Health Innovators

Episode · 2 years ago

Understanding the Privacy Regulations and Legislation Affecting Digital Health Innovators w/Lucia Savage

ABOUT THIS EPISODE

In an age of digitized healthcare, some of the biggest issues and challenges for innovators are privacy, how patient information is collected and protected, and how legislation impacts the landscape of innovation. How can health innovators uphold regulations in their business models and operations? How can privacy influence the success and failure of an innovation?

On this episode, Lucia Savage, Chief Privacy and Regulatory Officer at Omada Health, shares why healthcare innovators need to uphold and embrace privacy, how to make it part of their business model, and the biggest myths about HIPAA.

 

3 Things We Learned

  • New HHS announcements and how they impact innovators
  • The two classes of digital health innovation
  • How healthcare innovators should be thinking about privacy

 

The success of digital health companies is immensely dependent on how well they handle the sensitive issue of personal patient/customer data. Even if a digital innovation is only regulated by the FTC and not HIPAA, the impact of data breaches or mishandled information can do real damage to the patient, so the same level of care and cautiousness should be applied, regardless of who’s regulating the innovation. Innovators do well when they leverage privacy as part of their business model positioning strategy. Ultimately, by embracing the well-founded rules and building innovations on practices that protect the rights of patients, the product is more likely to succeed long-term.

Welcome to COIQ, a first-of-its-kind video program about health innovators, early adopters and influencers and their stories about riding the roller coaster of healthcare innovation. I'm your host, Dr Roxy, founder of Legacy DNA Marketing Group, and it's time to raise our COIQ. Welcome back, COIQ listeners. On today's show I have Lucia Savage with us. She's the chief privacy and security officer at Omada Health. Welcome to the show. Thank you. I'm so glad to have you here. This is a subject that I don't get a chance to talk about very often, but I think it is something that is so relevant and meaningful for the health innovators who are listening to the show. So thank you for being here. So the first question, I think, just to kind of, or not really a question, just to kick things off, is just maybe start off by sharing a little bit about your background and what you do, for those that are listening and don't know who you are. Sure. Well, I've been practicing law a long time, and when I first started practicing law, Al Gore had not yet invented the Internet, and so I've grown up in my practice, as has the Internet, and I became interested in doing all healthcare all the time in the late s as HIPAA really wasn't acted, and I sort of steered my practice deeper and deeper into healthcare and really became enamored of the possibilities of health IT as we started doing early days of measurement, before the Office of the National Coordinator was even a thing. Well, I got the privilege of serving the Office of the National Coordinator for Health IT as chief privacy officer from two thousand and fourteen to two thousand and seventeen and fell in love with health IT even more and came to Omada in early two thousand and seventeen. Awesome. At Omada, I have a portfolio of sort of all of our privacy strategy, obviously overseeing...

...our compliance function, and just to be a brief correction, I am not in charge of security. I am in charge of the theory and law of security, but we actually have an infosec guy who's awesome, who does security, build dirty okay. And then I'm in charge of regulatory, which is a whole new world for the IT innovation space. You know, who has to be licensed? What are the state laws that apply? How do you contract with a health insurance company? What impacts that health insurance company in your contracting process as you build out your business model, etc. So, you know, in this world where we are digitizing healthcare and, you know, things are changing, and you're, you know, completely dedicated to this industry of healthcare where we have the highest standards. It sounds like it would be a really exciting time to be in your role. You know, I woke up this morning and I opened my phone with my cup of coffee and of course by that time it was about twenty eastern and my inbox was already flooded with what was happening in dcly today. So that was a little early for me at six twenty in the morning, but it definitely woke me up. And yes, and I've recruited people saying if you come work for me, you will read about your job every day in the newspaper. Yes, that's exciting. That's really exciting. So you know, you let me know before we started here today that DHHS announced a few new items just this morning, so it's kind of hot off the press. So maybe just kind of talk about those a little bit. What are they and how do you think they affect the health innovators who are listening today? Sure. So number one is that HHS announced a longer period for people to file comments on these two really important proposed rules. One is a rule from the Office of the National Coordinator which defines what is considered information blocking and what is not considered information blocking in an ecosystem where apps...

...are making data calls on the holders of protected health information. Uh huh. We've been trying really hard for about six years to bring APIs to healthcare instead of faxes or direct connections for exchange, and this is a pretty big and important proposed rule that they've put on the street, and they extended the comment period from May third to June third. So I would urge innovators who are building apps that might be making these data calls to really dig in on that. There's some great educational material that's digestible on ONC's website. I've blogged about it, other people have written about it, but an extra thirty days is nice for everybody. Hmm. And then CMS has a corollary rule, which is trying to bring those data, those APIs, to healthcare so that developers can build tools where consumers can get their own information out of their health plans via any. So that can be a really important source both for consumers being able to tell if their care has been paid for correctly, but also to collect their own health information and build a longitudinal record. And that period of time was extended as well by the same thirty days. I think one of the reasons for the extension is the second thing they released today. So you know Congress is always asking agencies to do things, and aside from defining information blocking, Congress asked ONC to develop sort of a model set of contracting documents. ONC calls it the Trusted Exchange Framework and Common Agreement, or TEFCA, and one of the problems with the original date on the proposed rule was it asks a lot of questions about TEFCA, but nobody knew what the new version of TEFCA was. And so today they released their second iteration on TEFCA for comment, but this enables people to look at item two, TEFCA and the proposed rule together as a whole. Mmm. And then...

...and then third item they released was Office of Civil Rights, which is the HIPAA regulator, released five frequently asked questions about, essentially in the zone of, if you are a health system, for example, and a patient presents their own app to collect their own health information from you and you release that information to them as you're supposed to, how much responsibility do you have for security things that happen in the patient's custody? Question for the doctors, and there's some really great FAQs about that that try to clarify, you know, how little responsibility a physician has for actions an individual takes with their health information, not using tools that the doctor, doctor's office didn't sponsor. Right, right, right, exactly. So you know, how do you think health innovators uphold their responsibility in following these laws and regulations and kind of maintaining, you know, trust when it comes to privacy? So it's really important to understand there are sort of two classes of digital health innovation that are kind of running parallel in American society. One would be the class in which Omada squarely fits, which is we use an app to deliver a healthcare service, but our entire business model falls inside traditional regulations of healthcare privacy under HIPAA. Uh huh. And then the second category would be, you know, an app you might purchase for yourself and for your own health engagement purposes, but you just buy it on the app store. There's no healthcare providing and billing going on and that app is literally just regulated by the Federal Trade Commission, whose rules are not specific to health itself. So huge, giant important political debate going on about that right now and relevant. Facebook, Cambridge...

...Analytica, et cetera, et cetera. But there really are two domains. So I'm going to talk first about the domain in which Omada falls. So, legally, a company that chooses HIPAA like we did, build our business model around it. We legally have the exact same rules as a doctor's office or a hospital. We can't mess it up and we don't. Uh huh. We can't monetize the data, we can't advertise to you with other people's ads about the data, we can't give it to people except for our healthcare persons. There's, look, a host of rules that we have to comport with. We have to meet minimum security standards, et cetera, and that's been really fundamental to our business model because it gives our customers and our, er, our participants a lot of trust in what we do. Sure. I think because the rules are different outside of HIPAA, I can't really speak to those businesses because I'm not running one of them or advising one of them, but I think, you know, that's this political debate is, what does all that mean? I think there's a lot of, you know, journalism about that. People can look it up and I think people, rightfully, should be very thoughtful about what happened, what they, where they put their own health information, as opposed to trusting the healthcare system to have well-founded rules that have been around almost twenty years now help us handle it in an appropriate way. Hmm, really, really great insights for our audience. So, you know, how can health innovators uphold these regulations, especially when they have limited resources and are really focused on kind of just achieving their own business success? Right? I mean, I think you have to really think about your business model. Right. One of the things the whole Facebook story tells us is that what we privacy officers call adtech, right, where the platform is generating advertising revenue through its data science as opposed to providing healthcare through its data science. Hmm, is going to...

...be evolving. It's going to evolve. It's got to evolve because of the California law or whatever the feds do. So an innovator needs to pay attention to what that evolution looks like if they're going to go down that path. Mmm. To me, the more interesting question is, given ONC's rule, circling back and you'll find up that do. Well, what does it look like to have more apps helping people provide actual healthcare, to embrace these well-founded rules, as Omada has done, and build your model on embracing the right thing? To give us an example? Well, of course there's Omada, but another example, I'll make up a few. Okay, so let's say that you built a connectivity system where, before and after a person's ACL surgery, on their brace, you had a little RFID chip that fed to an app that then went to your servers and you did data science on that to measure the gait of the person who was going to have the surgery, and you would have a before gait and an after gait, mmm, and there would be the surgery intervening. So you can have a business model where you monetize that and sell the insights from that to people who want to sell sports equipment to people in rehab. Yep, that's outside of HIPAA. Or you could build a business model where you help provide insights to the orthopedic surgeons about which braces work better, which physical therapists are providing more effective rehab and prehab based on the gait of this individual. Or we might end up with a measure in healthcare where the orthopedist makes more money if they can prove a better outcome via that gait measure. So all those three latter examples are all straight in healthcare. If you're in one of those models, of course you have to adhere to all the HIPAA privacy, security, breach notification rules. Yep. Is that a good example for you? Yep, it is very good. So I'm going to read here...

...because I want to make sure I get this right. But in a recent article in TechCrunch, your CEO, Shawn Duffy, said the success of digital health companies will hinge on whether patients feel comfortable sharing their most intimate data. They possess their personal health information, especially when they worry that data could impact their employment. So my question for you is, what privacy and security strategies do health innovators need to put in place? Well, this is a pretty complicated question and it's probably more than we have time for today, so I'll just give you a few high-level ones. Yes please. Okay, the first one I would say is that you have to really look at the kind of data you have and what its impact is for people. So, for example, we know that across the country in certain clinical categories, despite the best efforts of civil rights and equal employment laws, there is health status discrimination. HIV/AIDS is a really great example that's pretty fresh in everyone's mind. So think about your business model and what your data is and what the impact of people is on that data released in its raw form, and then don't do that. Figure out a way to report your value or demonstrate your value without putting information out into the universe that you know will harm people. You have to do it in a way that doesn't harm people to really get to the ethical nut of the problem. Sure. So that's one. Two is there are some really amazing new tools evolving for actually explaining all of this to people. Sage Bionetworks has a great open source tool that I just love, really clear policy provisions you can actually build in on an online interface, and I'm hoping a model will do these things like a quiz,...

...so that people say, oh, yeah, I understand what that means and I still want to do it. And then, lastly, you know, if people want their data, give it to them. If they want you to stop using it and extract themselves in the program, they should extract them, they should leave the program. Now there are record keeping rules, which means you can't necessarily exercise the data. That's a European concept, not the American concept. But you know, if people gave it to you for our collect for purpose, use it for that purpose. Hmm. Yeah, you make it seem so black and white and cut and dry. It's very complicated. I think the thing to think about is, you know, accounting for the dignity of the individual in your business model, hmm, and the reality of their life. People before profits. Well, we have a model, participants first. So that is definitely one of the things we think about as we come up with our own plans. Yep, absolutely. So, you know, how do you think that this subject will influence the success or failure of health innovators? I can only speak to our own experience, and we end up explaining our lives as legally equivalent to a doctor's office to almost every new customer that gets onboarded. Very persuasive story to tell about that, and that's what I would say is be persuasive and then stick to what you've said. So our customers have a lot of confidence in us because we have taken these obligations so seriously. Not flipping about it. We don't. You know, we had, somebody asked me about it, a tech company that, you know, asserted that it was HIPAA compliant, and I'm not talking about Amazon, because I know people are interested in that, with a different company, Charlie, you know, we dug in and we put me and our CIO and you're the smart people, on the phone and it wasn't persuasive. Their story wasn't persuasive. But if you're really going to be in healthcare, you've...

...gotta master what HIPAA means and embrace it and sort of hold it up as something that is of core importance to your company. Yeah, it sounds like you all have really leveraged this as either a competitive advantage or part of your positioning strategy, and it seems like it served you well. I think that is true. But I will say that the genesis of our sort of fundamental reliance on HIPAA is when you are a covered entity and you collect the data, you use it to deliver your care. And so in our world that is our data science program, and that we collect the data like a doctor's office collects data, like a hospital collects data. That is the driving force behind our data science program and that wasn't before my time at Omada. It was brilliant and it was intentional. Hmm, yeah, so you mentioned HIPAA. Let's talk about that a minute. So how does HIPAA fit into this story? So many times I've seen HIPAA used in the last five years as an excuse to take no action or to not make any change in adopting innovation, and you know, it seems to be driven by a lot of fear and uncertainty around privacy and security. So kind of just speak to that a little bit. Sure. Well, you're taking me back to two thousand and fourteen when I was competing for my job at ONC and I said to Karen DeSalvo, I want to do three things, and one of them was I want to explain what HIPAA really says. And so we did a lot of work in that space from two thousand and fourteen till when I left in two thousand and seventeen. Some of the guidance that OCR issued today actually comes out of work we collaborated with them on back then and they've just kind of lifted it up and put it in a different place on their website, which is awesome. Yep. And so you know, HIPAA...

...has some wonderfully strong limits, but it also has some really flexible and extensible features. One really important feature is the privacy and security, and the privacy rule in particular, applies to, you know, protected health information in almost any form. Comma-delimited file, an Excel spreadsheet, it could be, you know, in whatever database format we use here at Omada. I have no idea that. To the engineering experts, it could be on paper and it could be oral. So what you and I talk about, if you're my physician, or a recording of what we talked about, and the rules are the same in all those media, and I think that was a really prescient step that OCR took when it wrote those rules in two thousand, is that don't limit it to a particular form and format, because it's whatever form and format it's in, and that way HIPAA has really stood the test of time. The last thing I'll say is, you know, I would say in two thousand and fourteen, definitely people are like, oh, it's all HIPAA's fault, but there's been a lot of really good education and, by the way, now that people can contrast the way HIPAA actually protects information from what's happening on social media, people are really beginning to understand there are a lot of rules that aren't HIPAA, that are maybe causing confusion, maybe enhancing protection, maybe undermining protection. Hmm. So what are some of the myths around HIPAA that you could kind of just debunk a little bit for our audience? Sure, my first one and my most favorite one and the one that fills my Twitter feed is that doctors can't give patients their own data. So let me break that down a little bit. There's an old rule. It's been there since two thousand. It's really old. That says patients can get their own data, and Congress is so focused on this...

...they've actually interpreted for OCR twice in statutes since then. And essentially an individual can get a copy of their own data in an electronic form or format if it's available. So that can all be negotiated, no questions asked. It can't be withheld just because the doctor doesn't like where the person's going to put it. That was in this morning's FAQs and it's in my Twitter feed. Like the first sentence, the answer is no. That's the most right, right, right. You can't make an individual drive to your office just to sign an authorization. You can use e-authorizations. So there's so much gunk clogging up the works in this space that there are literally like many industries of blogs about how terrible the situation is, and you know I've written about it professionally. You know, Harlan Krumholz at Yale did a blind study of thirty seven hospitals. They published that. It's really terrible. And Seema Verma, who heads CMS, is talking about how she's, you know, her husband's a doctor and they wouldn't give him his records. It's just awful. So that's my number one in my sidelines. We don't do that at Omada. We give you a lot of information right on your app and you can show it to whoever you want. Yep, and so that's number one. I think number two is that, you know, people are really afraid that if they are exchanging with another, you know, doctor-to-doctor exchange, and you send the wrong Lucia Savage's records, that you know it's going to be an awful catastrophe. If you actually look at the enforcement actions that OCR has brought, there's not a single one that has that fact pattern, not one. And there's hundreds and hundreds of enforcement activities. Enforcement activities are, you know, the fourth time around, you forgot to automatically encrypt your laptops or, you know, you didn't turn off former employees' accounts and they stole the data. Like the enforcement activities are really, really terrible things. Yeah,...

...oops, it was the wrong Lucia Savage or Lisa Smith or whoever your patient is. Right. Okay, that makes sense. Anything else? Or do you think that's enough? I could go on and on. And I can see the passion and I love it and then I can also kind, I mean like you're really passionate about all of this, but I can really sense when I'm like, oh my gosh, she's on her soapbox. I love it. I don't want to take your time with my soapbox, but I do have an active Twitter handle and people can certainly follow me there and there's always some, not always, but there's often some kind of mythbusting going on. I like to put practical, useful and accurate information up on Twitter for people. That's great. So I normally ask that question at the end, but go ahead and give it to them now. What's your Twitter handle? @SavageLucia. Pretty easy. Awesome. So just a couple more questions for you before we wrap up. And you kind of touched on this a little bit, but I want to just make sure that it's really clear. How do health innovators stay on top of, and informed about, the regulatory and legislative changes that are taking place? Well, the cheap and easy way is, there are two cheap and easy ways. One is to get, you know, whatever the morning trades are. There are the free version, like the free version of Morning eHealth, which is now only published three days a week, is usually decent. The next cheap way, like it's literally free, is subscribe to the Federal Register. So someday somebody will invite me to a webinar on how to subscribe to the Federal Register. But give you not. They deliver the latest regulatory updates to your inbox every time something issues and you just have to pick the subscription so you don't get overwhelmed with information. For example, you can subscribe just to Health and Human Services. And then it's only health agencies. That would be the FDA, ONC, CMS.
And the third cheap way is follow the agencies on Twitter, because usually executives on the agencies will put out, OCR is not so good at...

...it, but FDA is great at it. CMS is decent at it, put out stuff you need to know, and they all have active social media accounts. So that's all the free ways. And then, I think after that, probably, you know, look at what your product is, talk to people in your niche of healthcare and look at how they're educating themselves on these issues that are contemporary and potentially important. And then, lastly, commenting is so important. Almost every time I'm in DC somebody who's a former colleague says, I want to talk more to the innovator community. Now, innovators are very shy people. They don't necessarily want to talk in public. But I will assert again, as I did in my data Bolosi blog, if we don't go to them, then they'll keep making policy that doesn't account for the needs of innovation. Sure, couldn't agree with you more. Absolutely. So Omada has been extremely involved in educating the industry stakeholders about the costs of not getting involved, right, like you just depicted. So you know, why is it so important to you and your leadership team? I think I'll do myself personally. I mean, I have a passion for policy and a passion for innovation and I like to marry those two things whenever I can. So that's where my personal passion comes from. When I go out to get healthcare, I'm usually testing the system because I know how it should work, and when it doesn't work that way, it's frustrating. Yep. I think for Omada, you know, we were founded in two thousand and eleven and I think that we have always kind of been on this bleeding edge and really taking responsibility for the people looking out behind us. Now some of those people are copycats and obviously plagiarism is the sincerest form of flattery, so we take that. We're very flattered,...

...right. Yeah, yeah, but you know, we have some resources that a startup with four people or nine people doesn't necessarily have, and so we really try to be open minded, within the domain of we all have our own jobs to do, of really being helpful and informative. Hmm, yeah. I do that. Shawn does that, Adrian does that. You know, many of our senior professionals interact with other startups, other people in the startup community, on a regular basis. Hmm, awesome, and I love the work that you're doing. I think that it's really important and one of the things that I, you know, kind of have observed is that you're not just, you know, as an organization, you're not just doing it for the, you know, personal gain that Omada receives, that you're really, you know, out there educating and informing for the betterment of the industry as a whole, which is wonderful. That's true, but I also think that's also because it's very much in our blood that we are supplying healthcare. We have values like participants first, but we also have start with science. If our products are not grounded in science, then we need to rethink our products. We want to be improving the healthcare system. You know, we started with an easy test case, Diabetes Prevention Program, and we're tackling harder, more clinically complicated use cases now that we know what we're doing. But that's the whole point is we want to change healthcare. We don't want to break it, we want to change it. Hmm, yep, okay. So my last question for you is, we have, you know, tons of health innovators in our audience today who are in the trenches. What advice do you have for them? You know, it's hard for me to say, because in this area, the possibilities of health IT to improve healthcare are almost limitless. They're almost limited only by imagination and safety. Right. We don't want to...

...build anything that hurts people and makes healthcare worse. And since I don't know what each person's trench looks like today, it's almost impossible for me to answer. Okay, all right. Well, I think that's fair enough and I think that they're, you know, some of them are, you know, based upon my conversations with them, some of them are like really early and they can't even imagine investing resources in this particular discipline. And then others are just really confused and really not knowing where to go and how to stay informed. And then I think the third piece that I would say is, you know, paying for it. You know, the financial investment that needs to be made. Yeah, I can say a couple things. So, first of all, there's actually a really great tool about what kind of thing you're building. It's on the FTC website. It's called the FTC m hat, mHealth app developer tool. I'll send out a Twitter link to it in a little while when I get offline with you. I mean, it was actually developed by the Federal Trade Commission, Office for Civil Rights, the FDA and ONC, and it's kind of a nice little Q and A you can take yourself to figure out if you're building a device or a service and what legal rules you might need to check on in HIPAA, outside of HIPAA. That's a great tool. It's released in April of two thousand and sixteen, so three years ago now. So that's a great tool, free, paid by the American taxpayer. Underutilized, I'm sure. The second thing I would say is, you know, if you're setting up a complicated data system, you need people who really understand data curation and data engineering, and people are very willing to invest in that. I think the same is true with healthcare regulation. Don't underinvest in understanding your environment. You have to be scrappy, you may have to hustle together standing, but it go...

...to people who are actually experienced in the area you want to know about. Hmm, absolutely. Well, thank you so much for your time today and for sharing your wisdom with our audience. I know that there are going to be thousands of people that are going to find this really valuable and they may even want to listen to it a couple of different times to really be able to grasp ahold of all of the wisdom that you shared with us today. Well, thank you very much for having me. You ask some great questions and I hope the information is helpful to people. Thank you so much. Bye bye. What's the difference between launching and commercializing a healthcare innovation? Many people will launch a new product, few will commercialize it. To learn the difference between launch and commercialization and to watch past episodes of the show, head to our video show page at Dr Roxycom. Thanks so much for watching and listening to the show. You can subscribe to the latest episodes on your favorite podcast app like Apple Podcasts and Spotify, or subscribe to the video episodes on our YouTube channel. No matter the platform, just search COIQ with Dr Roxy. Until next time, let's raise our COIQ.
