June 12, 2025

 

Paula Stannard, JD

Director

Office for Civil Rights

Department of Health and Human Services

200 Independence Avenue, SW

Washington, DC 20201

 

Dear Director Stannard:

On behalf of the Workgroup for Electronic Data Interchange (WEDI), the nation’s leading authority on health information technology (IT), I extend my warmest congratulations on your appointment as the Director of the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS). Given your background as the Chief Legal Counsel of the Montana Department of Public Health and Human Services and previous service as a Senior Counselor and Advisor to Dr. Tom Price and Alex Azar, former HHS Secretaries, we believe you bring to this role a fresh understanding of the many privacy and security challenges impacting the delivery of high quality and efficient patient care. WEDI stands ready to work with you and your colleagues at OCR in creating a new era of efficient, effective, and secure health care.

 

WEDI was formed in 1991 by then Secretary of Health and Human Services under the George H.W. Bush Administration, Dr. Louis Sullivan. WEDI was designated in the 1996 Health Insurance Portability and Accountability Act (HIPAA) legislation as an advisor to HHS and we have collaborated with every administration since the passage of that landmark legislation. We have had effective working relationships with the directors of OCR for many years and have been honored to have previous directors, as well as deputy directors, speak at WEDI conferences and events. We also appreciated the opportunity to offer your agency recommendations on numerous privacy, security, and cybersecurity issues.

 

As you assume your leadership role at OCR, there are number of critical issues your agency will need to address. One important issue is the challenge of balancing the ability for consumers to access the information they need to be partners in the care delivery process, while appropriately protecting that data from inappropriate disclosures. New application programming interface (API) mandates on health plans and providers will permit unprecedented interoperability, yet these APIs also allow access to potentially sensitive protected health information by third-party applications not covered under HIPAA.

 

At the same time, there is an increasing threat of ransomware and other forms of cyber-attacks facing health care entities. The February 2024 cyberattack on Change Healthcare highlighted the devastating downstream impact on health care operations of a largescale ransomware event. It is imperative that providers, health plans, clearinghouses, health care vendors, and others transmitting or storing health information be armed with the appropriate guidance, tactics, and resources that enable the deployment of proper cyber hygiene practices. WEDI has been a leader in educating the industry on cybersecurity challenges and solutions. Our upcoming cybersecurity virtual event on July 15 on federal insights on today’s cyber threat landscape will feature speakers from the Cybersecurity & Infrastructure Security Agency, Federal Bureau of Investigation, National Institute of Standards and Technology, and experts from the private sector. We would be pleased to have you or one of your staff participate in the event.

 

As the collective voice of the health care industry on health IT issues, we offer our best wishes for great success during your tenure as OCR Director. As we have with each of your predecessors at OCR, we look forward to working with you to achieve our shared vision of an effective and secure health care system. We would be pleased to set up a meeting with you and/or your senior staff to discuss our respective organization’s priorities and explore collaboration opportunities. I can be reached at 202.368.2675 or rtennant@WEDI.org.

 

Sincerely,

Robert M. Tennant

Executive Director, WEDI