What Is a Privacy Officer?
A privacy officer is a key employee in a healthcare organization who is named by the healthcare provider (custodian) and assigned the responsibility to oversee all activities related to the implementation of, and adherence to, the organization’s privacy practices, and to ensure operational procedures comply with relevant privacy laws. The privacy officer monitors employees and systems to see how identifying information is collected, used, disclosed, and accessed.
A privacy officer may be known by other titles, such as privacy compliance officer or security officer.
If your healthcare business involves the collection, use, and disclosure of your clients' and patients’ personal health information, a privacy officer is necessary in order to meet legislated requirements.
If You Don't Have a Privacy Officer
Healthcare practices without a privacy officer often experience confusion about how patients’ personal health information should be collected, used, and disclosed. Patients may complain about lack of access to their personal health information. Without a named privacy officer to assume the responsibility to implement and monitor reasonable administrative, technical, and physical safeguards, you are more likely to experience privacy and security incidents, privacy breaches, investigations, fines, and charges under the privacy legislation!
Here are some examples of what can happen if you don’t have a privacy officer:
- In 2019, the British Columbia Office of the Information and Privacy Commissioner (OIPC) conducted a privacy audit of 22 medical clinics. The auditors found gaps in privacy management programs at several clinics, including the absence of a designated privacy officer, a lack of funding and resources for privacy, and a failure to ensure that privacy practices keep up with technological advances.
- A complaint was made against a medical clinic where an employee was suspected of accessing health information for an unauthorized purpose. The Alberta OIPC investigated and revealed confusion around the roles and responsibilities for privacy compliance among the custodians and the privacy officer. The OIPC determined that the custodian was in contravention of the regulation, which requires custodians to ensure that their affiliates are aware of and adhere to all of the custodian’s administrative, technical, and physical safeguards with respect to health information. (See Do You Know Where Your Policies and Procedures Are?)
- Employees are not aware of privacy requirements and engage in snooping into personal health information. Consequences of employee snooping include firing, charges under the Health Information Act, and court-ordered fines, jail time, probation, community service, and more. (See Snooping Conviction Earns 3 Years Probation)
Roles and Responsibilities
So, what does a privacy officer do? The roles and responsibilities of a privacy officer in a typical healthcare practice include the following:
- Identify privacy compliance issues for the business.
- Ensure privacy and security policies and procedures are developed and keep them up to date.
- Ensure that everyone working at your clinic, as well as your vendors, is aware of their privacy obligations.
- Monitor your clinic's ongoing compliance with privacy legislation like the Health Information Act (HIA) in Alberta.
- Provide advice and interpretation of related legislation for the business.
- Respond to requests for access and corrections to personal information.
- Ensure the security and protection of personal information in the custody or control of the business.
- Act as the primary point of privacy and access contact for staff, patients, vendors, regulators and other stakeholders.