Journal of AHIMA - April 2012

The New Privacy Officer

Technology Changes Roles

In the years since HIPAA mandated the privacy officer role, health IT has radically changed the way privacy officers work. Technology has made the role more complex, Dinh says, because privacy officers must have a good understanding of electronic systems.

They must keep current on emerging technologies and the impact they could have on patient privacy. They must be able to make recommendations on technology and technology-driven data sharing such as health information exchange networks.

The increase in the adoption of EHR systems since 2003 has caused privacy officers to look at their protection policies and procedures and adapt them for the new environment.

“I think the role has continued to change, has continued to be challenging, partially because the laws have changed, but also partially because the environment has changed,” Davis says.

Hofman’s job changed drastically both times St. Charles implemented an EHR, she says. She worked with departments including human resources to define the appropriate data access permissions, sorting out which staff had access to patient records and determining the correct level of access.

Discovering and mitigating the unique privacy risks that EHRs pose required privacy officers to add technology expertise in short order.

Further, EHRs changed the way privacy officers could monitor who accessed patient records. Hofman had to learn how to use the EHR and other ancillary systems to audit records and assess processes.

An EHR offers a broader tool for monitoring privacy compliance, she notes, but it also means “there is a lot more to look at.” Even voluntary federal programs are having an impact on privacy officers. Patient engagement objectives in the meaningful use EHR incentive program require participants furnish patients with electronic copies of their medical records upon request. Privacy officers must work with colleagues to devise policies and procedures for protecting patient information when it is copied to a CD or delivered through a Web portal.

The development of risk management skills and even quality improvement skills are now necessary for privacy officers as they search for ways to mitigate risk in the EHR and other processes, Davis says.

Social Media and Mobile Devices

As the record becomes more accessible, it must also become more secure.

Health IT and EHRs allow easier manipulation and sharing of data. Privacy officers have recently found themselves in the position of the data usage police, calling into question necessary