privacy officer, designating and training (HIPAA)

The HIPAA Privacy Rule (45 CFR § 164.530(a)) requires each covered entity to designate a privacy official, who is responsible for "the development and implementation of the policies and procedures" necessary for compliance.

Covered entities must also designate a "contact person or office" to be responsible for the administration of such tasks as:

  • providing information to patients (or staff) who have questions about HIPAA or state privacy protections; and
  • handling any complaints from patients (or staff) about possible HIPAA violations.

In a large health care facility, this position will typically require staff support just to handle all these administrative tasks. In a small clinic or practice, privacy officer responsibilities may be only a part of a single person's job responsibilities.

In some sectors of the economy, such as banking and finance, the privacy officer is typically a senior manager. In health care, such responsibilities have tended to fall on a middle manager, often one from medical records, even in large facilities.

Ideally, a privacy officer will be someone who is (or can quickly become) conversant with both HIPAA's privacy requirements and those of state law, and who also has a background in clinical care, health records management, information technology (particularly security issues), compliance and risk management.

In the real world, of course, few, if any, people possess this range of knowledge even in a large facility, much less in a small clinic or practice. The title must usually fall instead on someone with a "jack of all trades" willingness to learn.

The person selected to be a privacy officer may seem to face an impossible training task, whatever the size of the organization. But remember that HIPAA's requirements for the most part do not displace the existing requirements of state law and professional codes of ethics: HIPAA preempts only state law that is contrary to it and less protective of privacy, so more stringent state requirements remain in force alongside the federal rules. HIPAA may add administrative burdens, but it should not force organization-shattering changes.

Instead, the day-to-day reality should be one of routine compliance tasks. If appropriate privacy and security policies are in place -- and if the organization's workforce is trained and motivated to follow them -- problems should be few. If this is not the case, it is everyone's responsibility to take corrective actions, not just the privacy officer's.


   © 2002-2006 Contributing authors and University of Miami School of Medicine