Journal of AHIMA - April 2012

The New Privacy Officer

Under the Compliance Umbrella

WHEN PRIVACY AND security officer jobs were first created, they typically were placed in HIM departments. Recently some facilities have moved the role to their compliance departments. The move is mainly strategic. As HIPAA enforcement ramps up, some organizations consider that privacy has become closer in function to compliance.

“Privacy has truly become sort of its own world, an off-
shoot of HIM and IT,” Davis says. “It has become its own
operational function, and it just seems logical to have it
connected to compliance.”
The privacy and security officer role at St. Charles Health
System was purposefully designed within the compliance
department, not HIM, says Hofman, the system’s privacy
and information security officer. While she feels her HIM ex-
pertise is invaluable to her role, aligning the role with com-
pliance positions her to not just monitor medical records
but also have oversight of the entire system’s operations
and compliance efforts, she says. Over the years Hofman
has taken on more compliance-related duties as the privacy
and security officer.

“This gives us an opportunity to have an oversight on the release of records and audit without feeling like there is a conflict of interest with medical records,” she says.

they determine that a breach is unlikely to pose harm to the individuals. Lacking direct guidance in the rule, privacy officers and their colleagues had to establish protocols and parameters for assessing and documenting potential for harm.

The in-depth investigations required the acquisition of new skills. They also required a reorganization of job duties, as breaches have been taking up large amounts of a privacy officer’s time, says Angela Dinh, MHA, RHIA, CHPS, professional practice director at AHIMA.

For privacy officers overseeing several facilities, workload has skyrocketed. Davis’s workload doubled, she says, as she worked with local organization privacy officers to help determine the risk of harm in individual privacy incidents.

More Rulemaking to Come

Two of the biggest modifications to HIPAA have yet to take effect. In fact, they have yet to receive final rules.

HITECH expanded a patient’s rights to an accounting of the disclosures of their health information. Given the burden associated with accounting for disclosures—and the faint interest patients have shown in receiving them—the announcement put covered entities on edge waiting for the actual rulemaking.

In its proposed rule the Office for Civil Rights sought to shift the focus from disclosures to access, proposing that covered entities create and maintain access reports that would show patients, upon request, who had accessed their information kept in electronic health records.

22 / Journal of AHIMA April 12

Though the industry generally supported the attempt to ease the accounting of disclosures burden, many still saw significant challenges in producing access reports. OCR is handling the accounting of disclosure provision in rulemaking separate from the other HITECH privacy-related measures. A final rule is expected this year, and when it arrives privacy officers are expecting a busy time teasing apart the rule and helping bring their organizations into compliance.

Another HI TECH provision enables patients who pay for treatment out of pocket to request that the information regarding the encounter not be reported to insurance companies. Covered entities would be required to comply.

HIM professionals and privacy officers are still figuring out how they would sequester information for these types of requests using today’s EHR systems. They will also require processes to ensure that months down the line the information is not inadvertently disclosed in a routine record request.

HITECH’s modifications to the privacy rule have caused many privacy officers to develop their research skills and legal knowledge. These are necessary in order to dig into statutes, interpret the law, and then apply it back to their own facility.

Regulatory knowledge and having the ability to track state and federal changes have always been key privacy officer skills, but never more so than now, Dinh says.

“Today’s privacy officer really has to stay on top of the always-changing regulations and industry practices,” she says. In fact, even that may not be enough—“It’s almost like they have to be one step ahead.”

OCR Gets Serious about Enforcement

HITECH also strengthened the civil and criminal enforcement of HIPAA.

The enforcement rule raised the maximum penalty amount for a HIPAA violation to $1.5 million, and also spurred HHS and OCR to step up their enforcement of HIPAA through privacy and security audits and investigations.

The pressure increased on privacy officers and their organizations to perform regular audits, fully document privacy violation investigations, and update policies on completing risk assessments.

In turn privacy officers needed to sharpen their investigative skills, their ability to organize and work with databases, and respond to government audits like those performed by OCR, says Judi Hofman, CAP, CHP, CHSS, the privacy and information security officer at St. Charles Health System in Bend, OR.

Once an idle threat, OCR has followed through on HITECH’s promise to investigate privacy and security breaches. Hofman has led her organization through two OCR audits, requiring her to increase her knowledge of federal regulations and the auditing process.

As OCR and HHS continue to promote patient privacy rights to the public, government investigations will only increase as violation reports go up, requiring all privacy officers to adapt their skills in order to be prepared for an investigation.