Deven McGraw been appointed to the role of Deputy Director of Health Information Privacy, and must get the agency auditing, advising and enforcing as it is supposed to be. Ms McGraw will be filling the role left vacant by departure of Susan McAndrew, who retired last year, and is set to assume the role on June 29.
The OCR has taken its time to identify a replacement for Susan McAndrew. That wait certainly seems to have paid off.
McGraw boasts an impressive resumé, with experience in both the public and private sector. She has developed strong strategic management skills and has held the posts of Chief Operating Officer at the National Partnership for Women & Families and Director of the Health Privacy Project at the Center for Democracy & Technology. McGraw is familiar with challenges, and has an extensive working knowledge of the particulars of healthcare privacy and security laws.
She served as partner at Manatt Phelps & Phelps and co-chair of the firm’s privacy and security practice. She has also been an adviser to the HHS for the past 6 years and has testified before congress on privacy matters many times; in addition to serving on the federal Health IT Policy Committee.
The OCR decribed the role McGraw will play at the OCR in the announcing of her appointment. “McGraw will spearhead OCRs policy, enforcement, and outreach efforts on the HIPAA Privacy, Security, and Breach Notification Rules; as well as lead OCR’s work on Presidential and Departmental priorities on health privacy and security.”
There are two major challenges which require immediate action to be taken. The second phase of the HIPAA compliance audits has been delayed for some time. The OCR has taken action having sent out pre-audit surveys. After the responses have been gathered, covered bodies need to be selected for audit. No announcement has been made by the OCR as to when they will begin but the pressure is on to make a start soon.
The OCR must also help covered bodies achieve compliance with HIPAA Security, Privacy and Breach Notification Rules. One of the ways the agency will aim to do this is by issuing technical guidance. New guidance has been slow to emerge of late and many covered bodies are struggling to comply with HIPAA Rules due to this. The legislation is, after all, nearly 20 years old.
The OCR must make good on its promise to help covered bodies more and issue new technical guidance to help covered entities and their Business Associates implement the necessary measures to protect the privacy of patients and keep healthcare data secure.
The OCR has lost some key members of staff in recent months and the effects are still being felt. The agency has had to adapt to a new Director, Jocelyn Samuels, and Susan McAndrew’s absence will be felt. The appointment of Deven McGraw should certainly help to redress this.
There is a lot to be done and with little funding, which will make McGraw’s job difficult. Despite having the rigt skill-set she have to squeeze even more out of the resources the OCR has at its disposal.