Health Innovators

Episode · 2 years ago

Understanding the Privacy Regulations and Legislation Affecting Digital Health Innovators w/Lucia Savage

ABOUT THIS EPISODE

In an age of digitized healthcare, some of the biggest issues and challenges for innovators are privacy, how patient information is collected and protected, and how legislation impacts the landscape of innovation. How can health innovators uphold regulations in their business models and operations? How can privacy influence the success and failure of an innovation?

On this episode, Lucia Savage, Chief Privacy and Regulatory Officer at Omada Health, shares why healthcare innovators need to uphold and embrace privacy, how to make it part of their business model, and the biggest myths about HIPAA.

 

3 Things We Learned

  • New HHS announcements and how they impact innovators
  • The two classes of digital health innovation
  • How healthcare innovators should be thinking about privacy

 

The success of digital health companies is immensely dependent on how well they handle the sensitive issue of personal patient/customer data. Even if a digital innovation is only regulated by the FTC and not HIPAA, the impact of data breaches or mishandled information can do real damage to the patient, so the same level of care and cautiousness should be applied, regardless of who’s regulating the innovation. Innovators do well when they leverage privacy as part of their business model positioning strategy. Ultimately, by embracing the well-founded rules and building innovations on practices that protect the rights of patients, the product is more likely to succeed long-term.

Welcome to COIQ, a first-of-its-kind video program about health innovators, early adopters and influencers and their stories about riding the roller coaster of health care innovation. I'm your host, Dr. Roxie, founder of Legacy DNA Marketing Group, and it's time to raise our COIQ.

Welcome back, COIQ listeners. On today's show I have Lucia Savage with us. She's the chief privacy and security officer at Omada Health. Welcome to the show.

Thank you.

I'm so glad to have you here. This is a subject that I don't get a chance to talk about very often, but I think it is something that is so relevant and meaningful for the health innovators who are listening to the show. So thank you for being here. So the first question I think, just to kind of ki-, or not really a question, just to kick things off, is just maybe start off by sharing a little bit about your background and what you do for those that are listening and don't know who you are.

Sure. Well, I've been practicing law a long time, and when I first started practicing, Al Gore had not yet invented the Internet, and so I've grown up in my practice, as has the Internet, and I became interested in doing all health care all the time in the late S, as HIPAA really was enacted, and have sort of steered my practice deeper and deeper into health care and really became enamored of the possibilities of health IT, as we started doing the early days of measurement before the Office of the National Coordinator was even a thing, when I got the privilege of serving the Office of the National Coordinator for Health IT as chief privacy officer from 2014 to 2017 and fell in love with health IT even more and came to Omada in early 2017.

Awesome.

At Omada, I have a portfolio of sort of all of our privacy strategy, obviously overseeing our compliance function,...

...and, and just to be a brief correction, I am not in charge of security. I am in charge of the theory and law of security, but we actually have an infosec guy who's awesome who does security, Bill Dorty.

Okay.

And then I'm in charge of regulatory, which is a whole new world for the IT innovation space. You know, who has to be licensed? What are the state laws that apply? How do you contract with a health insurance company? What impacts that health insurance company in your contracting process as you build out your business model, et cetera?

So, you know, in this world where we are digitizing healthcare and, you know, things are changing and you're, you know, completely dedicated to this industry of healthcare where we have the highest standards, it sounds like it would be a really exciting time to be in your role.

You know, I woke up this morning and I opened my phone with my cup of coffee and of course, by that time it was about nine twenty Eastern and my inbox was already flooded with what was happening in DC today, so that was a little early for me at six twenty in the morning, but it definitely woke me up. And yes, and I recruited people saying, if you come work for me, you will read about your job every day in the newspaper.

Yes, that's exciting, that's really exciting! So, you know, you let me know before we started here today that HHS announced a few new items just this morning, so it's kind of hot off the press, so maybe just kind of talk about those a little bit. What are they and how do you think they affect the health innovators who are listening today?

Sure. So number one is that HHS announced a longer period for people to file comments on these two really important proposed rules. One is a rule from the Office of the National Coordinator, which defines what is considered information blocking and what is not considered information blocking in an ecosystem where apps are making data calls on the holders that...

...protected health information been trying really hard for about six years to bring APIs to healthcare instead of faxes or direct connections for exchange, and this is a pretty big and important proposed rule that they put on the street, and they extended the comment period from May third to June third. So I would urge innovators who are building apps that might be making these data calls to really dig in on that. There's some great educational material that's digestible on ONC's website. I've blogged about it. Other people have written about it, but an extra thirty days is nice for everybody.

Mm.

And then CMS has a corollary rule, which is trying to bring those data, those APIs to health care, so that developers can build tools where consumers can get their own information out of their health plans via Aman Wha. So that can be a really important source, both for consumers being able to tell if their care has been paid for correctly, but also to collect their own health information and build a longitudinal record, and that period of time was extended as well, by the same thirty days. I think one of the reasons for the extension is the second thing that released today. So, you know, Congress is always asking agencies to do things and, aside from defining information blocking, Congress asked ONC to develop a sort of a model set of contracting documents. ONC calls it the Trusted Exchange Framework and Common Agreement, or TEFCA. One of the problems with the original date on the proposed rule was it asks a lot of questions about TEFCA, but nobody knew what the new version of TEFCA was, and so today they released their second iteration on TEFCA for comment. But this enables people to look at item two TEFCA and the proposed rule together as a whole.

Mm.

And then...

...and the third item they released was Office of Civil Rights, which is the HIPAA regulator, released five frequently asked questions about essentially in the zone of, if you are a health system, for example, and a patient presents their own app to collect their own health information from you and you release that information to them as you're supposed to, how much responsibility do you have for security things that happen in the patient's custody? Question for the doctors, and there's some really great FAQs about that that try to clarify, you know, how little responsibility a physician has for actions an individual takes with their health information, not using tools that the doctor, doctor's office didn't sponsor.

Right, right, right, exactly. So, you know, how do you think health innovators uphold their responsibility in following these laws and regulations and kind of maintaining, you know, trust when it comes to privacy?

So it's really important to understand there are sort of two classes of health, digital health innovation that are kind of running parallel in American society. One would be the class in which Omada squarely fits, which is, we use an app to deliver a healthcare service, but our entire business model falls inside traditional regulations of health care privacy under HIPAA.

Uh-huh.

And then the second category would be, you know, an app you might purchase for yourself and for your own health engagement purposes, but you just buy it on the app store, there's no health care providing and billing going on, and that app is literally just regulated by the Federal Trade Commission, whose rules are not specific to health itself.

Mm.

So huge, giant, important political debate going on about that right now and...

...Facebook came odown a let I cotctraseetc, but there really are two domains. So I'm going to talk first about the domain in which Omada falls. So legally, a company that chooses HIPAA, like we did, build our business model around it, we legally have the exact same roles as a doctor's office or a hospital. We can't mess it up and we don't. We can't monetize the data. We can't advertise to you with other people's ads about the data. We can't give it to people, except for our health care operations, as I look Al a host of rules that we have to comport with, we have to meet minimum security standards, etc., and that's been really fundamental to our business model because it gives our customers and our participants a lot of trust in what we do.

Sure.

I think, because the rules are different outside of HIPAA, I can't really speak to those businesses, because I'm not running one of them or advising one of them, but I think, you know, that's this political debate, is what does all that mean. I think there's a lot of, you know, journalism about that. People can look it up, and I think people rightfully should be very thoughtful about what happened, what they, where they put their own health information, as opposed to trusting the health care system to have well-founded rules that have been around almost twenty years now. HIPAA's handle it an appropriate way.

Mm, really, really great insights for audience. So, you know, how can health innovators uphold these regulations, especially when they have limited resources and are really focused on kind of just achieving their own business success?

Right. I mean, I think you have to really think about your business model, right? One of the things the whole Facebook story tells us is that what we privacy officers call ad tech, right, where the platform is generating advertising revenues through its data science, as opposed to providing healthcare through its data science,...

...is going to be evolving. It's going to involve, it's going to evolve because the California law, or whatever the feds do, so an innovator needs to pay attention to what that evolution looks like if they're going to go down that path.

Mm.

To me, the more interesting question is, given ONC's rule, circling back, and you'll find updo that Verdo! Well, what does it look like to have more apps helping people provide actual health care, to embrace these well-founded rules, as Omada has done, and build your model on embracing the right thing?

To give us an example?

Well, of course there's Omada, but another example, I'll make up a few.

Okay.

So let's say that you built a connectivity system where, before and after a person's ACL surgery, on their brace you had a little RFID chip that fed to an app that then went to your servers and you did data science on that to measure the gait of the person who was going to have this surgery, and you would have a before gait and an after gait.

Mm.

And there would be the surgery intervening. So you can have a business model where you monetize that and sell the insights from that to people who want to sell sports equipment to people in rehab.

Yep.

That's outside of HIPAA. Or you could build a business model where you help provide insights to the orthopedic surgeons about which braces work better, which physical therapists are providing more effective rehab and prehab, based on the gait of this individual, or we might end up with a measure in healthcare where the orthopedist makes more money if they can prove a better outcome via that gait measure, and so all those three latter examples are all straight in healthcare. If you're in one of those models, of course, you have to adhere to all the HIPAA privacy, security, breach notification rules.

Yep.

Is that a good example for you?

Yep, it is...

...very good. So I'm going to read here, because I want to make sure that I get this right, but in a recent article in TechCrunch, your CEO Sean Duffy said the success of digital health companies will hinge on whether patients feel comfortable sharing their most intimate data they possess, their personal health information, especially when they worry that data could impact their employment. So my question for you is, what privacy and security strategies do health innovators need to put in place?

Well, this is a pretty complicated question and it's probably more than we have time for today. So I'll just give you a few high-level ones.

Yes, please.

Okay, the first one I would say is that you have to really look at the kind of data you have and what its impact is for people. So, for example, we know that across the country, in certain clinical categories, despite the best efforts of civil rights and equal employment laws, there is health status discrimination. Hib EIHT, it's a really great example that's pretty fresh in everyone's mind. So think about your business model and what your data is and what the impact of people is on that data released in its raw form, and then don't do that. Figure out a way to report your value or demonstrate your value without putting information out into the universe that you know will harm people. You have to do it in a way that doesn't harm people, to really get to the ethical nut of the problem.

Sure.

So that's one. So is, there are some really amazing new tools evolving for actually explaining all of this to people. Sage Bionetworks has a great open source tool that I just love, really clear policy provisions you can actually build in on an online interface, and I'm hoping Omada will do these things...

...like a quiz, so that people say, oh yeah, I understand what that means, and I still want to do it. And then, lastly, you know, if people want their data, give it to them. If they want you to stop using it and extract themselves in the program, they should extract them. They should leave the program. Now, there are record keeping rules which mean you can't necessarily exercise the data. That's a European concept, not an American concept, but, you know, if people gave it to you for a collect for purpose, use it for that purpose.

Mm, yeah, you make it seem so black and white and cut and dry.

It's very complicated. I think the thing to think about is, you know, accounting for the dignity of the individual in your business model.

Mm.

And the reality of their life.

People before profits.

Well, we have a mode participant first, so that is definitely one of the things we think about as we come up with our own plans.

Yep, absolutely. So, you know, how do you think that this subject will influence the success or failure of health innovators?

I can only speak to our own experience, and we end up explaining our lives as legally equivalent to a doctor's office to almost every new customer that gets onboarded. Very persuasive story to tell about that, and that's what I would say is be persuasive and then stick to what you've said. Though our customers have a lot of confidence in us, because we have taken these obligations so seriously, o flipping about it. We don't, you know, we have. We had somebody ask me about a cap company that, you know, asserted that it was HIPAA compliant, and I'm not talking about Amazon, because I know people are interested, hat with a different company in Charlen. You know, we dug in, and we put me and our CIO and Ger the smart people on the phone and it wasn't persuasive. Their story wasn't persuasive. But if you're really going...

...to be in health care, you've got to master what HIPAA means and embrace it and sort of hold it up as something that is of core importance to your company.

Yeah, it sounds like you all have really leveraged this as either competitive advantage or part of your positioning strategy, and it seems like it served you well.

I think that is true, but I will say that the genesis of our sort of fundamental reliance on HIPAA is, when you are a covered entity and you collect the data, you use it to deliver your care, and so in our world that is our data science program, and that we collect the data like a doctor's office collects data, like a hospital collects data, that is the driving force behind our data science program, and that wasn't before my time at Omada. It was brilliant and it was intentional.

Mm, yeah. So you mentioned HIPAA. Let's talk about that a minute. So how does HIPAA fit into this story? So many times I've seen HIPAA used in the last five years as an excuse to take no action or to not make any change in adopting innovation, and, you know, it seems to have been driven by a lot of fear and uncertainty around privacy and security, so kind of just speak to that a little bit.

Sure. Well, you're taking me back to 2014, when I was competing for my job at ONC and I said to Karen DeSalvo, I want to do three things, and one of them was, I want to explain what HIPAA really says, and so we did a lot of work in that space from 2014 til when I left in 2017. Some of the guidance that OCR issued today actually comes out of work we collaborated with them on back then, and they've just kind of lifted it up and put it in a different place on their website, which is awesome.

Yep,...

...and so, you know, HIPAA has some wonderfully strong limits, but it also has some really flexible and extensible features. One really important feature is the privacy and security, and the privacy rule in particular, applies to, you know, protected health information in almost any form: comma-delimited file, an Excel spreadsheet. It could be, you know, in whatever database format we use here at Omada. I have no idea, that to the engineering experts. It could be on paper and it could be oral. So what you and I talk about, if you're my physician, or a recording of what we talk about, and the rules are the same in all those media, and I think that was a really prescient step that OCR took when it wrote those rules in two thousand s ago, is that don't limit it to a particular coran format, because it's whatever form and format it's in, and in that way, HIPAA has really stood the test of time. The last thing I'll say is, you know, I would say in 2014 definitely people are like, oh, it's all HIPAA's fault. Like, there's been a lot of really good education, and by the way, now that people can contrast the way HIPAA actually protects information from what's happening on social media, people are really beginning to understand, like, there are a lot of rules that aren't HIPAA that are maybe causing confusion, maybe enhancing protection, maybe undermining protection.

Hmm. So what are some of the myths around HIPAA that you could kind of just debunk a little bit for our audience?

Sure. My first one and my most favorite one and the one that fills my Twitter feed is that doctors can't give patients their own data. So let me break that down a little bit. There's an old rule. It's been there since two thousand, it's really old, that says patients can get their own data, and Congress is so focused on this they've actually interpreted for OCR...

...twice in statute since then, and essentially an individual can get a copy of their own data in an electronic form or format if it's available, so that can all be negotiated. No questions asked. It can't be withheld just because the doctor doesn't like where the person's going to put it. That was in this morning's FAQs, and it's in my Twitter feed like the for sense. The answer is: No, that's OON.

Right, right, right.

You can't make an individual drive to your office just to sign an authorization. You can use e-authorizations. So there's so much gunk clogging up the works in this space, but they're literally like many industries of blogs about how terrible the situation is, and, you know, I've written about it professionally. You know, Harlan Krumholz at Yale did a blind study of thirty seven hospitals. They published that. It's really terrible. And Seema Verma, who heads CMS, is talking about how she's, you know, her husband's a doctor and they wouldn't give him his records. It's just awful. So that's my number one in my sitelihes. We don't do that at Omada. We give you a lot of information right on your app and you can show it to whoever you want.

Yep.

And so that's number one. I think number two is that, you know, people are really afraid that if they are exchanging with another, you know, doctor-to-doctor exchange, and you send the wrong Lucia Savage's records, that, you know, it's going to be an awful catastrophe. If you actually look at the enforcement actions that OCR has brought, there's not a single one that has that fact pattern, not one, and there's hundreds and hundreds of enforcement activities. Enforcement activities are, you know, the fourth time around you forgot to automatically encrypt your laptops, or, you know, you didn't turn off former employees' accounts and they stole the data. Like, the enforcement activities are really, really terrible things.

Yeah...

Yeah, oops, it was the wrong Lucia Savage or Lisa Smith, or whoever your patient is, right. Okay, that makes sense. Anything else, or you think that's enough?

I could go on and on and off.

I can see the passion and I love it, and then I can also kind, I mean, like, you're really passionate about all of this, but I can really sense when I'm like, oh my gosh, she's on her soapbox. I love it.

I want to take your time with my soapbox, but I do have an active Twitter handle and people can certainly follow me there, and there's always some, not always, but there's often some kind of mythbusting going on. I like to put practical, useful and accurate information up on Twitter for people.

That's great. So I normally ask that question at the end, but go ahead and give it to him now. What's your Twitter handle?

@SavageLucia, pretty easy.

Awesome. So, just a couple more questions for you before we wrap up, and you kind of touched on this a little bit, but I want to just make sure that it's really clear: how do health innovators stay on top of and informed about the regulatory and legislative changes that are taking place?

Well, the cheap and easy way is, there are two cheap and easy ways. One is to get, you know, whatever the morning trades are that are the free version, like the free version of Morning eHealth, which is now only published three days a week, is usually decent. The next cheap way, like it's literally free, is subscribe to the Federal Register. So someday somebody will invite me to a webinar on how to subscribe to the Federal Register, but, can you not, they deliver the latest regulatory updates to your inbox every time something issues, and you just have to pick the subscription so you don't get overwhelmed with information. For example, you can subscribe just to Health and Human Services, and then it's only health agencies, that would be the FDA, ONC, CMS. And the third cheap way is follow the agencies on Twitter,...

...because usually executives on the agencies will put out, OCR is not so good at it, but FDA is great at it, CMS is decent at it, put out stuff you need to know on a, and they all have active social media accounts. So that's all the free ways, and then I think after that, probably, you know, look at what your product is, talk to people in your niche of healthcare and look at how they're educating themselves on these issues that are contemporaneous and potentially important. And then lastly, commenting is so important. Almost every time I'm in DC, somebody who's a former colleague says, I want to talk more to the innovator community. Now, innovators are very shy people. They don't necessarily want to talk in public, but I will assert again, as I did in my did, a plusive log, if we don't go to them, then they'll keep making policy that doesn't account for the needs of innovation.

Sure, couldn't agree with you more, absolutely. So Omada has been extremely involved in educating the industry stakeholders about the cost of not getting involved, right, like you just depicted. So, you know, why is it so important to you and your leadership team?

I think I'll do myself personally. I mean, I have a passion for policy and a passion for innovation, and I like to marry those two things whenever I can, so that's where my personal passion comes from. When I go out to get health care, I'm usually testing the system, because I know how it should work, but it doesn't work that way. It's frustrating.

Yep.

I think for Omada, you know, we were founded in 2011 and I think that we have always kind of been on this bleeding edge and really taking responsibility for the people looking out behind us. Now, some of those people are copycats, and obviously plagiarism is the sincerest form of flattery. So we take that, we're very...

...flattered.

Right, yeah.

But, you know, we have some resources that a startup with four people or nine people doesn't necessarily have, and so we really try to be open-minded, within the domain of we all have our own jobs to do, of really being helpful and informative.

Mm-hmm, yeah.

I Seo that San does. That Adrian does that, you know, many of our senior professionals interact with other startups, other people in the startup community on a regular basis.

Mm, awesome. I love the work that you're doing. I think that it's really important, and one of the things that I, you know, kind of have observed is that you're not just, you know, as an organization you're not just doing it for the, you know, personal gain that Omada receives, that you're really, you know, out there educating and informing for the betterment of the industry as a whole, which is wonderful.

That's true, but I also think that's also because it's very much in our blood that we are supplying healthcare. We have values like participant first, but we also have start with science. If our products are not grounded in science, then we need to rethink our products. We want to be improving the healthcare system. You know, we started with an easy test case, Diabetes Prevention Program, and we're tackling harder, more clinically complicated use cases now that we know what we're doing, but that's the whole point, is we want to change healthcare. We don't want to break it. We want to change it.

Mm, yep, okay. So my last question for you is, we have, you know, tons of health innovators in our audience today who are in the trenches. What advice do you have for them?

You know, it's hard for me to say, because this area, the possibilities of health IT to improve healthcare are almost limitless. They're almost limited only by imagination and safety, right? We don't...

...want to build anything that hurts people and make self care worse. And since I don't know what each person's trench looks like today, it's almost impossible for me to answer.

Okay, all right. Well, I think that's fair enough. I mean, I think that they're, you know, some of them are, you know, based upon my conversations with them, some of them are like really early and they can't even imagine investing resources in this particular discipline, and then others are just really confused and really not knowing where to go and how to stay informed. And then I think the third piece that I would say is, you know, paying for it. You know, the financial investment that needs to be made.

Yeah, I can say a couple things. So, first of all, there's actually a really great tool about what kind of thing you're building. It's on the FTC website. It's called the FTC mHealth app developer tool. I'll send out a Twitter link to it in a little while when I get offline with you. I mean, it was actually developed by the Federal Trade Commission, Office for Civil Rights, the FDA and ONC, and it's kind of a nice little Q&A you can take yourself to figure out if you're building a device or a service and what legal rules you might need to check on in HIPAA, outside of HIPAA. That's a great tool. It was released in April 2016, so three years ago now. So that's a great tool, free, paid by the American taxpayer.

And underutilized, I'm sure.

The second thing I would say is, you know, if you're setting up a complicated data system, you need people who really understand data curation and data engineering, and people are very willing to invest in that. I think the same is true with health care regulation. Don't underinvest in understanding your environment. To be scrappy, you may have...

...to hustle to get understanding, but go to people who are actually experienced in the area you want to know about.

Hmm, absolutely. Well, thank you so much for your time today and for sharing your wisdom with their audience. I know that there are going to be thousands of people that are going to find this really valuable, and they may even want to listen to it a couple of different times to really be able to grasp ahold of all of the wisdom that you shared with us today.

Well, thank you very much for having me. You asked some great questions and I hope the information is helpful to people.

Thank you so much. Bye-bye.

What's the difference between launching and commercializing a health care innovation? Many people will launch a new product. Few will commercialize it. To learn the difference between launch and commercialization and to watch past episodes of the show, head to our video show page at DrRoxie.com. Thanks so much for watching and listening to the show. You can subscribe to the latest episodes on your favorite podcast app, like Apple Podcasts and Spotify, or subscribe to the video episodes on our YouTube channel. No matter the platform, just search COIQ with Dr. Roxie. Until next time, let's raise our COIQ.
