Privacy officer: It's a living, sorta

Thursday, October 31, 2002

When we last walked down the HIPAA Trail, we were at the trail marker called the Privacy Notice. If you recall, the Privacy Notice is one of the most important pieces in the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule.

The provider's Privacy Notice is that provider's public document regarding all uses and disclosures of the patient's protected health information (PHI) and the patient's rights with respect to that information.

Since the Privacy Notice is essentially the provider's declaration to the public on how they intend to comply with HIPAA, it better be a good one. Whereas the government can be vague and confusing in its writing of rules and regulations, providers need to have clear and concise written policies and procedures detailing how they intend to follow them. Who is going to write these policies and procedures, as well as the Privacy Notice? If you are the first one to be reading this article, then I would suggest you immediately volunteer anyone but yourself to take on that job.

Yet the job must be filled, because HIPAA requires all providers to designate a privacy official, or HIPAA Privacy Officer (HPO). It's the HPO who will be leading your company along the HIPAA trail come April 2003, so appoint someone who is going to be part of your business for a long time. Actually, since HIPAA requires the HPO be available to answer all questions about the provider's HIPAA privacy policies, it would be best if a provider has two or more HPOs.

The Privacy Rule does not require the position of HPO to be a full-time one. However, the Rule does list the necessary requirements of the job. Some of these requirements are:

- Assist in the implementation and maintenance of the privacy policies and procedures.

- Perform risk assessments and related compliance monitoring.

- Oversee training on privacy policies and procedures for all employees, contractors, business associates and other related parties.

- Be available to address any questions or concerns that patients have about their rights under the Privacy Rule.

Also, the Rule requires the HPO to be the contact person with the Office of Civil Rights or other legal entities dealing with HIPAA compliance review or investigation. In other words, if the Law comes to your business in regard to an actual, or perceived, HIPAA violation, it's the HPO the Law wants to deal with. What's that sound I hear providers' employees chanting in the background … "Just say no, to being the HPO"?

Randy Schluter is President and COO of Dragonfly Technologies, L.L.C. and also serves as a business consultant to Arrow Professional Enterprises in matters pertaining to HIPAA. Reach him at 1-888-430-6919.