CVS Health is currently the eighth-largest company in the Fortune 500 and ranked 19th on the Fortune Global 500 list, with $194.58 billion in annual revenue and over 295,000 employees. Last December, CVS Health celebrated the one-year anniversary of its historic merger with Aetna, which simultaneously marked the broader rollout of localized HealthHUBs throughout the country, including in Atlanta, Tampa, Florida, and Philadelphia. Tracey Scraba, formerly Aetna’s Chief Privacy Officer, has since assumed the same CPO role at CVS Health, overseeing all privacy functions of the nation’s premier health innovation company. Scraba’s “north star” vision for her contribution to CVS Health involves more than just educating customers and internal stakeholders on the policies and processes required for maintaining a compliant privacy program; instead, Scraba’s impact potentially extends farther into the exploration of the possibilities that data aggregation and analysis can provide to uniformly improve the health of individuals as well as their communities.
Scraba’s career inadvertently prepared her for the unforeseen challenges and opportunities of her current role as CPO of CVS Health provides. Scraba’s first job after receiving her bachelor’s degree in health systems administration was at Aetna. She then simultaneously earned her JD and master’s degree in public health from UCONN at night while working at Aetna during the day, before departing the organization to spend a few years in private practice at Robinson & Cole. “I have been interested in law and healthcare my entire career,” says Scraba. It was when she returned to Aetna in the legal department that the foundation of her privacy career began to take shape. “My first role back at Aetna was legal counsel for National Accounts, working with large customers and negotiating contracts, and from there, I moved to support the Aetna Behavioral Health business and their work to address mental health parity, substance abuse, and other conditions, such as autism.” This is what Scraba really wanted to do because she was now serving, as she says, “in a legal capacity that was supporting a health-related function,” putting her closer to the clinical aspects of the business. “That was the sweet spot that ultimately opened the door to me becoming CPO,” admits Scraba.
As an in-house attorney who was now both familiar with the needs of the customer and the privacy laws related to sensitive conditions such as mental health and substance abuse, Scraba was the top choice for her superiors to elevate as the go-to privacy and security attorney for Aetna. This promotion to Senior Privacy and Security Legal Counsel was “right around the time when privacy and cyber were starting to become something beyond HIPAA, and the industry was starting to see external forces that were driving the function of privacy to be bigger than just a compliance function,” says Scraba.
Scraba’s current privacy team comprises about fifty people. “I had to bring everyone together pretty quickly, integrating two privacy teams that were about the same size,” professes Scraba. Step one for Scraba: “I spoke to every single individual about what their role was on the legacy CVS team.” What she discovered was role definition inefficiency. “Most people were working on and doing what they knew but not necessarily what they owned,” adds Scraba. Roles were redefined. There were also some talent gaps in the department, despite its sizeable workforce. “We recently added a data analyst to the privacy staff who uses data to create dashboards so we can see how we spend our time, comparing different potential risks in the organization, then reallocating time so we can be more proactive in our approach to privacy.”
Scraba’s group sits in the legal department. “My team is one of the largest in the legal department, but the majority of my team are non-lawyer professionals,” says Scraba. “Following the law is no longer enough,” continues Scraba. “I was being asked questions that cannot be answered by looking at the law–questions like, ‘How do we reduce enterprise risk around privacy? How do we prevent privacy disclosures from happening again?’ I quickly realized the law wasn’t going to answer those questions, and that the composition of my team and what skill sets I needed to have would need to change.” As she began to mature the privacy program at Aetna and later, with CVS Health, her goal was to make the privacy organization more of a data-driven operation. “That is really unusual in a legal department,” confesses Scraba. To achieve this goal, Scraba has started to develop a three-year strategic plan related to the privacy program at CVS Health. “In my experience, lawyers don’t usually do three-year strategic plans,” Scraba remarks, laughing. Even Scraba’s role had to and continues to change and evolve.
Scraba’s desired impact, which stems from her rooted passion for the law and for healthcare, aligns with the overall mission of CVS Health: helping people on their path to better health. According to Scraba, the privacy team can do this by thinking about the use of data through a different lens. “I’ve been trying to tell my team–no matter who they are–when you get a question about a use of data, don’t be so reactionary. Reflect on the question and think about our enterprise strategy: helping people on their path to better health.”
Could the right combination and analysis of data points collected by a conglomerated pharmacy, insurance, and wellness retailer participate in both individual and community-oriented preventative care? Is society ready to consent and explore the potential advantages of sharing sensitive data to companies capable of aggregating and analyzing it? In the decade ahead, privacy professionals will play a meaningful role in not just the regulation of data, but more meaningfully, the use of it.