Data Privacy & Ethics
Written by: CDO Magazine Bureau
Updated 12:00 PM UTC, Wed June 4, 2025
Phreesia, a leading health technology company, manages more than 170 million patient visits annually, an extraordinary scale that reflects its mission to make healthcare easier and more personalized. Over the past two decades, the organization has built a robust suite of digital tools that streamline appointment prep, enable personalized messaging, and help patients actively participate in their care journey.
At its core, the platform is designed to deliver timely, relevant information at critical moments, while safeguarding patient trust through thoughtful data stewardship.
In this first installment of a three-part series, Melissa Mitchell, Chief Privacy Officer at Phreesia, speaks with Todd Foley, CISO at Lydonia, about how her team approaches privacy and compliance in a fast-evolving regulatory landscape.
With a background spanning legal practice, hospital systems, and a senior privacy role at Amazon Health Services, Mitchell brings a uniquely multifaceted perspective to the role. She discusses how Phreesia balances the technical demands of HIPAA and state-level regulation with a clear, patient-first philosophy – one that prioritizes transparency, consent, and meaningful engagement.
Edited Excerpts
Q: How does Phreesia approach the protection of patient health data, considering the dynamic nature of state regulations?
This is a foundational element of our program, and it must be, given the regulatory frameworks we need to comply with. Our core product and many of our services are regulated under HIPAA to some degree, so that’s always top of mind. We also have a privacy policy that integrates emerging state laws in this privacy space, as well as other regulations governing the data we handle.
It’s a large and complex framework that we’ve had to piece together, and it can be overwhelming, with plenty of legal checkboxes to tick. But it’s helpful to think of it through the lens of a privacy “North Star.” For us, that means ensuring patients fully understand their actions when interacting with our platform and are clear on their choices. This landscape is constantly evolving, especially with new state laws, but if we keep that principle in focus, it makes it easier to navigate.
Ultimately, what I ask every day and what these regulatory frameworks are steering us toward is this: Are we making things clear? Are we ensuring that patients truly understand what they’re doing? We have a complex business model, but are we explaining it in a way that allows them to make informed decisions that are right for them? When you’re constantly focused on that, you’re on the right path as a privacy professional at Phreesia.
Q: Phreesia has a unique direct engagement with patients. Are you giving them a lot of flexibility too?
What sets us apart is that, even as patients make decisions or progress through different stages of their journey, we make ourselves readily available to answer their questions and gather their feedback. While we’re certainly not alone in facing the challenges of an evolving landscape and the responsibility of safeguarding patient data, we do have a distinct advantage. We’ve been committed to this mission for a long time, well before state regulations came into play.
Additionally, we offer multiple avenues for patients to engage with us, whether they want to ask questions, provide feedback, or change their mind about a decision they’ve made. If someone opts in and later decides to opt out, they can easily reach out to us to make that change. This flexibility and openness are really what make us unique.
We’re also focused on humanizing the process. It’s incredibly frustrating for people to wade through legalese and privacy policies to make informed decisions. That’s why, in addition to providing all the legal information, we strive to present it in a more accessible, relatable way. On our website, for example, we have a dedicated privacy commitment page and a FAQ section to help answer questions.
For those who want to dig deeper, they can write to us directly. We take those inquiries seriously, sometimes even entire teams review them, and I go through them as well. If necessary, I even reach out to patients myself to offer direct, personal responses.
CDO Magazine appreciates Melissa Mitchell for sharing her insights with our global community.