Four Healthcare Privacy Officer Best Practices
by Kira Caban, Director of Communications, Protenus on February 22, 2017
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule made many sweeping changes to the healthcare world. One of the most significant was the requirement that all healthcare organizations – no matter their size – designate a privacy officer whose primary duty is to protect the confidentially and privacy of patients’ protected health information (PHI).
With this important role comes the critical task of maintaining patient privacy. It begs one to ask what are the top healthcare privacy officer best practices necessary to safeguard patient health data?
The short answer is that the privacy officers must lead on all matters relating to patient privacy.
A privacy officer must ensure that workforce members receive proper HIPAA training, that policies and documentation regarding patient privacy are put into place, that there is ongoing monitoring of appropriate access to patient’s PHI, and to investigate potential HIPAA violations.
Here are the 4 best practices every healthcare privacy officer should keep in mind:
1. Become a HIPAA regulations expert
For privacy officers, their area of expertise must be HIPAA regulations. A key best practice for successful privacy officers is to become experts on all federal and state regulations regarding patient privacy. They must become their healthcare organization’s go-to person when it comes to HIPAA-related questions. A privacy officer does not necessarily need to be a lawyer, but he or she must be well-versed in all related regulation. This means keeping abreast of any new regulations that are introduced or updates that are made to existing regulation. Armed with this knowledge, a privacy officer will be able to answer any and all HIPAA-related questions, whether those questions come from fellow workforce members or patients.
2. Go beyond yearly training
Privacy officers can help prevent internal HIPAA violations by providing employees proper HIPAA training. The privacy officer’s objective with this training extends beyond merely informing employees of what constitutes a HIPAA violation; it also includes increasing awareness of workforce members’ obligations towards patient information and thus creating an organization-wide culture of patient privacy and trust. But this training cannot be a one-time or even annual occurrence. In order for it to be effective, the privacy officer must conduct ongoing regular training, updating employees on any new or revised regulations concerning patient privacy. And of course, this training must encompass all personnel who will use, view, or share health patient data, including permanent, temporary, and even volunteer employees.
In addition, because privacy officers must be the leaders of their organizations when it comes to patient confidentiality, they must take point on creating policies and documentation related to patient privacy. Such policy and documentation include:
- Confidentially consent forms
- Authorization forms
- Information notices
- Breach notification
Oftentimes, the creation of these policies will require privacy officers to work closely with their organization’s HR and legal teams, but it is primarily the privacy officer’s duty to ensure that such policies and documentation are put into place and enforced because he or she is ultimately responsible for protecting patient privacy.
Privacy and Security - Different roles, same goals
Although the role of security officer and privacy officer share the same goal of protecting patient information and often require the two officers to work closely together, they have different roles and perform different duties when it comes to safeguarding patients’ PHI.
A security officer’s job focuses on protecting the information itself, particularly the electronic PHI (ePHI). Security officers must make sure that proper technical safeguards are put into place to protect patient information, and they must also monitor PHI for potential threats, especially external ones.
Privacy officers, on the other hand, focus on ensuring that the employees who are authorized to access patient PHI are the only ones who do so. In other words, privacy officers must protect patient information from internal threats, such as employees who snoop or criminals who are using stolen credentials to access information. Thus, even though security officers and privacy officers do work closely together – and in some small healthcare organizations these roles may be filled by the same person – they each have their own areas of expertise.
3. Schedule regular check-ins with your security officer
Once the groundwork has been laid – workforce members are routinely educated and policies and documentation created – privacy officers must turn to the most important aspect of their job: protecting patient information by monitoring it for potential threats and investigating any possible violations.
This is where security officers’ and privacy officers’ roles overlap and where building trust and internal relationships is critical. Working together, security and privacy officers must ensure that proper security measures have been put in place to protect patient information, and they must monitor information systems for unauthorized access, whether the intruders are external criminals using stolen credentials or internal employees inappropriately accessing patient information.
Moreover, privacy officers must oversee any requests by patients to view their PHI or make changes to it. They must also field any complaints from patients of possible HIPAA violations and conduct an investigation into any potential breach of patient information.
4. Become a patient privacy leader within the organization
Every team needs a leader, and the privacy officer must be that leader when it comes to patient privacy. Regardless of org charts, privacy officers must work with security officers, HR and legal teams, as well as the leadership to foster a culture that values patient privacy and proactively to protects the information of their patients. Share new knowledge, make connections between teams, and build a reputation that is solution oriented.
These healthcare privacy officer best practices will help the organization become proactive when it comes to defending their patient privacy. Make sure to review our Privacy Primer to help your organization better prepare to protect patient privacy.