(Chief) Privacy Officer Job Description
Position Title: (Chief)
Chief Executive Officer, Senior Executive, or Health Information Management
(HIM) Department Head2
General Purpose: The
privacy officer oversees all ongoing activities related to the development,
implementation, maintenance of, and adherence to the organization's
policies and procedures covering the privacy of, and access to, patient
health information in compliance with federal and state laws and the healthcare
organization's information privacy practices.
Provides development guidance
and assists in the identification, implementation, and maintenance
of organization information privacy policies and procedures in coordination
with organization management and administration, the Privacy Oversight
Committee,3 and legal counsel.
Works with legal counsel
and management, key departments, and committees to ensure the organization
has and maintains appropriate privacy and confidentiality consent,
authorization forms, and information notices and materials reflecting
current organization and legal practices and requirements.
Oversees, directs, delivers,
or ensures delivery of
initial and privacy
training and orientation to all employees, volunteers, medical and
professional staff, contractors, alliances, business associates,
and other appropriate
Participates in the development,
implementation, and ongoing compliance monitoring of all trading partner
and business associate agreements, to ensure all privacy concerns,
requirements, and responsibilities are addressed.
Establishes and administers
a process for receiving, documenting, tracking, investigating, and
taking action on all complaints concerning the organization's
privacy policies and procedures in coordination and collaboration
with other similar functions and, when necessary, legal counsel.
Ensures compliance with
privacy practices and consistent application of sanctions for failure
to comply with privacy policies for all individuals in the organization's
workforce, extended workforce, and for all business associates, in
cooperation with Human Resources, the information security officer,
administration, and legal counsel as applicable.
Serves as a member of,
or liaison to, the organization's IRB or Privacy Committee,4
should one exist. Also serves as the information privacy liaison for
users of clinical and administrative systems.
Works with organization
administration, legal counsel, and other related parties to represent
the organization's information privacy interests with external
parties (state or local government bodies) who undertake to adopt
or amend privacy legislation, regulation, or standard.
Certification as an RHIA
or RHIT with education and experience relative to the size and scope
of the organization.
Knowledge and experience
in information privacy laws, access, release of information, and release
Knowledge in and the ability
to apply the principles of HIM, project management, and change management.
facilitation, communication, and presentation skills.
This description is intended
to serve as a scalable framework for organizations in development of a
position description for the privacy officer.
title for this position will vary from organization to organization,
and may not be the primary title of the individual serving in the
position. "Chief" would most likely refer to very large
integrated delivery systems. The term "privacy officer"
is specifically mentioned in the HIPAA Privacy Regulation.
the supervisor for this position will vary depending on the institution
and its size. Since many of the functions are already inherent in
the Health Information or Medical Records Department or function,
many organizations may elect to keep this function in that department.
"Privacy Oversight Committee" described here is a recommendation
of AHIMA, and should not be considered the same as the "Privacy
Committee" described in the HIPAA privacy regulation. A privacy
oversight committee could include representation from the organization's
senior administration, in addition to departments and individuals
who can lend an organization-wide perspective to privacy implementation
all organizations will have an Institutional Review Board (IRB) or
Privacy Committee for oversight of research activities. However, should
such bodies be present or require establishment under HIPAA or other
federal or state requirements, the privacy officer will need to work
with this group(s) to ensure authorizations and awareness are established
where needed or required.
"Sample Position Description: (Chief) privacy officer." Journal of AHIMA 72, no.6 (2001): 37-38.