Under the Health Insurance Portability and Accountability Act, health care organizations are required to designate a HIPAA privacy officer. This company leader is responsible for establishing and monitoring compliance controls that keep patient health information protected. The officer oversees activities and processes associated with creating, introducing and maintaining workplace privacy policies that meet state and federal legal requirements.
Policies and Documentation
The privacy officer leads initiatives to establish policies, procedures and key documents addressing confidentiality and privacy requirements. In health care organizations, key documentation includes confidentiality consent and authorization forms, as well as information notices and other materials describing policies and requirements. The officer may work closely with legal, human resources and leadership team members to ensure all state and federal HIPAA requirements have been identified and met.
After implementing the necessary policies and documentation, the officer champions activities to promote employee awareness of individual and organizational obligations. HIPAA privacy requirements apply to health information that can be used, viewed or shared, so everyone with any degree of access to this information must know their obligations to protect it. Employee training must reach both permanent and temporary or contract-based staff members, as well as volunteers.
Training is not a one-time event. The privacy officer fosters HIPAA privacy awareness on an ongoing basis for all employees. To promote a culture of awareness, the officer stays abreast of updates to requirements at both state and federal levels and keeps employees informed. The officer also serves as the organization's representative to the U.S. Department of Health and Human Services and other legal bodies in any compliance reviews or investigations that are underway.
Monitoring and Investigating
The privacy officer oversees the monitoring of data access and investigations into breaches and complaints. Working closely with information technology team members, the officer makes sure adequate controls are in place to uphold privacy requirements. Controls range from data encryption to auditing of systems for proper access control levels. An investigation of any suspected breaches is prioritized over all other duties. If a breach affecting 500 or more patients is verified, the officer must notify both the media and the U.S. Department of Health and Human Services.