New ONC Chief Privacy Officer starts with a full plate

When Joy Pritts, the newly appointed Chief Privacy Officer in the Office of the National Coordinator for Health IT, started her job on Monday, she already had a list of pending action items stemming from activities, initiatives, and recommendations dating back more than three and a half years. High up on that list should be formulating a single cohesive federal privacy policy to help eliminate some of the confusion, conflicts, and inconsistencies among various federal and state level rules and regulations on privacy. This is a task for which Pritts should be unusually well suited, given her extensive research into different state-level privacy practices and deep expertise with key federal health privacy legislation, especially HIPAA. Over 10 years ago she was the lead author on a study called The State of Health Privacy, sponsored by the Health Privacy Project at Georgetown (now part of the Center for Democracy and Technology). The study, first published in 1999 and revised several times since then, provides a comparison of state-level privacy statutes and identifies states that have augmented or strengthened federal HIPAA requirements. More recently she served as an advisor on the Health Information Security and Privacy Collaborative (HISPC), an ONC initiative begun in 2006 now in its third phase that includes participation from 42 states.

To the extent that ONC director David Blumenthal will shape the Office’s privacy agenda, the effort to establish a comprehensive privacy policy (or privacy framework, as is often proposed) will draw on multiple sources of privacy principles and guidelines, as was the case with the privacy framework promulgated by the American Health Information Community (AHIC) a couple of years ago. At the urging of privacy advocates who have been advising the Health IT Policy Committee on privacy issues, both before and since the release of the meaningful use criteria for EHR technology adoption incentives, the current effort on privacy policy will apparently also include recommendations submitted over three years ago by the National Committee on Vital and Health Statistics (NCVHS) to address patient privacy rights associated with the Nationwide Health Information Network (NHIN). Tucked into those recommendations is a proposed definition for health information privacy: “an individual’s right to control the acquisition, uses, or disclosures of his or her identifiable health data.” This definition, if adopted, may have a better-than-average chance of successful application, as it is both domain-specific and encompasses the three major contexts (according to a model proposed and fully described by Daniel Solove in Understanding Privacy) in which privacy ordinarily comes into play:  information collection, information processing, and information dissemination. Given the past indications that ONC considers the privacy policy issue to be a prerequisite for making progress on other key initiatives, perhaps policy is the best place for Pritts to start.