An Appreciation

November 2017

In mid-October, without fanfare, Deven McGraw left her position as the Deputy Director for Health Information Privacy at the Office for Civil Rights (OCR) in the U.S. Department of Health & Human Services. Deven has been a strong leader on health care privacy and security issues for many years. While there certainly is highly capable staff left at OCR, both protected individuals and the regulated industry will miss Deven’s presence at OCR. 

The lesson of Deven’s tenure at OCR – and of her previous advocacy on privacy issues – for future regulators, at HHS Office for Civil Rights and elsewhere, is to ensure that they focus on privacy interests, compliance, and enforcement as part of a broader puzzle. From the very beginning of the HIPAA era, OCR’s regulators recognized that an overly aggressive approach to enforcement would create problems within the health care system, for patients and covered entities. The same issues have arisen in connection with various health care reform ideas, such as transparency and patient engagement – where there are certain tensions between these important goals and strict adherence to HIPAA and overall privacy concepts. An appropriate approach to privacy enforcement in the health care system protects and advocates for patients, but this advocacy must factor in what is best for the patients and the health care system in a broader, systemic analysis, where privacy interests are evaluated and protected along with the overall health of the health care system itself, for the benefit of patients, both individually and collectively, and the industry.

Deven’s career in health privacy began as a consumer advocate at the National Partnership for Women & Families. I first met Deven when we both served on the Privacy and Security Committee for the American Health Information Community (the predecessor to the HHS Office of the National Coordinator for Health Information Technology). On this AHIC committee, Deven represented the interests of the patient community on the critical privacy and security issues related to the expanding development and implementation of electronic health records. But it is also critical to understand that this leadership on privacy issues did not mean – and should not have meant – a focus on privacy and security to the detriment of other values. Patients want a health care system that works – they want effective, efficient, and reasonably priced health care. They want medical research to develop better cures. And they want privacy and security of their information as a part of this effort – but not as the only part. Deven’s critical role was in representing the patient interest from this holistic perspective – protecting privacy and security as part of an improved and effective health care system.

After leaving the Partnership, Deven spent several years engaging as a national thought leader on health privacy at the Center for Democracy & Technology. In that role, she continued to represent the patient perspective, but also began to develop a broader role in the most complete aspects of the health care privacy debate, including the important discussions that led to the HIPAA revisions pursuant to the HITECH Act.

She joined HHS in 2015, and quickly became the most visible HIPAA regulator. At HHS, we continued to see this important thought leadership and an effective enforcement voice. Deven advocated for better security protections, more patient engagement, and improved data sharing in key areas. She also led a focus on more and better guidance, for covered entities and others. At the same time, while HHS OCR continued to expand its enforcement role – with more and more cases – the office, under Deven’s leadership, continued and improved its long-standing approach on enforcement. OCR was never a “gotcha” agency. From the start, it recognized that data flow was critical to the operations of the health care industry, and benefited both the industry and patients. An enforcement approach that was too aggressive would have shut down critical data sharing. Accordingly, the agency’s enforcement approach was to educate, guide, mitigate, correct, etc., and take enforcement action only when these steps were not working.

Deven became the focal point of this approach in recent years. If you were trying to do the right thing, and had put reasonable effort into appropriate steps, and acted quickly to fix your problems, you tended to be OK. Companies that did not take reasonable action, or did not fix their problems, or that had repeated mistakes, were the ones seeing enforcement actions. Under Deven’s leadership, this office could tell when a covered entity or business associate was trying hard to do the right thing – and could distinguish those entities that were not. This kind of thoughtful approach benefits patients – by protecting their privacy where it counts – but also ensures that the system works appropriately and effectively. Companies that were focused on compliance – and that fixed the problems that did occur – were motivated to act appropriately, because they could see peers who did not take these steps face enforcement. 

This made the Office for Civil Rights the best kind of regulator, for both individuals whose interests were being protected by the regulations, and the regulated industry. In a political context where many industries are pushing to eliminate regulations, the health care industry has settled into an appropriate compliance posture under HIPAA, and there is no broad push by the health care industry to change the regulations or make them easier to comply with. While the drafters of the HIPAA rules deserve much of the credit for this situation, and the earliest leadership of OCR also deserves credit for their thoughtful approach to reasonable enforcement, the health care industry and the patient community at large owe Deven thanks for a job well done.

There is significant thoughtful, capable and effective staff remaining at OCR. Both patients and the industry should hope (and reasonably can expect) that the example Deven set – and the effectiveness of the office under her leadership – can continue over the next several years, to the overall benefit of the health care system and the interest of patients in both privacy and a strong, effective health care system.
