Lucia Savage sits at the center of the ongoing campaign to move health care from paper to the web.

As chief privacy officer of the Department of Health and Human Services' Office of the National Coordinator for Health Information Technology, Savage is charged with guiding health IT through the pitfalls and entanglements of patient privacy rights, electronic records consent and interoperability.

Savage caught up with Senior Staff Reporter Carten Cordell to talk about ONC's progress on connecting health IT. 

One of the biggest challenges facing ONC in promoting interoperability has been the various interpretations of HIPAA. What do you find has been the most common issue when educating stakeholders about HIPAA compliance?

Well, one thing to remember is that in the United States, HIPAA is kind of the baseline rule and we have intentionally created an environment where every state can pass their own special health privacy laws, and states do that to protect their population, maybe because of particular clinical conditions or whatever. We actually have a very complicated rules environment, and because we are training our physicians and nurses to take care of people's health, we can't expect them to understand or digest on a daily basis 53 state rules. That being said, two of the most common things we see with HIPAA are, first, that people think that somehow HIPAA prevents them from having an ordinary dialogue with the patient and the patient's caregivers about care that's necessary, and nothing could really be further from the truth. Doctors are free to tell patients about their own health care under HIPAA, and patients are free to tell doctors whatever they want about their own health care. In fact, patients are free to tell anyone they want about their own health care. We don't really regulate private people. And the second thing we know is that doctors are confused that they can't share with each other, for example, in a referral situation. HIPAA actually has a long-standing rule about that as well, to facilitate that, because it's an ordinary part of health care. All of that information transfer was necessary before the HITECH Act, and all we've done with HITECH is digitize the information that's being transferred.

It seems like you have a two-pronged campaign where you're working with industry on these regulations, but you are also informing patients of their rights to be able to share their information. Can you talk about those education efforts?

So when HIPAA was enacted 17 years ago—20 years ago for the law and 17 years ago for the regulations—it built in the right of individuals to get a copy of their own records and to suggest corrections when they found errors in the records or the records were missing information, but that record system, from the care perspective, was primarily paper-based. After HITECH was passed and we started to digitize the system, the Office for Civil Rights revised those rules to make it clear that not only can you get a copy, but you can get a copy electronically if it's stored in that format, and there are some security controls on that, and that you can actually transmit a copy of your records to a person you need it to go to. So back to that referral situation: even though the law allows two doctors in a referral situation to share the information, if it's not happening for whatever reason, you as the patient can say, "Send my records to this second doctor down the stream," so the doctor has what they need to treat you. So OCR embarked on a process of really giving a lot more elaborate examples in their FAQs that were issued in February, and that set of guidance was addressed primarily to physicians, the health care organizations and the lawyers who serve them. What we promised to do was to use our special secret sauce at ONC to take all that information and turn it into something that was usable every day by consumers. So the videos that were released in June were kind of the first effort in that regard, and we really like them. We spent a lot of time in the field with patients, field testing language and how we would describe things with physicians, making sure that they hit the right note about collaboration between patients and their physicians and also being sure to incorporate the most modern technology. Because really, the patient is on the mobile phone and the health care system has to catch up to them there.

As chief privacy officer, what is the question you get asked the most about interoperability?

"Am I allowed to do that?" When we're asking people to exchange information, that's really what we get. And we have to do a lot of work to sometimes tease out what that question is about, right? Is the question about a patient being allowed to disclose their information where they want it to be? To a parent or a child or a family member who might be a health care professional who's coaching them through a particular issue, or to a doctor or to a researcher or to precision medicine, all those different things. That's the one universe, but then when we think about the providers' perspective, they want to improve patient health; that's why they went into the profession of medicine. And so we need to help them understand that the digital information is a tool that facilitates that and the sharing of the information is a tool that facilitates that. So when providers ask, "Are we allowed to do that?" we try to give them relevant information for their context, whether it's a treatment context or we have a lot of work with other HHS agencies relative to Flint, Mich., and the lead crisis. Because now we have to test the children for lead poisoning, and if we find lead poisoning, we have to track their health over a long period of time. Similarly, women who have Zika and who might become pregnant: all those things require a fair amount of information over a fairly long period of time with a lot of different actors in the system. So again, we end up talking about what's allowed and what's not allowed.

You've mentioned before the benefits of threat sharing when it comes to cybersecurity. We've seen it in other agencies, like Homeland Security. Can you talk about what the benefits would be for HHS?

Sure, I just want to make sure people understand the difference between threat sharing and sharing health information; that's sort of the first question we get. So sharing health information is when I tell a doctor I have this condition or this disease or this prescription so they can account for it in care. Threat sharing is when a systems administrator identifies some anomaly in their technology which indicates a security flaw or a security incursion, and that's completely different from actual [Protected Health Information].

Across the health and public health sector, we've been working very hard with our sister agencies at HHS to improve the rate at which health care stakeholders share the threats that they identify. And many efforts were in place well before Congress enacted the [Bipartisan Budget Bill] last year, which gave us some specific charges, and more work was done in response to those charges. So to put the DHS context in it, DHS is kind of the mothership or the home port for threat sharing that the national security infrastructure has identified. It's their job to get that back out to the sectors, and so we want to hook our health care stakeholders into that. The way they hook into that is through Health and Human Services' Assistant Secretary for Preparedness and Response.

So every cabinet level or every economic sector, as it were, has its own agency that's responsible for facilitating this activity. [Department of] Energy has one, Transportation has one, Commerce has one and Health has one, and it's housed within Health and Human Services' Assistant Secretary for Preparedness and Response. So what we do is we collaborate with ASPR to bring the private sector into what the government is already doing to share within the government.

So I want to point out that it's an area of a lot of confusion, because in the health care sector the businesses range from very, very tiny to very, very large. And we know that the really large businesses have sophisticated cyber threat detection infrastructure and are already participating in some threat sharing. Maybe they need to participate a little bit more, but we know that the weak link in it is as the business gets smaller and smaller. Again, if you're going to have a very highly trained specialist who's running his own little doctor's office, you want him to be taking care of your health and not be worried about cybersecurity, but by the same token, he is responsible for the security of the system. We need to create better methods and strengthen the methods by which we bring the smaller organizations into threat sharing so that threats are shared across the health and public health sector.

The analogy I gave a couple months ago, which is what I've used for a while and which is kind of my favorite, is the neighborhood watch. If you participate in a neighborhood watch in your own community, you know your neighbors and everyone knows each other's car. You know when there's an unfamiliar car on the street or when somebody's jiggling the lock on your door who doesn't look like they belong there. And you tell each other, "Hey, this guy was casing the neighborhood," or "I thought I saw a suspicious car." So cyber threat sharing is the same thing, only it's a virtual neighborhood, and we organize it in states by economic sectors. So we have a virtual neighborhood in public health and health, and within that community people share the threats they identify and take information about identified threats and know how to respond to them.

Can you talk about the challenges facing patient consent to share health information with providers?

One of the things we look at as we look across the health care system to see if it is interoperable is how much is automated versus subject to paper. It's a pretty easy litmus test as you look out into the universe. What we find is that while we have great standards for data architecture, and we know what a certified electronic health record is, and we know what kind of data elements have to be collected, what we don't have good standards for is electronically documenting a privacy choice when one is required. So, backing up to our earlier question, there are many circumstances for ordinary health care when the rules are in place to allow information to flow as it needs to for the patient's care without the necessity, legally, of getting that patient to find a piece of paper. But when you do need to get that piece of paper signed, how can we automate that process? How can we make it as easy as, you know, applying for a mortgage online? That used to be a process that was just completely covered with paper, and now we do it electronically. How do we bring that technology into health care so that we are using appropriate credentials from an e-signature standpoint, and that we have good capture of that information within our systems, so the systems talk to each other and understand that information as it is being created? So that if I'm saying to you, "I have [someone's] consent," you recognize that data instead of me having to pull a piece of paper out of my file cabinet and fax it to you.

It's a little more than a year since the Interoperability Road Map came out. Can you talk about the progress that has been made in that time and where you are looking to go from here?

My team, we made a couple of firm commitments. The first one was to sort of help sort out all of the confusion about privacy laws. We put that into three buckets. The first bucket was, "What does HIPAA actually say?" So we did a very concerted effort this year with the Office for Civil Rights to publish some basic factsheets on how HIPAA supports interoperability, because it allows physicians to exchange data for care without first having to get a patient's signature. So that all came out in February. The second thing we did was, as a corollary to that, this work that we've done with the Office for Civil Rights on you as a person, as an individual, your right to get your data and move it wherever you want it to go. That's sort of Bucket One.

Bucket Two is helping states that have their own privacy laws understand the policy implications of having unique laws, how that might be interfering with their own interoperability goals—for example, for their Medicaid populations—and how states can collaborate to arrive at privacy standards that work across the country, maintaining the protections that those laws already create but also facilitating interoperability. So that was through our grant to the National Governors' Association, and while the results of that are not public yet, we're very pleased with the progress that NGA has made and we're very excited for when they finish that work.

And the third point was to help our stakeholders understand, at the policy level, the implications of adopting consent and documentation rules that HIPAA would not require. So that is a work-in-progress. We gave ourselves three years to get that work done. We're about halfway through the second year right now, and again, I'm very happy with the progress. We don't have any public information.

What tools do you have to help people improve security in the health care sector?

So for a long time we've had a tool called the Security Risk Assessment tool. It's free, prepaid by the American taxpayer, downloadable. It's a tool that has always helped physicians. They could download it, and it asks questions about their environment. Based on the answers, the physician or their office manager or whoever can identify places in their own environment where they can strengthen security. They can take that and focus their efforts on things that really need repair. We just released a new version of that; we released it with bug fixes and a few upgrades for operating systems. Next year, hopefully, we'll get an even more fancy new release out. It's our No. 1 download on HealthIT.gov. It's used by consultants and office managers and people trying to understand the security rules. As with all of our tools, we use them in concert with the actual regulator here at the Office for Civil Rights, and we're really excited that it came out [in September]. We also have material on our website under the security and privacy tabs: video games and online training tools so that individual offices can really get to improve their own security behavior. Because one of the things we know about security is that about half of poor security results from human behavior as opposed to a technical flaw, like answering a phishing email. We've all been trained about that, but we can always use more training.

So it seems like a multi-pronged front, where you are educating the public, working with industry and collaborating with OCR.

One of the things I think we do really well here at ONC is take very complicated information from other people—like the Office for Civil Rights or the Department of Homeland Security—and turn it into stuff that ordinary, small health care businesses can really absorb and understand. That's something that we were asked to do in HITECH, and we've really taken it as kind of the pillar of the work we do in my office.