Privacy Officer Job Description

Position Title: (Chief Privacy Officer) (Privacy Officer)

Immediate Supervisor: (Chief Executive Officer) (Chief Operating Officer) (President) (Vice President for ____) (Chief of Information Systems) (Chief of Health Information) (Other _____)

General Purpose: To comply with § 164(a)(1)(i) of the privacy regulations, [name of covered entity] must appoint a privacy officer. The privacy officer is responsible for oversight and management of all activities related to the development, implementation, maintenance of, and compliance with [name of covered entity]’s policies, procedures, and standards governing the privacy, confidentiality, and security of all individually identifiable health information in compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Department of Health and Human Services (“DHHS”) regulations implementing HIPAA, particularly the HIPAA privacy and security regulations, and other state and federal laws, professional ethics, and accreditation standards protecting the confidentiality and privacy of individuals and their health and other information, such as financial information.

Duties and Responsibilities:

  • Be a member of the overall HIPAA steering committee to bring [name of covered entity] into overall compliance with HIPAA. Oversee/conduct gap analysis and risk analysis.
  • Chair the HIPAA privacy regulations steering subcommittee to bring [name of covered entity] into compliance with such regulations. Oversee/conduct the selection of cost-effective security measures to protect individually identifiable health information and to comply with the privacy regulations, including writing consents, authorizations, and required policies and procedures.
  • Assist management in the strategic planning of privacy/confidentiality policies and procedures. Work with management, department heads, the compliance officer, risk management, quality assurance, human resources, and the legal department to ensure compliance with the privacy regulations and state and federal law protecting patient confidentiality and privacy.
  • Provide leadership to HIPAA committees, work groups, and others charged with oversight of [name of covered entity]’s privacy program.
  • Act as the responsible official/contact person for receiving and responding to individual complaints under § 164.530(a)(1)(ii) of the DHHS privacy regulations and for answering questions relating to [name of covered entity]’s notice of information practices.
  • Act as the responsible official to develop policies and procedures to ensure that individuals receive their rights under the privacy regulations and other state and federal laws, including the following rights under the following sections of the DHHS privacy regulations:
  • Access under §164.524.
  • Accounting under § 164.528.
  • Notice of information practices under § 164.520.
  • Request restriction on uses and disclosures and as to methods of communication under § 164.522.
  • Request correction/amendment under § 164.526.
  • Act as the responsible official to ensure that [name of covered entity] complies with its duties under the privacy regulations and state and federal law, including, but not limited to, the following duties:
  • Appointment of a privacy officer. § 164(a)(1)(i).
  • Appointment of a contact person to receive complaints. §164.530(a)(1)(ii).
  • Training. § 164.518(b).
  • Implementing and maintaining safeguards to protect privacy. §164.530(c)(1).
  • Verification procedures to verify the identity and/or authority of persons requesting protected health information (“PHI”). §164.518 (c)(2).
  • Sanctions against those who fail to comply with [name of covered entity]’s policies and procedures or the privacy regulations. §164.510(e).
  • Mitigation to lessen the deleterious effect of an improper use or disclosure.
  • Work with management and legal to draft, review, and implement required business associate contracts and to ensure, as required, business associates’ compliance with contract provisions, including the receipt of reports of noncompliance and taking appropriate action in the event of a breach.
  • Work with management, the medical staff, the director of health information management, and others to ensure protection of patient privacy and confidentiality in a manner that does not compromise [name of covered entity], its personnel, good medical practice, or proper health information management practices.
  • Work with the security officer to ensure appropriate coordination between [name of covered entity]’s security program and its privacy program.
  • Oversee the use and release of information throughout [name of covered entity] to ensure compliance with the privacy regulations, applicable state and federal law, professional standards, and accreditation requirements.
  • Monitor [name of covered entity] operations and systems for privacy compliance. Report to management on the status of privacy compliance.
  • Revise the privacy program as necessary to comply with changes in the law, regulations, professional ethics, and accreditation requirements and as necessary because of changes in patient/client mix, business operations, and the overall health care climate.
  • Cooperate with the Office of Civil Rights, DHHS, or other agencies monitoring compliance with HIPAA, the privacy regulations, applicable state and federal law, professional standards, and accreditation requirements.
  • With other [name of covered entity] personnel, such as management, legal, and other related parties, represent [name of covered entity]’s privacy interests with external parties who may attempt to enact or modify privacy protections to ensure that such laws or regulations do not unnecessarily adversely affect the entity.

Qualifications:

  • Bachelor’s degree (B.A./B.S.) or equivalent from an accredited college or university required. Graduate degree preferred.
  • Appropriate professional education and license/certification, including, but not limited to, law degree, admission to the bar, advanced degree in communication systems, certification as a Registered Health Information Administrator (“RHIA”) or Technician (“RHIT”), B.S. or M.S. in Nursing, with experience in protecting patient privacy/confidentiality.
  • Experience in health industry compliance.
  • Knowledge about information technology, medical records and other medical information, patient privacy and confidentiality, and release of information.
  • Ability to communicate and work with many disciplines, such as management, physicians, psychiatrists, psychologists, clinical social workers, alcohol and drug abuse counselors, information systems specialists, health information specialists, financial managers, state and federal agency officials, and patients/clients or other individuals upon whom the entity maintains or transmits individually identifiable health information.
  • Ability to apply management and leadership skills to attain and maintain compliance in a cost-effective manner.

Note: The above form is only a guide to get covered entities started with developing a job description for a privacy officer. It may need editing/additions/deletions.As with any sample of this nature, human resources and qualified legal counsel should review and approve the final version.

HIPAADocuments ResourceCenter CD, 5th ed.Page 1 of 5

© 2001-2011 Jonathan P. Tomes, Veterans Press, Inc., and EMR Legal, Inc.Allrightsreserved.