Meet our Chief Privacy Officer: Q&A with Melissa Mitchell

Melissa Mitchell, Phreesia’s Chief Privacy Officer, discusses our commitment to patient privacy, transparency and consent.

At Phreesia, we believe everyone should be in charge of their health information, and we’ve built our platform of personalized health content on the principles of privacy and consent.

We recently sat down with Melissa Mitchell, Phreesia’s Chief Privacy Officer, to discuss the importance of privacy in our work and dive into her background, approach to privacy and goals for the future.

Tell us a bit about your background before you came to Phreesia.

Mitchell: I started my career as a practicing attorney, and eventually made my way into the compliance and privacy world working in hospitals in Chicago, where I live. Then I made the move to health tech. When Amazon started venturing into healthcare, I joined the company first in compliance and then eventually as Chief of Privacy for Amazon Health. Healthcare was a new space for Amazon at the time, and there were data and privacy concerns that came with entering the market. Now in my role at Phreesia, I find that a lot of the patient and client questions we get surrounding data and privacy are similar to the questions I faced at Amazon, so I was able to hit the ground running with an understanding of the questions that people may have.

What made you excited to work at Phreesia? 

Mitchell: I have always been passionate about the intersection of data and privacy. I’m excited about the prospect of all the great things we can do with data to help people while also protecting their privacy in a meaningful way.

There are great conveniences and advantages in my life because I have trusted and believed in organizations that use data in a responsible way—with my consent and my understanding of how they are using it. As a result, I’m really invested in transparency and making sure patients understand how our platform works so they can make informed decisions.

One thing I was excited to see at Phreesia is that we have a lot of data showing that patients who receive high-quality, relevant health information at the point of care have better health outcomes, including higher rates of diagnosis and increased preventive screenings. One patient even shared with us that seeing relevant information after check-in actually saved her life. She was shown content related to symptoms she was experiencing, she asked her doctor about a potential treatment, they ran tests, and she ended up having a life-saving operation.

We also have compelling data that shows that a significant number of patients want to see health information that is relevant to them, especially before an interaction with their healthcare provider. I think it’s empowering and incredibly valuable that we offer patients that option.

What is Phreesia’s approach to privacy?  

Mitchell: Phreesia’s approach is why I was excited to join the organization. We are driven by protecting patient privacy every step of the way, and we follow the highest industry standards and best practices for securing and protecting user data.

Phreesia is unique because we act as a business associate to our healthcare organization clients, and we’re governed by HIPAA when we’re acting on their behalf—for instance when patients use Phreesia to check in for an appointment.

But for patients who provide optional consent, Phreesia also provides content that is sponsored by life sciences companies, advocacy groups and other organizations—without sharing data with those sponsors. While patients are checking in, we may present them with an optional HIPAA authorization. If they accept, Phreesia may use their data to show them personalized health information after their check-in is complete. During that part of the patient journey, our activities are governed by our privacy policy.

We’re always aiming for transparency when asking for consent so we can really feel confident that patients understand what they are agreeing to. It’s a constant priority to make sure we’re not just obtaining consent but that we’re being clear and transparent.

Mitchell: Trust and consent are at the heart of everything we do. We’re required by HIPAA to obtain consent to show patients relevant health information. But we’re going further to continually improve how we present that authorization—how clearly it reads, where it is located, etc. Some of the changes we’ve made include adding language at the top clearly stating that the form is optional and making the authorization itself shorter and hopefully easier to digest. And then beyond that authorization, we want the policies that govern our use of patient data to be very clear and understandable, which is why they’re easy to find on our website.

It’s incredibly important that patients trust us. Phreesia has been around for nearly two decades, and being confusing to patients does not align with our mission, vision and values.

I spend a lot of time talking directly to individuals who reach out with questions about our privacy practices—and I’m happy to do it. I enjoy talking with people directly because I think it can really move the needle on helping them understand what we do. We’re going beyond checking the box of being HIPAA-compliant and giving patients additional channels to tell us what they think about Phreesia, how clear our communication on consent is, and express any concerns. This is something we are highlighting now more than ever, and it’s been both exciting and enlightening to hear the feedback and use it to proactively make improvements. 

I want to make sure people understand what we do and what we don’t do—for instance, we don’t use trackers or cookies and we don’t ever sell data. What you do on the Phreesia platform won’t follow you around the internet. I want patients to understand that our platform is based on consent and that privacy is our North Star.

What are you looking forward to next? 

Mitchell: I’ve been at Phreesia for almost a year, and in that time, we’ve become more proactive in communicating about privacy to our patients and partners. One thing I want people to know is that there is a real person responding to their privacy questions—and that person is usually me. I truly enjoy speaking to people and helping them understand what we do, and I’m excited to do more of it.

We’ve made strides this year, but there will always be more work to be done, and that excites me. The privacy landscape, especially in healthcare, is changing every day. Companies are constantly looking at how to take the changing regulatory space and make it digestible for everyone. It’s an exciting challenge, and I truly enjoy translating what we do into a patient-friendly approach.