One question facing hospitals now that the medical record confidentiality portion of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 has hit the street is: "Who to appoint as privacy officer?" The privacy standards, released in December, require health care organizations to designate a privacy official who will be responsible for the development and implementation of policies and procedures surrounding privacy.
There is no single right answer to who should be the privacy officer, according to Al Josephs, director of corporate compliance at Hillcrest Health System in Waco, TX. Some organizations may give privacy responsibilities to the compliance officer, but whether that happens or not, the compliance officer should have a role in monitoring the organization’s adherence to these rules, he asserts. "It has to fit well within the culture of the organization, and different organizations may have different skill sets."
"If the compliance officer is struggling to get the basic compliance program running, I don’t think the answer is to lay another job on them," warns Michael Hemsley, vice president of corporate compliance and legal services for Catholic Health East in Newton Square, PA. "Then the question is, ‘Who should do that, and how does that tie in to the larger compliance program?’"
The Chicago-based American Health Information Management Association (AHIMA) this month attempted to offer some guidance in this area when it released a sample position description as a template for organizations to use as they develop privacy officer positions.
According to AHIMA, the privacy officer should oversee all ongoing activities related to the development, implementation, and maintenance of the organization’s policies and procedures covering privacy. That person also should be charged with ensuring that access to patient health information is in compliance with federal and state laws as well as the health care organization’s information privacy practices.
AHIMA recommends the privacy officer’s immediate supervisor should be the CEO, senior executive, or head of the health information management department.
Among the responsibilities outlined by AHIMA, the privacy officer must:
• provide development guidance and assist in the identification, implementation, and maintenance of organization information privacy policies and procedures in coordination with organization management and administration, the privacy oversight committee, and legal counsel;
• work with the organization’s senior management and corporate compliance officer to establish an organizationwide privacy oversight committee and serve in a leadership role in the committee’s activities;
• perform initial and periodic information privacy risk assessments and conduct related ongoing compliance monitoring activities in coordination with the entity’s other compliance and operational assessment functions;
• work with legal counsel and management, as well as key departments and committees to ensure the organization maintains appropriate privacy and confidentiality consent, authorization forms, and information notices and materials reflecting current organization and legal practices and requirements;
• oversee, direct, deliver, or ensure delivery of initial privacy training and orientation to all employees, volunteers, medical and professional staff, contractors, alliances, business associates, and other appropriate third parties;
• participate in the development, implementation, and ongoing compliance monitoring of all trading partner and business associate agreements to ensure all privacy concerns, requirements, and responsibilities are addressed.
AHIMA’s entire sample position description is available at www.ahima.org.