If not, you could be breaking the law. Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, all doctors, physicians, dentists, chiropractors and other covered entities are required to designate a privacy officer. Failure to do so could result in fines or other penalties handed down by the Department of Health and Human Services (HHS).
So, what is the job description of a privacy officer and why is it necessary? As you may already know, HIPAA consists of several rules: Security, Privacy and Breach Notification, each of which has its own purpose. The Privacy Rule is a set of standards designed to protect the medical records and personally identifiable information of patients/customers (see below for a complete description).
“The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically,” wrote the Department of Health and Human Services (HHS). “The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.”
Part of the 400-plus-page document describing the HIPAA Privacy Rule requires all covered entities to designate a privacy officer. As the name suggests, this individual is responsible for overseeing all activities associated with the development, deployment, implementation, and ongoing maintenance of the covered entity's privacy policies. Long story short, the privacy officer must ensure that the healthcare practice for which he works is compliant with the HIPAA Privacy Rule.
It's important to note that the privacy officer may have other titles and/or duties. Just because an employee is given the title of “privacy officer” doesn't necessarily mean that he or she is only responsible for maintaining compliance with the HIPAA Privacy Rule. This person could be a nurse, for instance, who has a countless number of other duties.
Here's a short list of some of the responsibilities commonly associated with the HIPAA Privacy Officer:
- Create Business Associate Agreements (BAAs) with any third-party entities or organizations that are given access to Protected Health Information (PHI).
- Train other employees on the HIPAA Privacy Rule.
- Create Privacy Authorization Forms when necessary.
- Perform periodic privacy risk assessments of the practice and its systems.
- Establish a process for receiving, documenting, tracking, and investigating all complaints regarding privacy.