The New Privacy Officer
Technology Changes Roles
In the years since HIPAA mandated the privacy officer role,
health IT has radically changed the way privacy officers work.
Technology has made the role more complex, Dinh says, because privacy officers must have a good understanding of electronic systems.
They must keep current on emerging technologies and the impact they could have on patient privacy. They must be able to
make recommendations on technology and technology-driven
data sharing such as health information exchange networks.
The increase in the adoption of EHR systems since 2003 has
caused privacy officers to look at their protection policies and
procedures and adapt them for the new environment.
“I think the role has continued to change, has continued to be
challenging, partially because the laws have changed, but also
partially because the environment has changed,” Davis says.
Hofman’s job changed drastically both times St. Charles implemented an EHR, she says. She worked with departments
including human resources to define the appropriate data access permissions, sorting out which staff had access to patient
records and determining the correct level of access.
Discovering and mitigating the unique privacy risks that EHRs
pose required privacy officers to add technology expertise in
Further, EHRs changed the way privacy officers could monitor
who accessed patient records. Hofman had to learn how to use
the EHR and other ancillary systems to audit records and assess
An EHR offers a broader tool for monitoring privacy compliance, she notes, but it also means “there is a lot more to look at.”
Even voluntary federal programs are having an impact on privacy officers. Patient engagement objectives in the meaningful
use EHR incentive program require participants to furnish patients with electronic copies of their medical records upon request. Privacy officers must work with colleagues to devise policies and procedures for protecting patient information when it
is copied to a CD or delivered through a Web portal.
The development of risk management skills and even quality improvement skills is now necessary for privacy officers as
they search for ways to mitigate risk in the EHR and other processes, Davis says.
Social Media and Mobile Devices
As the record becomes more accessible, it must also become
Health IT and EHRs allow easier manipulation and sharing of
data. Privacy officers have recently found themselves in the position of the data usage police, calling into question necessary