Q: It was great to meet you at the IAPP’s Global Summit 2023. Tell us about your background. How did you get to be the Chief Privacy Officer at McKesson?
I started my career as a regulatory healthcare lawyer at Alston & Bird, a large law firm headquartered in Atlanta, Georgia. During my first year in practice, HIPAA was signed by President Bill Clinton. By the time HIPAA went into effect, I had transitioned to in-house counsel at Emory Healthcare, one of the largest academic healthcare systems in the southeast region. I was part of a larger team that helped to implement HIPAA requirements throughout the hospitals, affiliated healthcare entities, and physician clinics. I didn’t realize it at that time, but that experience really set a great foundation for my privacy career.
When I joined McKesson, I first served as Regulatory Counsel and focused on a wide range of health care regulatory issues specifically supporting the technology division of the company. A few years later, due to a department restructure, I was offered the opportunity to become McKesson’s first Privacy Counsel, supporting the entire McKesson enterprise on a variety of privacy legal issues. Looking back, I can honestly say I was not ecstatic. I was worried that limiting my focus to “just” privacy and not the breadth of other healthcare regulatory issues to which I was accustomed would limit my growth and career opportunities. (Remember, this was way before the privacy profession exploded!) Within 6 months, I was overwhelmed! My privacy landscape had expanded way beyond HIPAA, Part 2, and Georgia laws, but now also included Section 5 of the FTC Act, the EU Directive, the EU US Safe Harbor, 50 state security breach laws, and many, many other laws.
It was from the Privacy Counsel role that I transitioned to the Chief Privacy Officer role. I was then responsible for creating the centralized privacy infrastructure for privacy compliance across McKesson. It also meant that I’d have to tactically implement the legal advice I was used to giving. Ultimately, I wound up overseeing both the enterprise privacy legal and compliance teams for several years. I had no idea what I signed up for at the time, but looking back, I wouldn’t change a thing! Focusing on privacy has been a phenomenal experience for me, both professionally and personally.
Q: Many people know the name McKesson, but certainly not the entire broad scope of the company. What is McKesson? What does the company do?
McKesson is the biggest and oldest healthcare services company that no one has ever heard of! The company is over 150+ years old and is headquartered in Irving, Texas. We partner with biopharma companies, healthcare providers, pharmacies, manufacturers, governments, and others to deliver products and services that make quality healthcare more accessible and affordable. We are mostly a B2B company and don’t often interface directly with patients or consumers, so our name isn’t always recognizable. However, our touch is broad and deep across the healthcare services industry.
In practical terms, we excel at getting all kinds of medications from the biopharma companies that manufacture them onto the shelves of retail pharmacies, into specialty pharmacies, into the hands of the health care providers who prescribe them, or into the hands of the patients that need them. We also help solve medication access, affordability, and adherence challenges for patients by working across healthcare to connect patients, pharmacies, providers, pharmacy benefit managers, health plans, and biopharma companies.
One of the many ways that McKesson supports the healthcare ecosystem is we currently ship out 70 million vaccine doses annually for the Centers for Disease Control and Prevention (CDC) Vaccines for Children Program. McKesson is also the largest seasonal flu vaccine distributor and distributes all kinds of vaccine types. In 2009, shortly after I started at McKesson, we managed the distribution of the H1N1 vaccine under the direction of the CDC, and more recently, we were named the U.S. government’s partner for distributing frozen and refrigerated COVID vaccines and supply kits. If you received a COVID vaccine at any time during or after the pandemic, it’s more than likely that McKesson helped get those vaccines to your provider, pharmacy or clinic.
Q: When many hear “big data” they often think of tech companies like Amazon. But data is hugely important to the biotech sector as well. What does “big data” mean to you? Why is it so important to the biotech sector?
When I think of big data, I always think of the three Vs – volume, velocity, and variety. There is a large amount of healthcare data, coming across or through multiple systems at incredibly high speeds, and from a variety of data sources. People traditionally think of healthcare data as the data specifically found within patient medical records, but it means and includes so much more than that. Big data is crucial to biotechnology because it allows researchers to analyze vast amounts of complex healthcare data from sources like not only medical records, but genomics, clinical trials, social media, data aggregators and various other sources. Researchers are then enabled to identify patterns, trends, and potential treatments much faster and more accurately. When researchers can better understand various disease mechanisms, it may help accelerate the development of new treatments, therapies, breakthroughs in drug discovery, and personalized medicine (treatments based on a person’s specific genetic makeup). Plain and simple, big data in the biotech sector will hopefully not only save lives, but also extend lives and increase the quality of those lives.
Q: Already this year we have seen several states pass new privacy laws. What is your strategy for keeping up? How do you avoid having to constantly reinvent the wheel?
I typically spend at least an hour a day reading law firm newsletters, updates and releases directly from government agencies, and other periodicals just to stay abreast of new laws, regulations, interpretations, and case decisions. There are so many great trade organizations, such as the IAPP (and yes, I am biased), law firms, consulting firms and vendors that regularly put together and update comprehensive charts, tables and summaries of the privacy landscape within the US, Europe, Canada and other jurisdictions. We also have a regular cadence of sharing relevant privacy information internally with our stakeholders. Lastly, McKesson has a fabulous Corporate Affairs team that keeps us abreast of potential new legislation, such that we can focus on the delta of what may be different about the new law or regulation rather than what is similar to legislation already passed.
Q: Another type of change is technological. AI and ChatGPT are in the news every day and it was a major topic at IAPP’s GPS23. As a privacy professional, what are your initial concerns?
AI has already impacted our lives in profound ways and continues to have the potential to change our lives for the better, but we also must be cognizant of the potential risks and make sure that AI is being used responsibly. Some of the risks include AI collecting sensitive or personal data without consent or using that data without permission. On top of that, AI can house or store large amounts of data, which can be hacked or stolen. That data can include medical record information, genetic information, financial information, geolocation details and other types of sensitive information. AI systems may also be seen as “black boxes” or not transparent, making it difficult to understand how decisions are made and how conclusions are reached. As a result, individuals might not know or realize what data is being used or how it is being used.
One of the most unsettling issues is that AI systems can learn from training data that is already biased, and that can lead to discrimination in applications like hiring, financial lending, and law enforcement. Even as a privacy professional, reading books like “The Fight for Privacy” by Danielle Keats Citron and “Unmasking AI” by Dr. Joy Buolamwini was very eye-opening as to the very practical dangers of AI when it is not responsibly deployed. AI has been used to create fake profiles, manipulate images, and impersonate or commit identity fraud resulting in all kinds of professional and reputational harms. While AI can make our lives easier, we need to proactively help organizations use AI responsibly and vet use cases appropriately. Privacy pros can be a great help in getting this done.
Q: When a business wants to integrate new technology or use technology in a new way, give us a peek at what that means for work from the privacy office? What does the privacy pro’s role look like in that process?
That typically means a privacy evaluation such as a Privacy Impact Assessment (PIA) comes into play. The Global Privacy Office (GPO) supports the PIA process by providing guidance, subject matter expertise, and oversight. The ultimate goal is to help ensure that the business properly evaluates and mitigates potential privacy risks associated with new or updated technologies or processes that collect personal information. The GPO creates standardized templates and processes for conducting PIAs, including how to identify high risk processing activities, how to initiate the PIA process, how to identify who the appropriate stakeholders might be and then outlining the necessary steps to complete the PIA. We partner with the local business unit compliance teams who initiate the PIAs, and then monitor the status to help ensure that the PIAs are completed and that privacy risks are identified, assessed and mitigated. A privacy pro can be invaluable during the PIA process by helping identify potential privacy issues early on and suggesting appropriate privacy controls.
Q: The privacy workload has exploded over the last 2 years with no sign of slowing. What is your secret for “managing up” so that you can marshal resources such as headcount and budget?
We are constantly thinking of ways to demonstrate the value of our services, but also of ways to simplify processes and make them more efficient. In other words, how do we do more with less, but still not compromise the quality of our services? We try to build awareness around the importance of data privacy by educating stakeholders about the privacy regulatory requirements and risks, but most importantly by aligning privacy initiatives with company goals. It’s incredibly important to prioritize your activities by risk level, and then establish your goals and objectives so that you are clear about what your team can accomplish and what might be a challenge. When you can articulate the objectives and risks in an understandable and practical way, clearly identify the work that needs to get done and the resources it will take to get there, the management team can make informed decisions about what risks it’s willing to take and what risks can be addressed later or perhaps differently.
Q: Across the industry, there is an incredible wave of new hiring. What are the top 1 or 2 must-haves when you look at a candidate? How do you know if a candidate is truly “doing privacy”? How much does exactly on-point legal experience matter compared to say project management or ability to craft a simple business solution?
The level of expertise needed will certainly depend on the level of the role for which we’re recruiting, but generally I’m looking for someone that not only has a good grasp of the privacy landscape, but someone who can effectively apply those regulatory parameters in a very practical way to the dynamic factual scenarios we face. It is often hard to determine how much a candidate is “doing privacy” based on paper alone, but once you meet the candidate in real time, you can often tell their depth of expertise based on a few probing questions related to their past experience or current role. At the end of the day, we need problem solvers and individuals who can help find solutions to unique problems. Someone who knows every single privacy law or regulation, but who cannot practically apply it well may not be the best fit for our team.
Q: Competition for top quality privacy candidates is fierce. We often advise candidates to ‘chase the CPO’ not just title/brand name/comp. What sets you apart from your peers?
I’m so fortunate to have been truly “doing privacy” for the past 20+ years. While the profession has certainly grown and expanded over the years, there are not many of us who have been truly focusing on privacy for that long. I’ve always worked in the healthcare industry, and it’s been a fantastic lens to learn about other privacy laws and see the evolving privacy landscape. In addition, McKesson has been a truly fascinating and dynamic place to build and grow your career. I’ve built an incredible team of privacy professionals who genuinely enjoy working together. It’s like we have our own internal consulting practice (with access to our legal partners) and have the opportunity to bounce ideas, suggestions, and challenges amongst the “practice” to find the best possible solutions. I have team members that are practical and smart, and who will collaborate with our stakeholders to help achieve the company’s mission – improving health care in every setting. I am also committed to helping my team members develop into the most talented professionals they can be. Hopefully, these professionals will always want to stay at McKesson, but sometimes it might result in them moving into CPO roles at other great companies too! My team members are outstanding privacy professionals, but most importantly, they are wonderful human beings.
Q: What advice would you give an up and coming privacy professional?
Whatever role you are currently doing, learn as much as you can and try to do it well because that often opens the door to new and different opportunities. Also, be flexible because the next best role (which may not be a “comfortable” role) doesn’t often materialize in the way you’d expect. Every path is not a direct path, but there is always something to be learned along the way. There are so many more paths to privacy than there were 25 years ago, so I recommend networking locally or regionally with other privacy professionals or joining privacy focused organizations like the IAPP. Every privacy role is different based on the level, the organization, and the specific team, so it’s helpful to have as much information and context as possible.
Q: The last several years have seen lots of change, especially with COVID, WFH, RTO policies etc. How do you maintain team culture? What does ‘culture’ even mean?
I currently have team members in five different locations and within multiple time zones. I make it a priority to meet virtually with my direct reports often – both as a group and individually – and I encourage them to have a similar cadence with their team members. Although COVID was a scary time, it either taught us or reminded us that if you are intentional, you can absolutely maintain a sense of community without being physically together. While there is no permanent substitute for human interaction, budget, time and distance are sometimes barriers. I’m not a fan of having a meeting just for the sake of a meeting, but I support having in person meetings to get team members together when and if your budget allows.
I could probably write an entire chapter on what “culture” means to me, but in short, I strive to maintain a team culture where my team members feel valued, where we are both results and client oriented, where we want to collaborate and can jump in the foxhole together on a tough or challenging situation, and where we can be unafraid to ask questions or ask for help. But I always want the team to remember that we’re more than just privacy professionals, we’re also good humans with rich lives when we’re not thinking about privacy principles.
Q: Anything else you’d like to share?
I honestly think you will not find a more encouraging, warm and collegial group of individuals than privacy professionals! At the end of the day, I try to live by a quote that a friend shared with me more than 20 years ago when an acquaintance passed unexpectedly. With a sigh, she said “we should all live in a way that if our time unexpectedly comes, people will remember how richly we lived.” Live rich, my friends, live rich.