer/patient privacy?
Deven:
Oh, absolutely. And, in fact, it happens every day, in this country, that health information is shared for genuine research purposes without compromising privacy, and that happens in a couple of ways. One, it happens by using data that are less identifiable to the person so that the researchers who are dealing with the data get the information that they need to do the research, but they don’t know, you know, which patients are behind that information. Because they don’t need to. They need to know that I - they need to know my age, and what my condition is, and how I responded to medication, but they don’t need to know that it’s Deven McGraw, in that record. So that’s one way. The other way is by having an objective body, like an institutional review board, reviewing whether the research, in fact, is, you know, valuable research. Is investigating a question that is going to contribute to science, as opposed to slapping that research label on essentially what is an internal set of company analytics. Which, not that that is necessarily a bad thing to do, but, you know, if you’re talking about allowing data to be used for research in a broad set of circumstances, I think, generally, people are much more willing to have their data be used in a way that contributes to the public good.
Shannon:
Yeah, I think that’s right, provided it’s appropriately deidentified.
Deven:
Yeah, or…
Shannon:
I think people would support that.
Deven:
Yeah, or consented, right?
Shannon:
Yeah, or consented. Yeah, exactly. Switching gears, can you share with us a challenge you’ve had to overcome in privacy, and maybe some of the lessons you’ve learned from that experience?
Deven:
Yeah, so I, having been a regulator for a couple of years, and now inside of a company, I now know just how challenging it is to write privacy policies in ways that are aimed at being understandable to the public, but also providing the company with the kind of legal protection that the company needs in order to move forward. That is just a huge challenge. Like, you know, I want to be, like, radically transparent, radically honest, very clear, and then you realize that those words - that crafting that language in a way that you can guarantee that the company will be able to honor for years to come turns out to be very hard.
Shannon:
Right. {Laughs}
Deven:
It’s a huge challenge, right? And it’s not to say that I’m trying to figure out how to get something over on people, because I’m not. But it is, like, we’re a brand new company. We have some idea of where we’re going, and what kind of data uses and disclosures we’re going to need to put out there to the public. We have no idea - that could change. And we can change the policy, but I want to do that in a way that people are aware of and not pull the rug out from under people. So, it’s just - it is so hard.
Shannon:
Achieving that level of transparency, while provisioning for the future. It is a tricky calculus, getting that exactly right.
Deven:
Yep.
Shannon:
Yeah, I hear you. Do you have a privacy pet peeve?
Deven:
Oh, I have many. Doesn’t everybody have those?

{Laughter}
Shannon:
Definitely. Mine last year was that everyone was calling CCPA “cacpa”.
Deven:
Oh…
Shannon:
But that’s been resolved, so I’m good now.
Deven:
So, I think my biggest one is related to the conversation that we had earlier, about people thinking that HIPAA is, you know, covers more than it does, and using it as a weapon. “I won’t wear my mask during COVID-19, and nobody can ask me about what my health condition is that keeps me from wearing masks, because that would be a violation of HIPAA.”
Shannon:
Oh, right. I wasn’t even aware of it being weaponized in that way.
Deven:
Oh yeah, there’s an entire feed on Twitter. There’s actually, somebody has set up a Twitter account called “Bad HIPAA Takes”. You can read this stuff all day long, and it literally - as a lawyer who has - and as a former HIPAA regulator, like, it just makes me cringe.
Shannon:
Just rankles.
Deven:
Just stop already. Not true. Not true. Not true. So, that’s probably my biggest one. And a second little pet peeve is overreliance on consent to protect privacy.
Shannon:
Yeah, I hear you.
Deven:
Like, you know what, it’s important, but if that’s the lynchpin, we’re doomed. People just give their privacy away way too easily, and the companies need to take steps to be more accountable for how they handle data.
Shannon:
Yeah, I hear you. I hear you. One thing, I guess that our final question here is, it’s sort of the interests section of a résumé. Can you tell us a fun fact about you that people may not know?
Deven:
Yeah, you know, I was trying to think of one. This is terrible, isn’t it? It’s like I spend so much time working that I no longer know fun facts about myself.
Shannon:
Oh no.
Deven:
But I - one of my early jobs out of college was I was a journalist. I was an assistant producer for CBS News for four years before I went to law school. And I studied…
Shannon:
Oh wow.
Deven:
…journalism in college. So, I think a lot of people don’t realize that I once was a journalist.
Shannon:
Those skills are really critical in, you know, investigative journalism, writing, all of those things matter now.

{Outro Music}
Shannon:
Thank you so much for joining us on Take 5 for Privacy, we really appreciate your time.
Deven:
Thank you, I appreciated being here.