HIPAA PRIVACY OFFICER – How to Select One?

The HIPAA rule mandates that each covered entity and business associate of a covered entity designate a HIPAA Privacy Officer (PO), and the job’s a big one.

With the many ongoing changes to HIPAA, the Privacy Officer’s role requires growing responsibility, a larger skill set, and heavier time demands than it did when HIPAA first went into effect. New regulations and ever-changing technology have made protecting PHI a complex job, and the trend will likely continue.

If you’re a small to mid-sized organization, we understand that you’re likely not hiring a dedicated HIPAA Privacy Officer and that the role is probably given to someone who already has a full plate, like the office or practice manager.

So, how can you choose the best candidate for the HIPAA Privacy Officer role?

How can you divvy up the work of the HIPAA Privacy Officer so that it’s not a burden to one person?

Our blog post this week delves into the job of the HIPAA Privacy Officer, explaining what a PO does and the qualifications they need to make HIPAA compliance successful, as well as tips for doing the job as effectively as possible.

Privacy Officer Duties and Responsibilities

What, exactly, is the role of the Privacy Officer?

The HIPAA Privacy Officer oversees all ongoing activities related to the development, implementation, and maintenance of the practice/organization’s Privacy Policies and Procedures in accordance with applicable federal and state laws.

They are responsible for the organization’s privacy program, which defines, develops, implements, and maintains policies and processes that provide effective privacy practices. Above all, these practices minimize risk and ensure the confidentiality of protected health information (PHI).

The responsibilities of a HIPAA Privacy Officer include:

  1. Firstly, adopting appropriate Policies and Procedures to comply with the HIPAA Privacy Rule.
  2. Updating Privacy Policies and Procedures (annually)
  3. Sending out the Notice of Privacy Practices to all patients/individuals
    1. Notify patients when you modify your Notice of Privacy Practices
    2. Health plans must notify individuals covered by the plan of the availability of the notice and how to obtain the notice at least once every three years.
  4. Distributing Business Associate Agreements to all Business Associates initially, collecting the signed agreements, and updating any Business Associate Agreements as needed
  5. Monitoring Business Associates to make sure they are correctly implementing their HIPAA compliance program
  6. Ensuring all HIPAA-related documents and information are correct and up-to-date
  7. Overseeing the implementation of client and/or employee Privacy Rights
  8. Monitoring all covered items for compliance with Privacy Policies and Procedures
  9. Receiving and responding to complaints of alleged non-compliance with the HIPAA Privacy Rule
  10. Working closely with legal counsel and the Security Officer
  11. Coordinating the training of all employees that come in contact with PHI
  12. Lastly, answering HIPAA-related questions from fellow employees and clients

Qualifications of a HIPAA Privacy Officer

Now that you understand what a HIPAA Privacy Officer does, you can understand the type of person that would be the best fit for the job.

Manager or Officer Within the Company

The HIPAA Privacy Officer’s high position and broad understanding of the company will give them the respect from fellow employees that is required when setting a receptive environment for HIPAA.

HIPAA compliance needs to be regarded as a vital part of the company’s focus. A respected leader is also necessary to sanction employees who are not following HIPAA. Certainly, corrective actions are a key component of the HIPAA Law.

HIPAA Privacy Officer Should Have Strong Organizational Skills

Your HIPAA Privacy Officer is in charge of HIPAA compliance, and with that comes attention to detail. It’s all in the details!

In a small to medium-sized practice or business, the HIPAA Privacy Officer role is likely an additional job for someone. Needless to say, you’re going to need someone who is quite organized!

Privacy Officer Should Understand HIPAA

The Privacy Officer must have a solid understanding of the HIPAA law. They will be the “go to” for HIPAA questions in the company.

Your HIPAA Privacy Officer will need to stay abreast of HIPAA updates and news through online training or seminars. They need to have the resources and the drive to stay on top of the law!

The HIPAA Privacy Officer has to be aware that HIPAA compliance requires planning and time.

HIPAA Privacy Officer Should Have Good Interpersonal Relations

Your HIPAA Privacy Officer is not only going to be working behind the scenes, but they will also be required to deal with any client complaints that may arise. You will want a person who is compassionate and sympathetic to your clients’ concerns… kindness can go a long way in solving disagreements!

If your organization provides healthcare coverage, you will need to have a HIPAA plan in place to protect your employees’ health information.

Privacy Team – Many Hands Make Light Work

By now, you’re likely overwhelmed by discovering all that’s involved in the job of a HIPAA Privacy Officer! Share all of the work typically assigned to one person with a Privacy Team.

While the HIPAA Privacy Officer is still in charge of and ultimately responsible for HIPAA compliance within the company, fellow employees can certainly help by taking on certain responsibilities. The following are examples of small teams or individuals who might help.

Policies and Documentation Delegate or Team

This team would establish policies, procedures and key documents addressing confidentiality and privacy requirements like the Notice of Privacy Practices. The team ensures that the company meets all state and federal HIPAA requirements. This team could be in charge of these items from the Privacy Officer Responsibilities section listed previously in the blog post.

  1. Firstly, adopting appropriate Policies and Procedures to comply with the HIPAA Privacy Rule.
  2. Updating Privacy Policies and Procedures (annually)
  3. Sending out the Notice of Privacy Practices to all patients
  4. Sending Business Associate Agreements to all Business Associates and updating any Business Associate Agreements as needed
  5. Monitoring Business Associates to make sure they are correctly implementing their HIPAA compliance program
  6. Lastly, ensuring all HIPAA-related documents and information are correct and up-to-date

Sanctioning Delegate or Team

Likewise, the Sanctioning Team might be responsible for the corrective actions for any HIPAA mistakes or breaches. This team could help the HIPAA Privacy Officer with these items from the Privacy Officer Responsibilities list.

  1. Overseeing the enforcement of client and/or employee Privacy Rights
  2. Monitoring all covered items for compliance with Privacy Policies and Procedures
  3. Receiving and responding to complaints of alleged non-compliance with the HIPAA Privacy Rule
  4. Working closely with legal counsel and the Security Officer

Finally, an Employee Training Delegate or Team

The Employee Training Team would be in charge of employee awareness of individual and organizational HIPAA obligations. Employees who see PHI must know how to protect it.

Also, annual training must be a top priority for all employees, including permanent and temporary workers, volunteers, contractors, and business associates. Specifically, the employee training team could be in charge of:

  1. Coordinating the training of all employees that come in contact with PHI
  2. Answering HIPAA-related questions from fellow employees and clients

In conclusion, the responsibilities of the PO are much less intimidating when others in the organization are helping!

Although you may disperse the work among others, it’s important to note that the Privacy Officer is ultimately responsible for the organization’s HIPAA compliance.
