The New Privacy Officer
Under the Compliance Umbrella
When privacy and security officer jobs were first created, they were typically placed in HIM departments. Recently some facilities have moved the role to their compliance departments. The move is mainly strategic: as HIPAA enforcement ramps up, some organizations consider that privacy has become closer in function to compliance.
“Privacy has truly become sort of its own world, an offshoot of HIM and IT,” Davis says. “It has become its own operational function, and it just seems logical to have it connected to compliance.”
The privacy and security officer role at St. Charles Health System was purposefully designed within the compliance department, not HIM, says Hofman, the system’s privacy and information security officer. While she feels her HIM expertise is invaluable to her role, aligning the role with compliance positions her to not just monitor medical records but also have oversight of the entire system’s operations and compliance efforts, she says. Over the years Hofman has taken on more compliance-related duties as the privacy and security officer.
“This gives us an opportunity to have an oversight on the release of records and audit without feeling like there is a conflict of interest with medical records,” she says.
they determine that a breach is unlikely to pose harm to the individuals. Lacking direct guidance in the rule, privacy officers
and their colleagues had to establish protocols and parameters
for assessing and documenting potential for harm.
The in-depth investigations required the acquisition of new
skills. They also required a reorganization of job duties, as
breaches have been taking up large amounts of a privacy officer’s time, says Angela Dinh, MHA, RHIA, CHPS, professional
practice director at AHIMA.
For privacy officers overseeing several facilities, workload has
skyrocketed. Davis’s workload doubled, she says, as she worked
with local organization privacy officers to help determine the
risk of harm in individual privacy incidents.
More Rulemaking to Come
Two of the biggest modifications to HIPAA have yet to take effect. In fact, they have yet to receive final rules.
HITECH expanded a patient’s rights to an accounting of the
disclosures of their health information. Given the burden associated with accounting for disclosures—and the faint interest
patients have shown in receiving them—the announcement put
covered entities on edge waiting for the actual rulemaking.
In its proposed rule the Office for Civil Rights sought to shift
the focus from disclosures to access, proposing that covered entities create and maintain access reports that would show patients, upon request, who had accessed their information kept
in electronic health records.
22 / Journal of AHIMA April 12
Though the industry generally supported the attempt to ease
the accounting of disclosures burden, many still saw significant
challenges in producing access reports. OCR is handling the accounting of disclosure provision in rulemaking separate from
the other HITECH privacy-related measures. A final rule is expected this year, and when it arrives privacy officers are expecting a busy time teasing apart the rule and helping bring their
organizations into compliance.
Another HITECH provision enables patients who pay for treatment out of pocket to request that information about the encounter not be reported to their insurer. Covered entities would be required to comply.
HIM professionals and privacy officers are still figuring out
how they would sequester information for these types of requests using today’s EHR systems. They will also require processes to ensure that months down the line the information is
not inadvertently disclosed in a routine record request.
HITECH’s modifications to the privacy rule have caused many
privacy officers to develop their research skills and legal knowledge. These are necessary in order to dig into statutes, interpret
the law, and then apply it back to their own facility.
Regulatory knowledge and having the ability to track state and
federal changes have always been key privacy officer skills, but
never more so than now, Dinh says.
“Today’s privacy officer really has to stay on top of the always-changing regulations and industry practices,” she says. In fact,
even that may not be enough—“It’s almost like they have to be
one step ahead.”
OCR Gets Serious about Enforcement
HITECH also strengthened the civil and criminal enforcement
The enforcement rule raised the maximum penalty for HIPAA violations to $1.5 million per year for all violations of an identical provision, and it also spurred HHS and OCR to step up their enforcement of HIPAA through privacy and security audits and investigations.
Pressure increased on privacy officers and their organizations to perform regular audits, fully document investigations of privacy violations, and update their policies on completing risk assessments.
In turn privacy officers needed to sharpen their investigative
skills, their ability to organize and work with databases, and respond to government audits like those performed by OCR, says
Judi Hofman, CAP, CHP, CHSS, the privacy and information security officer at St. Charles Health System in Bend, OR.
What once seemed an idle threat has become real: OCR has followed through on HITECH’s promise to investigate privacy and security breaches. Hofman has led her organization through two OCR audits, which required her to increase her knowledge of federal regulations and the auditing process.
As OCR and HHS continue to promote patient privacy rights to the public, violation reports will rise and government investigations will increase with them, so every privacy officer must adapt their skills to be prepared for an investigation.