The trusted source for
healthcare information and
Hospitals have to designate a privacy officer as mandated by the Health Insurance Portability and Accountability Act (HIPAA) of 1996. But hospitals are wondering: With so many privacy functions already falling under the health information realm, do they really need a separate position?
The American Health Information Management Association (AHIMA) in Chicago recently offered its thoughts on the subject by releasing a sample privacy officer job description. AHIMA supports the idea of HIM professionals being used in that capacity. "The privacy function is not new and has been conscientiously embraced by health information management (HIM) professionals for decades," the association says.
"Credentialed HIM professionals are uniquely qualified to be the designated privacy official as required by HIPAA through their academic preparation, work experiences, commitment to patient advocacy, and professional code of ethics," says AHIMA’s president, Linda L. Kloss, MA, RHIA.
A person approaching the privacy officer position from ground zero would have to make sure policies are consistent throughout each of the organization’s entities, standardize the policies, and promote privacy throughout the institutions and the entities as well as to the consumers, says Ray Pinder, MS, RHIA, director of Medical Record Services, Holy Redeemer Health System, Meadowbrook, PA.
"If some organizations are going to recruit [a privacy officer], I think there’s going to be quite a bit of overlapping of that person’s domain vs. the HIM director’s domain." he says. "Medical records and health information management folks have been dealing with information on privacy and confidentiality during their entire careers."
One industry analyst says she is not sure if many hospitals will actually build a privacy officer position. "I think most will either roll it right into the HIM Director’s normal responsibility or split the functions somewhere between the HIM director, compliance officer, IT director, and risk manager," says Darice Grzybowski, RHIA, manager, HIM Industry Relations with 3M Corporation -Health Information Systems, LaGrange Park, IL.
Issues such as the position of privacy officer are hot topics for Holy Redeemer’s HIPAA steering committee. The committee is made up of 24 members from the different entities in the health system, including long-term care facilities, visiting nursing associations, home care, a hospital, and an assisted living entity.
The committee is broken down into five subcommittees to handle the "five key areas of HIPAA": 1) electronic transactions/code sets and electronic signature; 2) assessments and contracts; 3) education; 4) security; and 5) privacy. Pinder is co-chair of the privacy subcommittee. The health system’s corporate compliance officer is the other co-chair.
The steering committee has actively discussed the AHIMA job description for privacy officer, Pinder says, and the need for the health system to have a privacy officer and a security officer. But the decision about how to fill those positions has been put on hold. "Because the security aspects of HIPAA have not been finalized yet through Congress, and because there is still a lot of debate about the privacy regulations, the organization doesn’t want to name or hire individuals to fill those capacities at this time."
The overlap of duties also gives the health system time to consider its choices. "Some of those duties mentioned in the AHIMA job description, such as the as policies and procedures on confidentiality and privacy, and patient access to information, are already overseen by the HIM director," Pinder says. "That’s why we are taking the stand right now that we don’t believe it’s the right time to hire the individuals until we really know the definite, final regulations on those two hot areas."
From its evaluation of the job description, the committee also knows that the duties of the subcommittees will be interrelated, such as the task of educating the employee population as well as the consumer population on privacy. "[The privacy subcommittee] will hook up with the subcommittee on education, help it to design the programs, and even be part of the programs when we roll them out."
In its job description, AHIMA assumed the privacy officer would report to the chief executive officer or maybe to the chief information officer. Pinder reports to the chief information officer. "Several members of senior management sit on the steering committees. Therefore, senior-level support is not in question," says Pinder.