The New Privacy
It has been a decade since the first privacy officers took their jobs in response to the HIPAA privacy rule. A slew of changes since then have added more responsibility, required more skills, and demanded more time of them than anyone could
By Chris Dimick
WHEN NANCY DAVIS, RHIA, was first appointed as a privacy officer in 2002, the position was intended to last one year. Set up HIPAA-compliant processes, train staff on the new regulation, and then occasionally refresh the program. Done.
Ten years later Davis is still the director of privacy and the security officer at Ministry Health Care in Wisconsin, and her program still isn’t “done.” In fact, she has few routine, work-a-day duties—her role continues to evolve.
“I’ve been doing this for 10 years, and I don’t feel like I’m doing ‘maintenance’ work yet,” she says. “There always seems to be
The privacy officer role has changed immensely since it was first mandated for covered entities under HIPAA in 2003. Privacy officers have seen their jobs grow as new regulations, technology, and data-sharing initiatives have reshaped the landscape. Protecting patient health information has become much more complex since 2003, when nearly all healthcare organizations used time-tested systems to protect paper records.
In turn, privacy officers now require an expanding set of knowledge and skills, and as regulatory pressures and technological initiatives have advanced, their roles have grown in strategic importance within their organizations.
Regulation Changes Roles
One of the biggest changes to the privacy officer role came with the passage of the HITECH Act in 2009. HITECH, a part of the broader American Recovery and Reinvestment Act, introduced the biggest set of changes in health information privacy regulation since HIPAA.
HITECH provisions modified and added to HIPAA, sending healthcare facilities and their privacy officers scrambling to understand and respond to stricter privacy protections, better information access tracking, and steeper penalties for noncom-
Responding to the Breach Notification Rule
The HITECH provision that has had the biggest impact to date is the breach notification rule. The interim rule, which is still awaiting its final version, requires healthcare facilities and their business associates to investigate and provide notification following a breach of unsecured protected health information.
The rule describes how covered entities must notify individuals and the Department of Health and Human Services.
In breaches affecting 500 or more individuals, covered entities must notify HHS and local media without unreasonable delay and within 60 days of discovery.
Privacy officers quickly saw their role heightened in awareness and importance.
A corporate privacy officer for 10 years at multifacility hospital system Orlando Health, Linda Noel, MEd, RHIA, has seen her role drastically change over the last several years due to HITECH’s breach notification rule.
“While the early years were focused on implementation, policy writing, and education, my role has now changed to investigator,” Noel says. “Most of my time is spent completing risk assessments and documenting [privacy incident] cases.”
When a privacy breach is suspected, privacy officers now must drop everything and begin their investigation in order to determine if a breach occurred and, if so, how to mitigate the damages and determine who is responsible.
A challenging aspect of the rule has been the so-called harm threshold, which allows organizations to forgo notification if