Share this article on:
Very shortly there will be a new face at the Department of Health and Human Services’ Office for Civil Rights. Privacy Advocate, Deven McGraw, has taken on the role of Deputy Director of Health Information Privacy, and must get the agency auditing, advising and enforcing as it should. She will be filling the role left vacant by Susan McAndrew, who retired last year, and is set to join the OCR on June 29.
It Takes Time to Find the Right Candidate
The OCR has taken its time to find and appoint a replacement for Susan McAndrew. That wait certainly appears to have paid off.
McGraw will bring a wealth of experience to the OCR, having worked in both the public and private sector. She has developed strong strategic leadership skills and has held the posts of Chief Operating Officer at the National Partnership for Women & Families and Director of the Health Privacy Project at the Center for Democracy & Technology. McGraw is no stranger to challenges, and has an extensive working knowledge of the intricacies of healthcare privacy and security laws.
She will be able to draw from the experience she gained at Manatt Phelps & Phelps, where she served as partner and co-chair of the firm’s privacy and security practice. She has also been an adviser to the HHS for the past 6 years and has testified before congress on privacy matters on numerous occasions; in addition to serving on the federal Health IT Policy Committee.
McGraw to Spearhead the OCR’s policy, enforcement, and outreach efforts
The OCR confirmed the role McGraw will play at the OCR in the announcement of her appointment. “McGraw will spearhead OCRs policy, enforcement, and outreach efforts on the HIPAA Privacy, Security, and Breach Notification Rules; as well as lead OCR’s work on Presidential and Departmental priorities on health privacy and security.”
There are two major challenges which require immediate attention. The second phase of the HIPAA compliance audits is long overdue. The OCR has already set the ball rolling having sent out pre-audit surveys. After the responses have been collated, covered entities need to be selected for audit. No announcement has been made by the OCR as to when they will commence but the pressure is on to make a start this fall.
The OCR must also help covered entities achieve compliance with HIPAA Security, Privacy and Breach Notification Rules. One of the ways the agency achieves this is by issuing technical guidance. New guidance has been slow to emerge of late and many covered entities are struggling to comply with HIPAA Rules as a result. The legislation is, after all, nearly 20 years old.
The OCR must make good on its promise to assist covered entities more and issue new technical guidance to help covered entities and their Business Associates implement the necessary controls to protect the privacy of patients and keep healthcare data secure.
The OCR has lost some key personnel in recent months and the effects are no doubt still being felt. The agency has had to adapt to a new Director, Jocelyn Samuels, and Susan McAndrew’s experience will certainly be missed. The appointment of Deven McGraw should certainly help steady the ship.
There is a lot to be done and very little money to do it with, which will make McGraw’s job that much harder. She certainly has the right skill-set, but is likely to have to squeeze even more out of the resources the OCR currently has available.