Todd Foley: Hello and welcome to the CDO Magazine interview series. I’m Todd Foley, the Chief Digital and Information Security Officer at Lydonia. Today, I have the pleasure of talking with Melissa Mitchell, Chief Privacy Officer at Phreesia. Melissa, thank you for taking the time to talk to us today.
Melissa Mitchell: Thanks for having me. Great to be here.
Todd Foley: Great. Maybe you can start by telling us a little bit about Phreesia—what does the company do, and what’s your role there?
Melissa Mitchell: Sure. So, Phreesia is a health technology company, and our mission is to make care easier and ensure every person is an active participant in their care. We have many products and services, but this all aims to do that in a variety of ways. We’ve been around for 20 years now, and, like I said, all of our products have different ways to help make care easier. That can be from a convenient way to prepare for appointments through our intake platform or do other visit-related activities, either pre-appointment or post-appointment. Then, of course, we have our platform that supports our core product, which enables people who are using the product to receive timely, relevant information at critical moments in their healthcare journey. So, if patients choose to opt into what we call personalized relevant healthcare messaging, then they also can receive that as part of our additional product offering on our platform. We manage a lot of patient visits a year—around 170 million patient visits a year—so that kind of scale allows us to, we think, make a significant impact. Whether that be through just making the appointment flow easier because you’re able to prepare for it using our software, or if that means, if you’ve chosen to opt into that personalized messaging, hopefully using patient data to ultimately make patients more active in their care journey, allow them to speak to their physicians with that data, and ultimately to improve health outcomes. So, that’s Phreesia. Me and my role—like you said, I’m the Chief Privacy Officer at Phreesia. That’s partly legal and partly privacy. I started my career as a practicing attorney, and I eventually made my way into this healthcare area, first by working at hospitals in Chicago, where I live, which was a great boots-on-the-ground experience for me and one that I often reflect on in my role here at Phreesia because we have many clients that are healthcare providers. 
Then I took a turn into more of a healthcare tech space when I was recruited to Amazon, where they were really just starting to grow into the healthcare space with a couple of different products and offerings in that space—into pharmacy. I was there when they acquired One Medical, and I eventually became the Chief of Privacy for what is now known as Amazon Health Services. But in my work at Phreesia, I’ve been able to combine a lot of those different past experiences to support this privacy program, which, you know, frankly they’ve been thinking about and having in place since day one. But we’ve really been evolving in these past two decades before I got there and now that I’m here. Like I said, I love to use all of the different common threads I’ve identified in my past and lessons learned to help really support that evolving mission, which I think is core to our mission in general.
Todd Foley: That’s kind of a remarkable perspective because of your background—you have that legal background, you’ve worked in the provider space, you’ve worked at a hyperscaler in terms of healthcare data, and now with—and correct me if I’m saying this wrong—a SaaS platform that caters to providers and others and has that immediate patient contact aspect of things as well. What is Phreesia’s approach to protecting patient health data, knowing that you have all of these different perspectives and a legal background to understand what is a very dynamic environment, in terms of state regulations, for instance?
Melissa Mitchell: Right. Well, I mean, you’re thinking about all the right things because there are these things that, you know, are foundational to our program because they have to be, because they’re regulatory frameworks that we, you know, we need to be compliant with. So, our core product and many of our products and services are regulated by HIPAA to a certain extent, so we’re thinking about HIPAA. But we also have a privacy policy that incorporates some additional state laws that are kind of emerging in this privacy area and other regulations that apply to the data that we hold. So, it’s a large framework that, you know, we have to think about, that we’ve pieced together, and that can be overwhelming, and that can be, you know, a lot of legal checkboxes to check off. But it also, I think, is helpful to think about sort of this privacy north star, as I think of it, and that’s really just ensuring that patients know what they’re doing when they interact with our platform and know what their choices are when they interact with our platform. So, I’ve talked with other privacy people, and it is a very dynamic, changing landscape, especially with regard to these state laws, but if you do keep that in the back of your mind—or the front of your mind, maybe—I think it’s helpful because really what I’m trying to ask every day, and I think what these regulatory frameworks are all leading to, is: do people understand what they’re doing? Is it clear? Are we explaining things clearly? Like, we do have a complicated business model. Are we doing a good job of explaining it to them in an easy-to-understand way so they can make a good judgment call that’s right for them? And when you’re thinking about that constantly, I think you’re on the right track as a privacy professional in a place like Phreesia.
Todd Foley: Yeah, you have a very unique—because of the platform, Phreesia has very unique engagement directly with patients. It sounds like you’re giving them a lot of flexibility too.
Melissa Mitchell: What I think makes us really unique is that even when they’ve made that choice or are in different parts of their journey, we’ve made ourselves available to them to answer questions and to get feedback from them. So, I think that’s something, you know, while we’re very much similar to other companies in terms of we’re all dealing with this evolving landscape and we all have the great responsibility of holding patient data, we’re also unique in that one, we’ve been doing it for a really long time. So, I happen to think that we’ve kind of got a leg up in that way, where we’ve made this part of our core mission long before some of these state laws have come along. But also, we have all of these different ingresses where folks can write in and ask questions or use, even in our platform, they can navigate their way to us to provide feedback or ask a question or change their mind about, you know, what they’ve previously decided to opt into. So, if they opted in, they can write into us and say, you know what, I’ve decided I don’t want to do this anymore, and they can change their mind about that. So, I think that’s really what makes us unique in this space—that we’re really thinking about that journey and then also trying to, you know, what I’ve been trying to do as much as possible is trying to humanize all of that. So, it’s really frustrating, I think, for people to have to read legal and privacy policies and understand all of them in order to make these choices that we all have to make every day. But if we can augment some of that legalese with human talk—whether that is like in the form of, on our website, we have this great commitment to privacy page, we have FAQs, so people who, you know, we know some people are thinking really deeply about this and really want to know, they can go on the website and they can read all of that—and then they can also write into us, and actually we read all of that. 
Sometimes a whole team of people read through questions and feedback, and I read through it myself. Sometimes I even respond directly to patients myself when I think that it might be warranted or helpful for them to hear from me.
Todd Foley: I really appreciate you sharing that perspective. It’s been a pleasure talking to you today. Thank you very much.
Melissa Mitchell: Thanks for having me.
Todd Foley: For those listening, please visit cdomagazine.tech for additional interviews, and thank you all for taking the time.