Why Assign a Privacy Officer?

Every company under HIPAA is required to assign a designated privacy or security officer within the company. Who should this person be and what are their responsibilities?
HIPAA's Privacy Rule mandates that each covered entity must designate a "privacy official" who is responsible for developing and implementing all policies and procedures relating to compliance. Additionally, covered entities must have a contact person that is responsible for providing information, taking complaints, and managing the administration of patients' rights with regard to their records.

Responsibilities of a Privacy Officer

The contact person is responsible for:

1) Distributing notices of information privacy practices

2) Securing each patient's acknowledgement of receiving these notices

3) Processing authorizations for research, marketing, and fundraising

4) Requesting meets for amendments or corrections of health records

5) Taking requests for additional confidentiality provisions

6) Providing information on HIPAA

7) Handling HIPAA violation complaints from patients and employees

HIPAA's Security Rule also states that a security official be designated, to handle similar tasks concerning security.

Finding A Qualified Officer

You will want to find a qualified officer who is not only familiar with HIPAA, but also knows how things operate in your workplace. This file contains a checklist that describes the qualifications and suggested skills for a compliance officer.

The ideal privacy officer is well-versed in both HIPAA's privacy requirements and those of state law. The officer should also have a background in clinical care, managing health records, IT (especially related to security), general compliance, and risk analysis/management.

It would be extremely difficult to find one person with the necessary range of knowledge mentioned, therefore usually the designated individual is someone with a willingness and ability to learn.

Training Privacy Officers

Depending on the size of the practice, there could be a single privacy officer, or multiple. Whatever the size of the organization, the privacy officer's training task may seem like an impossible one, with the scope of HIPAA alone.

However, by and large, HIPAA's requirements do not mean too much with the existing requirements of state law and professional codes of ethics. HIPAA may cause new administrative challenges, but the changes should not be that dramatic.

The daily tasks of a privacy officer revolve around performing routine compliance tasks. There shouldn't be too many challenges with a well-trained workforce. In the case of HIPAA-related problems within the organization, it's not only the privacy officer's job to correct issues, but everyone involved with the organization should take action.

More Articles