Health Innovators

Episode · 3 years ago

Understanding the Privacy Regulations and Legislation Affecting Digital Health Innovators w/Lucia Savage

ABOUT THIS EPISODE

In an age of digitized healthcare, some of the biggest issues and challenges for innovators are privacy, how patient information is collected and protected, and how legislation impacts the landscape of innovation. How can health innovators uphold regulations in their business models and operations? How can privacy influence the success and failure of an innovation?

On this episode, Lucia Savage, Chief Privacy and Regulatory Officer at Omada Health, shares why healthcare innovators need to uphold and embrace privacy, how to make it part of their business model, and the biggest myths about HIPAA.

 

3 Things We Learned

  • New HHS announcements and how they impact innovators
  • The two classes of digital health innovation
  • How healthcare innovators should be thinking about privacy

 

The success of digital health companies is immensely dependent on how well they handle the sensitive issue of personal patient/customer data. Even if a digital innovation is only regulated by the FTC and not HIPAA, the impact of data breaches or mishandled information can do real damage to the patient, so the same level of care and cautiousness should be applied, regardless of who’s regulating the innovation. Innovators do well when they leverage privacy as part of their business model positioning strategy. Ultimately, by embracing the well-founded rules and building innovations on practices that protect the rights of patients, the product is more likely to succeed long-term.

Welcome to COIQ, a first-of-its-kind video program about health innovators, early adopters and influencers and their stories about riding the roller coaster of healthcare innovation. I'm your host, Dr. Roxy, founder of Legacy DNA Marketing Group, and it's time to raise our COIQ. Welcome back, COIQ listeners. On today's show I have Lucia Savage with us. She's the chief privacy and security officer at Omada Health. Welcome to the show. Thank you. I'm so glad to have you here. This is a subject that I don't get a chance to talk about very often, but I think it is something that is so relevant and meaningful for the health innovators who are listening to the show. So thank you for being here. So the first question, I think, just to kind of, or not really a question, just to kick things off, is just maybe start off by sharing a little bit about your background and what you do, for those that are listening and don't know who you are. Sure. Well, I've been practicing law a long time, and when I first started practicing law, Al Gore had not yet invented the Internet, and so I've grown up in my practice, as has the Internet, and I became interested in doing all healthcare all the time in the late s as HIPAA really was enacted, and I sort of steered my practice deeper and deeper into healthcare and really became enamored of the possibilities of health IT as we started doing early days of measurement, before the Office of the National Coordinator was even a thing. Well, I got the privilege of serving the Office of the National Coordinator for Health IT as chief privacy officer from 2014 to 2017 and fell in love with health IT even more and came to Omada in early 2017. Awesome. At Omada, I have a portfolio of sort of all of our privacy strategy, obviously overseeing...

...our compliance function, and just to be a brief correction, I am not in charge of security. I am in charge of the theory and law of security, but we actually have an infosec guy who's awesome, who does security, Bill Dougherty. Okay. And then I'm in charge of regulatory, which is a whole new world for the IT innovation space. You know, who has to be licensed? What are the state laws that apply? How do you contract with a health insurance company? What impacts that health insurance company in your contracting process as you build out your business model, etc. So, you know, in this world where we are digitizing healthcare and, you know, things are changing, and you're, you know, completely dedicated to this industry of healthcare where we have the highest standards, it sounds like it would be a really exciting time to be in your role. You know, I woke up this morning and I opened my phone with my cup of coffee and of course by that time it was about twenty Eastern and my inbox was already flooded with what was happening in dcly today. So that was a little early for me at six twenty in the morning, but it definitely woke me up. And yes, and I've recruited people saying if you come work for me, you will read about your job every day in the newspaper. Yes, that's exciting. That's really exciting. So you know, you let me know before we started here today that HHS announced a few new items just this morning, so it's kind of hot off the press. So maybe just kind of talk about those a little bit. What are they and how do you think they affect the health innovators who are listening today? Sure. So number one is that HHS announced a longer period for people to file comments on these two really important proposed rules. One is a rule from the Office of the National Coordinator which defines what is considered information blocking and what is not considered information blocking in an ecosystem where apps...

...are making data calls on the holders of that protected health information. Uh-huh. We've been trying really hard for about six years to bring APIs to healthcare instead of faxes or direct connections for exchange, and this is a pretty big and important proposed rule that they've put on the street, and they extended the comment period from May third to June third. So I would urge innovators who are building apps that might be making these data calls to really dig in on that. There's some great educational material that's digestible on ONC's website. I've blogged about it, other people have written about it, but an extra thirty days is nice for everybody. Hmm. And then CMS has a corollary rule, which is trying to bring those data, those APIs, to healthcare so that developers can build tools where consumers can get their own information out of their health plans via any so that can be a really important source both for consumers being able to tell if their care has been paid for correctly, but also to collect their own health information and build a longitudinal record. And that period of time was extended as well by the same thirty days. I think one of the reasons for the extension is the second thing they released today. So you know Congress is always asking agencies to do things, and aside from defining information blocking, Congress asked ONC to develop a sort of a model set of contracting documents. ONC calls it the Trusted Exchange Framework and Common Agreement, or TEFCA, and one of the problems with the original date on the proposed rule was it asks a lot of questions about TEFCA, but nobody knew what the new version of TEFCA was. And so today they released their second iteration of TEFCA for comment, but this enables people to look at item two, TEFCA, and the proposed rule together as a whole. Mmm. And then...

...and then the third item they released was Office of Civil Rights, which is the HIPAA regulator, released five frequently asked questions about, essentially in the zone of, if you are a health system, for example, and a patient presents their own app to collect their own health information from you and you release that information to them as you're supposed to, how much responsibility do you have for security things that happen in the patient's custody? Question for the doctors, and there's some really great FAQs about that that try to clarify, you know, how little responsibility a physician has for actions an individual takes with their health information, not using tools that the doctor, doctor's office didn't sponsor. Right, right, right, exactly. So you know, how do you think health innovators uphold their responsibility in following these laws and regulations and kind of maintaining, you know, trust when it comes to privacy? So it's really important to understand there are sort of two classes of health, digital health innovation that are kind of running parallel in American society. One would be the class in which Omada squarely fits, which is we use an app to deliver a healthcare service, but our entire business model falls inside traditional regulations of healthcare privacy under HIPAA. Uh-huh. And then the second category would be, you know, an app you might purchase for yourself and for your own health engagement purposes, but you just buy it on the app store. There's no healthcare providing and billing going on, and that app is literally just regulated by the Federal Trade Commission, whose rules are not specific to health itself. So huge, giant, important political debate going on about that right now, and relevant: Facebook, Cambridge...

...Analytica, et cetera, et cetera. But there really are two domains. So I'm going to talk first about the domain in which Omada falls. So, legally, a company that chooses HIPAA like we did, built our business model around it. We legally have the exact same rules as a doctor's office or a hospital. We can't mess it up and we don't. Uh-huh. We can't monetize the data, we can't advertise to you with other people's ads about the data, we can't give it to people except for our healthcare purposes. As a look, a host of rules that we have to comport with. We have to meet minimum security standards, et cetera, and that's been really fundamental to our business model because it gives our customers and our participants a lot of trust in what we do. Sure. I think because the rules are different outside of HIPAA, I can't really speak to those businesses because I'm not running one of them or advising one of them, but I think, you know, that's this political debate is. What does all that mean? I think there's a lot of, you know, journalism about that. People can look it up, and I think people, rightfully, should be very thoughtful about what happened, what they, where they put their own health information, as opposed to trusting the healthcare system to have well-founded rules that have been around almost twenty years now help us handle it in an appropriate way. Hmm. Really, really great insights for audience. So, you know, how can health innovators uphold these regulations, especially when they have limited resources and are really focused on kind of just achieving their own business success? Right. I mean, I think you have to really think about your business model. Right. One of the things the whole Facebook story tells us is that what we privacy officers call adtech, right, where the platform is generating advertising revenue through its data science as opposed to providing healthcare through its data science. Hmm. Is going to...

...be evolving. It's going to evolve. It's got to evolve because of the California law or whatever the feds do. So an innovator needs to pay attention to what that evolution looks like if they're going to go down that path. Mmm. To me, the more interesting question is, given ONC's rule, circling back and you'll find up that do. Well, what does it look like to have more apps helping people provide actual healthcare, to embrace these well-founded rules, as Omada has done, and build your model on embracing the right thing? To give us an example? Well, of course there's Omada, but another example, I'll, I'll pull a, make up a few. Okay, so let's say that you built a connectivity system where, before and after a person's ACL surgery, on their brace, you had a little RFID chip that fed to an app that then went to your servers and you did data science on that to measure the gait of the person who was going to have the surgery, and you would have a before gait and an after gait, mmm, and there would be the surgery intervening. So you can have a business model where you monetize that and sell the insights from that to people who want to sell sports equipment to people in rehab. Yep. That's outside of HIPAA. Or you could build a business model where you help provide insights to the orthopedic surgeons about which braces work better, which physical therapists are providing more effective rehab and prehab based on the gait of this individual. Or we might end up with a measure in healthcare where the orthopedist makes more money if they can prove a better outcome via that gait measure. So all those three latter examples are all straight in healthcare. If you're in one of those models, of course you have to adhere to all the HIPAA privacy, security, breach notification rules. Yep. Is that a good example for you? Yep, it is very good. So I'm going to read here...

...because I want to make sure I get this right. But in a recent article in TechCrunch, your CEO, Sean Duffy, said the success of digital health companies will hinge on whether patients feel comfortable sharing their most intimate data they possess, their personal health information, especially when they worry that data could impact their employment. So my question for you is what privacy and security strategies do health innovators need to put in place? Well, this is a pretty complicated question and it's probably more than we have time for today, so I'll just give you a few high-level ones. Yes, please. Okay, the first one I would say is that you have to really look at the kind of data you have and what its impact is for people. So, for example, we know that across the country in certain clinical categories, despite the best efforts of civil rights and equal employment laws, there is health status discrimination. HIV/AIDS is a really great example that's pretty fresh in everyone's mind. So think about your business model and what your data is and what the impact of people is on that data released in its raw form, and then don't do that. Figure out a way to report your value or demonstrate your value without putting information out into the universe that you know will harm people. You have to do it in a way that doesn't harm people to really get to the ethical nut of the problem. Sure. So that's one. Two is there are some really amazing new tools evolving for actually explaining all of this to people. Sage Bionetworks has a great open source tool that I just love, really clear policy provisions you can actually build in on an online interface, and I'm hoping a model will do these things like a quiz,...

...so that people say, oh, yeah, I understand what that means and I still want to do it. And then, lastly, you know, if people want their data, give it to them. If they want you to stop using it and extract themselves from the program, they should extract them, they should leave the program. Now there are record-keeping rules, which means you can't necessarily exercise the data. That's a European concept, not the American concept. But you know, if people gave it to you for our collect for purpose, use it for that purpose. Hmm. Yeah, you make it seem so black and white and cut and dry. It's very complicated. I think the thing to think about is, you know, accounting for the dignity of the individual in your business model, hmm, and the reality of their life. People before profits. Well, we have a motto, participants first. So that is definitely one of the things we think about as we come up with our own plans. Yep, absolutely. So, you know, how do you think that this subject will influence the success or failure of health innovators? I can only speak to our own experience, and we end up explaining our lives as legally equivalent to a doctor's office to almost every new customer that gets onboarded. Very persuasive story to tell about that, and that's what I would say is be persuasive and then stick to what you've said. So our customers have a lot of confidence in us because we have taken these obligations so seriously. Not flippant about it. We don't. You know, we had, somebody asked me about it, a tech company that, you know, asserted that it was HIPAA compliant, and I'm not talking about Amazon, because I know people are interested in that, with a different company, Charlie, you know, we dug in and we put me and our CIO and, you know, the smart people, on the phone and it wasn't persuasive. Their story wasn't persuasive. But if you're really going to be in healthcare, you've...

...gotta master what HIPAA means and embrace it and sort of hold it up as something that is of core importance to your company. Yeah, it sounds like you all have really leveraged this as either a competitive advantage or part of your positioning strategy, and it seems like it served you well. I think that is true. But I will say that the genesis of our sort of fundamental reliance on HIPAA is when you are a covered entity and you collect the data, you use it to deliver your care. And so in our world that is our data science program, and that we collect the data like a doctor's office collects data, like a hospital collects data. That is the driving force behind our data science program, and that wasn't before my time at Omada. It was brilliant and it was intentional. Hmm. Yeah, so you mentioned HIPAA. Let's talk about that a minute. So how does HIPAA fit into this story? So many times I've seen HIPAA used in the last five years as an excuse to take no action or to not make any change in adopting innovation, and you know, it seems to be driven by a lot of fear and uncertainty around privacy and security. So kind of just speak to that a little bit. Sure. Well, you're taking me back to 2014 when I was competing for my job at ONC and I said to Karen DeSalvo, I want to do three things, and one of them was I want to explain what HIPAA really says. And so we did a lot of work in that space from 2014 till when I left in 2017. Some of the guidance that OCR issued today actually comes out of work we collaborated with them on back then, and they've just kind of lifted it up and put it in a different place on their website, which is awesome. Yep. And so you know, HIPAA...

...has some wonderfully strong limits, but it also has some really flexible and extensible features. One really important feature is the privacy and security, and the privacy rule in particular, applies to, you know, protected health information in almost any form. A comma-delimited file in an Excel spreadsheet, it could be, you know, in whatever database format we use here at Omada. I have no idea; that's to the engineering experts. It could be on paper and it could be oral. So what you and I talk about, if you're my physician, or a recording of what we talked about, and the rules are the same in all those media, and I think that was a really prescient step that OCR took when it wrote those rules in 2000, is that don't limit it to a particular form and format, because it's whatever form and format it's in, and that way HIPAA has really stood the test of time. The last thing I'll say is, you know, I would say in 2014, definitely people are like, oh, it's all HIPAA's fault, but there's been a lot of really good education and, by the way, now that people can contrast the way HIPAA actually protects information from what's happening on social media, people are really beginning to understand there are a lot of rules that aren't HIPAA, that are maybe causing confusion, maybe enhancing protection, maybe undermining protection. Hmm. So what are some of the myths around HIPAA that you could kind of just debunk a little bit for our audience? Sure. My first one and my most favorite one and the one that fills my Twitter feed is that doctors can't give patients their own data. So let me break that down a little bit. There's an old rule. It's been there since 2000. It's really old. That says patients can get their own data, and Congress is so focused on this...

...they've actually interpreted it for OCR twice in statutes since then. And essentially an individual can get a copy of their own data in an electronic form or format if it's available. So that can all be negotiated, no questions asked. It can't be withheld just because the doctor doesn't like where the person's going to put it. That was in this morning's FAQs and it's in my Twitter feed. Like the first sentence, the answer is no. That's the most, right, right, right. You can't make an individual drive to your office just to sign an authorization. You can use e-authorizations. So there's so much gunk clogging up the works in this space that there are literally like mini-industries of blogs about how terrible the situation is, and you know I've written about it professionally. You know, Harlan Krumholz at Yale did a blind study of thirty-seven hospitals. They published that. It's really terrible. And Seema Verma, who heads CMS, is talking about how she's, you know, her husband's a doctor and they wouldn't give him his records. It's just awful. So that's my number one in my sidelines. We don't do that at Omada. We give you a lot of information right on your app and you can show it to whoever you want. Yep, and so that's number one. I think number two is that, you know, people are really afraid that if they are exchanging with another, you know, doctor-to-doctor exchange, and you send the wrong Lucia Savage's records, that, you know, it's going to be an awful catastrophe. If you actually look at the enforcement actions that OCR has brought, there's not a single one that has that fact pattern, not one. And there's hundreds and hundreds of enforcement activities. Enforcement activities are, you know, the fourth time around, you forgot to automatically encrypt your laptops or, you know, you didn't turn off former employees' accounts and they stole the data. Like the enforcement activities are really, really terrible things. Yeah,...

...oops, it was the wrong Lucia Savage or Lisa Smith or whoever your patient is. Right. Okay, that makes sense. Anything else? Or do you think that's enough? I could go on and on. Oh, I can see the passion and I love it, and then I can also kind of, I mean, like you're really passionate about all of this, but I can really sense when I'm like, oh my gosh, she's on her soapbox. I love it. I don't want to take your time with my soapbox, but I do have an active Twitter handle and people can certainly follow me there, and there's always, not always, but there's often some kind of mythbusting going on. I like to put practical, useful and accurate information up on Twitter for people. That's great. So I normally ask that question at the end, but go ahead and give it to them now. What's your Twitter handle? @SavageLucia. Pretty easy. Awesome. So just a couple more questions for you before we wrap up. And we kind of touched on this a little bit, but I want to just make sure that it's really clear. How do health innovators stay on top of, and informed about, the regulatory and legislative changes that are taking place? Well, the cheap and easy way is, there are two cheap and easy ways. One is to get, you know, whatever the morning trades are that are the free version, like the free version of Morning eHealth, which is now only published three days a week, is usually decent. The next cheap way, like it's literally free, is subscribe to the Federal Register. So someday somebody will invite me to a webinar on how to subscribe to the Federal Register. But give you not. They deliver the latest regulatory updates to your inbox every time something issues, and you just have to pick the subscription so you don't get overwhelmed with information. For example, you can subscribe just to Health and Human Services. And then it's only health agencies. That would be the FDA, ONC, CMS.
And the third cheap way is follow the agencies on Twitter, because usually executives on the agencies will put out, OCR is not so good at...

...it, but FDA is great at it, CMS is decent at it, put out stuff you need to know, and they all have active social media accounts. So that's all the free ways. And then, I think at for that, probably, you know, look at what your product is, talk to people in your niche of healthcare and look at how they're educating themselves on these issues that are contemporaries and potentially important. And then, lastly, commenting is so important. Almost every time I'm in DC somebody who's a former colleague says, I want to talk more to the innovator community. Now, innovators are very shy people. They don't necessarily want to talk in public. But I will assert again, as I did in my data Bolosi blog, if we don't go to them, then they'll keep making policy that doesn't account for the needs of innovation. Sure. Couldn't agree with you more. Absolutely. So Omada has been extremely involved in educating the industry stakeholders about the costs of not getting involved, right, like you just depicted. So you know, why is it so important to you and your leadership team? I think I'll do myself personally. I mean, I have a passion for policy and a passion for innovation and I like to marry those two things whenever I can. So that's where my personal passion comes from. When I go out to get healthcare, I'm usually testing the system because I know how it should work, and when it doesn't work that way, it's frustrating. Yep. I think for Omada, you know, we were founded in 2011 and I think that we have always kind of been on this bleeding edge and really taking responsibility for the people looking out behind us. Now some of those people are copycats, and obviously plagiarism is the sincerest form of flattery, so we take that. We're very flattered,...

...right. Yeah, yeah, but you know, we have some resources that a startup with four people or nine people doesn't necessarily have, and so we really try to be open-minded, within the domain of we all have our own jobs to do, of really being helpful and informative. Hmm. Yeah, I do that. Sean does that, Adrian does that. You know, many of our senior professionals interact with other startups, other people in start community on a regular basis. Hmm. Awesome, and I love the work that you're doing. I think that it's really important, and one of the things that I, you know, kind of have observed is that you're not just, you know, as an organization, you're not just doing it for the, you know, personal gain that Omada receives, that you're really, you know, out there educating and informing for the betterment of the industry as a whole, which is wonderful. That's true, but I also think that's also because it's very much in our blood that we are supplying healthcare. We have values like participants first, but we also have start with science. If our products are not grounded in science, then we need to rethink our products. We want to be improving the healthcare system. You know, we started with an easy test case, Diabetes Prevention Program, and we're tackling harder, more clinically complicated use cases now that we know what we're doing. But that's the whole point is we want to change healthcare. We don't want to break it, we want to change it. Hmm. Yep, okay. So my last question for you is we have, you know, tons of health innovators in our audience today who are in the trenches. What advice do you have for them? You know, it's hard for me to say, because this area, the possibilities of health IT to improve healthcare, are almost limitless. They're almost limited only by imagination and safety. Right. We don't want to...

...build anything that hurts people and makes healthcare worse. And since I don't know what each person's trench looks like today, it's almost impossible for me to answer. Okay, all right. Well, I think that's fair enough, and I think that they're, you know, some of them are, you know, based upon my conversations with them, some of them are like really early and they can't even imagine investing resources in this particular discipline. And then others are just really confused and really not knowing where to go and how to stay informed. And then I think the third piece that I would say is, you know, paying for it. You know, the financial investment that needs to be made. Yeah, I can say a couple things. So, first of all, there's actually a really great tool about what kind of thing you're building. It's on the FTC website. It's called the FTC mHealth app developer tool. I'll send out a Twitter link to it in a little while when I get offline with you. I mean, it was actually developed by the Federal Trade Commission, Office for Civil Rights, the FDA and ONC, and it's kind of a nice little Q&A you can take yourself to figure out if you're building a device or a service and what legal rules you might need to check on in HIPAA, outside of HIPAA. That's a great tool. It's released in April of 2016, so three years ago now. So that's a great tool, free, paid by the American taxpayer. Underutilized, I'm sure. The second thing I would say is there are, you know, if you're setting up a complicated data system, you need people who really understand data curation and data engineering, and people are very willing to invest in that. I think the same is true with healthcare regulation. Don't underinvest in understanding your environment. You have to be scrappy, you may have to hustle together standing, but it go...

...to people who are actually experienced in the area you want to know about. Hmm, absolutely. Well, thank you so much for your time today and for sharing your wisdom with our audience. I know that there are going to be thousands of people that are going to find this really valuable, and they may even want to listen to it a couple of different times to really be able to grasp ahold of all of the wisdom that you shared with us today. Well, thank you very much for having me. You ask some great questions and I hope the information is helpful to people. Thank you so much. Bye-bye. What's the difference between launching and commercializing a healthcare innovation? Many people will launch a new product, few will commercialize it. To learn the difference between launch and commercialization and to watch past episodes of the show, head to our video show page at DrRoxy.com. Thanks so much for watching and listening to the show. You can subscribe to the latest episodes on your favorite podcast app like Apple Podcasts and Spotify, or subscribe to the video episodes on our YouTube channel. No matter the platform, just search COIQ with Dr. Roxy. Until next time, let's raise our COIQ.
