What Is a Privacy Officer?
A privacy officer is a key employee in a healthcare organization who is named by the healthcare provider (custodian) and assigned the responsibility to oversee all activities related to the implementation of, and adherence to, the organization’s privacy practices, and to ensure operational procedures are in compliance with relevant privacy laws. The Privacy Officer monitors employees and systems about how information is collected, used, and disclosed and access to identifying information.
A privacy officer may be known by other titles like privacy compliance officer or a security officer.
If your healthcare business involves the collection, use, and disclosure of your clients' and patients’ personal health information, a privacy officer is necessary in order to meet legislated requirements.
If You Don't Have a Privacy Officer
Healthcare practices without a privacy officer often experience confusion about how patients’ personal health information should be collected, used, and disclosed. Patients may complain about lack of access to their personal health information. Without a named privacy officer to assume the responsibility to implement and monitor reasonable administrative, technical, and physical safeguards you are more likely to experience privacy and security incidents, privacy breaches, investigations, fines, and charges under the privacy legislation!
Here are some examples of what can happen if you don’t have a privacy officer:
- In 2019, the British Columbia Office of the Information and Privacy Commissioner (OIPC) conducted a privacy audit of 22 medical clinics. OIPC auditors examined 22 clinics and found gaps in privacy management programs at several clinics, including the absence of a designated privacy officer, a lack of funding and resources for privacy and a failure to ensure that privacy practices keep up with technological advances.
- A complaint was made against a medical clinic with an employee suspected of accessing health information for an unauthorized purpose. The Alberta OIPC investigated and revealed confusion around the roles and responsibilities of privacy compliance among the custodians and the privacy officer. The OIPC determined that the custodian was in contravention of the regulation which requires custodians to ensure that their affiliates are aware of and adhere to the all of the custodian’s administrative, technical, and physical safeguards with respect to health information. (See Do You Know Where Your Policies and Procedures Are?)
- Employees are not aware of privacy requirements and engage in snooping into personal health information. Consequences of employee snooping include firing, charges under the Health Information Act and court ordered fines, jail time, probation, community service and more. (See Snooping Conviction Earns 3 Years Probation )
Roles and Responsibilities
So, what does a privacy officer do? The roles and responsibilities of a privacy officer in a typical healthcare practices include the following:
- Identify privacy compliance issues for the business.
- Ensure privacy and security policies and procedures are developed and keep them up to date.
- Ensure that everyone working at your clinic and your vendors are aware of their privacy obligations.
- Monitor your clinic's ongoing compliance with privacy legislation like the Health Information Act (HIA) in Alberta.
- Provide advice and interpretation of related legislation for the business.
- Respond to requests for access and corrections to personal information.
- Ensure the security and protection of personal information in the custody or control of the business.
- Act as the primary point of privacy and access contact for staff, patients, vendors, regulators and other stakeholders.
Get the FREE Practice Management Success Tip, Privacy Officer Job Description Template.
Who Should Be The Privacy Officer?
The custodian or the healthcare provider is, by default, the privacy officer. Alternatively, the custodian may designate a responsible affiliate for the purposes of the privacy legislation and given the title of Privacy Officer. In some practices, you may have co-privacy officers or, in practices with multiple locations, a privacy officer at each location.
In small practices, the clinic manager or practice manager is often named the privacy officer. In larger practices, an individual may be given the role and responsibilities of a privacy officer on a full-time basis.
The privacy officer should be in communication with both management and planning decision makers and the front-line staff who collect, use, disclose and provide access to personal health information (PHI).
Who Should A Privacy Officer Report To?
The privacy officer must report to the healthcare provider and custodians in the practice. They may also report to the clinic manager, business manager, or other senior management position.
In practices that are heavily dependent on computer network and medical devices technology, there may be both a privacy officer and a security officer. The security officer typically is focused on intrusion protection and detection and related technology safeguards. The privacy officer is more focused on the collection and use of disclosure of PHI.
What Should Privacy Officer Training Include?
The privacy officer role is challenging yet rewarding. Training should include privacy legislation awareness, privacy awareness, privacy management best practices, privacy breach management, risk assessment and mitigation, reasonable safeguards assessment and implementation. In addition, privacy officers may also learn how to complete a privacy impact assessment.
Training for privacy officers can include formal academic programs (U of A), sessional (CHIMA, Practical Privacy Officer Strategies), supported by professional associations (PACC), and/or self-directed learning including review of resources provided by regulators (like the OIPC) and ministry of health.
Many privacy officers in small healthcare practices have other roles – as a clinic manager, healthcare provider, computer network technician, or business owner. It is little wonder that new privacy officers can feel overwhelmed when trying to balance these responsibilities each and every day.
You may be missing the systems to monitor routine tasks that will protect privacy and alert you to potential problems before they become privacy and security incidents.
Bottom Line: If you are spinning your wheels trying to figure out how to get started, it will cost you time, money, and frustration!
Which means you never get around to implementing a robust privacy management program.
If you are a privacy officer in a healthcare practice who needs practical privacy management strategies to protect your patients and your healthcare business but can't figure out how to get started, here's the solution you've been looking for.
Practical Privacy Officer Strategies
On-line training to help you:
- Daily, weekly, monthly, and annual privacy tasks that make sense for your healthcare practice, that you understand, and that you can implement.
- Promote a culture of privacy compliance.
- Confidence in your role and responsibility as a privacy officer.
- Gain confidence in your understanding of the Health Information Act and other privacy legislation.
Next intake will be announced in Winter 2022!
Sharon Polsky is the president of AMINA Corp. and a Privacy by Design Ambassador with more than 30 years’ experience advising corporations, governments and organizations about privacy and access implications and unintended consequences of emerging laws, technologies and global trends. She is also president of the Privacy and Access Council of Canada, the nonpartisan national non-profit association of privacy and access professionals in Canada’s private and public sectors.
