Joy Pritts: Health data security features must be usable

We sat down with outgoing ONC Chief Privacy Officer Joy Pritts, who may surprise you with perspectives on health data security, patient privacy and her next act, post-ONC.

This is the second half of our exit interview with ONC's outgoing Chief Privacy Officer Joy Pritts. Part one can be found here.

What's your next act? Will you be going to work for Farzad [former ONC chief Farzad Mostashari, who has started a health IT consulting firm]? Are you going to be doing something privacy related in the private sector? Do you know yet?

Joy Pritts: I intend to stay in the privacy world …. I really don't have any idea what my next steps are. I'm kind of jumping off the cliff without a parachute. It's very exciting to think about what options are out there. But as a political employee it's almost impossible for me to look for another job while I'm still here. I really don't have any clue where [I'll] be going.

That makes a lot of sense. Because there would be built-in conflicts, or there could be in a lot of cases.

Pritts: The moment I have an interview I need to recuse myself from any item that I'm looking at that might have an impact on that organization. And given the breadth of what I do, that means that I'd have to recuse myself from almost everything I do. It's just easier for me to deal with it once I'm gone from ONC.

Did you feel like the position has been established enough so that it will prosper in the wake of your departure?

Pritts: Oh yes. When I was first appointed to this office there was me and one staff member. We now have the positions of chief privacy officer and at least 12 staff members, and the current national coordinator has made a definite commitment to maintaining the office size and its focus and its funding.

In your mind what role do vendors play in protecting patient privacy? It's providers that want to comply with HIPAA and meaningful use rules, but in some ways they can only be as compliant as the software they purchase allows them to be.

Pritts: We obviously see that it's very important for vendors to build in security and privacy enhancements into their products. When we address this issue, we always say that everyone has responsibility when it comes to protecting the privacy and the security of health information. It runs from the government to the vendors to the providers and even to the patients when they receive their own information.

With respect to the vendors in particular, we really believe they need to make a concerted effort to build security into their products and do it in such a way that it's easy to use. Because if it's hard to use, the providers won't do it. We also see some activity out in the field that we find a little distressing, which is where some vendors tell their provider/customer, "just buy this product and you will be HIPAA-compliant." And that's just not the case. So what we really encourage vendors to do is be really careful in how they message what they're selling a provider. You can sell a provider a product that has a lot of security features, but the provider is still going to have to use it properly and have proper policies and practices in place. You can't buy security.

What do you see as the top privacy issues that are going to face the health IT world in the next few years? Are there any new issues on the horizon?

Pritts: The health IT space is really constantly evolving. Probably one of the biggest issues is going to be what a lot of people are referring to as big data. I'm using that term as meaning the collation of data from a number of different resources and combining it and analyzing it. When you're doing that activity and you're taking information not only from healthcare providers who are covered by HIPAA, you might be also collecting information from the individual's mobile device that's not covered by HIPAA. And you might be trying to get some of that information from credit reporting agencies because that's a big movement now, to look at not only an individual's health, but also their social and economic factors and how all of this comes into play. All of those different sectors are subject to different rules and regulations. It's going to be very curious to see how that all plays out.

OK, the obvious question is: why are you leaving?

Pritts: The timing is just right. I've been here for 4 ½ years. And the average tenure of a political appointee is two years. And I feel like it's been a great tenure here. I've been able to accomplish a lot and set up a great office going forward. And it’s just a good time for me to leave on a very high note.

Let us know what you think about the story; email Shaun Sutner, news and features writer, or contact @SSutner on Twitter.
