The trusted source for
healthcare information and
Question: When we implement the new federal privacy rules, who should be the privacy official who the rules say must oversee the implementation and ensure patient privacy is protected? I’m sure our administrators will say that’s another duty for the risk manager to assume.
Answer: You’re not alone. A great many risk managers are bracing for the moment when they have to assume yet another role, says Gregory J. Naclerio, JD, partner and co-chair of health care practice at Ruskin Moscou in Mineola, NY. Naclerio has helped many institutions set up corporate compliance programs, and he notes many risk managers took on the duty of corporate compliance officer a year or so ago. "I was at a meeting of compliance officers yesterday, and the scuttlebutt is that hospitals are going to make them privacy officers now," Naclerio says. "I can tell you it’s not going to work."
The problem is that risk managers already are overburdened and they have to draw the line somewhere, he says. If the risk manager is not already the compliance officer and not already saddled with some other type of duty, it is possible — but still not advisable — to take on the role of privacy officer. Recent trends in the health care industry make it unlikely that there are many risk managers who still do only pure risk management and haven’t been given more duties, Naclerio says.
With every additional task, the risk manager’s performance is likely to suffer, he says. Most risk managers/compliance officers already are not doing a sufficient job of monitoring corporate compliance, Naclerio says. "People are already wearing two or three hats, and the compliance hat always is on the lowest rung. If they have time, they get around to compliance," Naclerio says. "If you add privacy officer to that, it would be on the bottom rung, or maybe you’d shove compliance down even further. That’s not good."
Risk managers should resist any suggestion that they can take on the privacy officer role and do it effectively, he says. At some point, he says, health care organizations will have to start hiring more people to take on these new roles mandated by the government, instead of automatically turning to the risk manager.
"There has to be a limit somewhere to how many tasks a person is charged with," Naclerio says. "It’s one thing to say that this person has this responsibility and this responsibility and this one too, but that’s not going to matter if the person can’t actually do those jobs. You have it all spelled out on paper, but the government’s going to expect that the person actually does the job."