AHIMA Position Statement: Privacy Official


The American Health Information Management Association (AHIMA) recognizes the increased complexity of protecting patients' privacy while managing access to, and release of, information about patients and other healthcare consumers. Credentialed health information management (HIM) professionals—because of their academic preparation, work experience, commitment to patient advocacy, and professional code of ethics—are uniquely qualified to assume positions as designated privacy officials as required by the Health Insurance Portability and Accountability Act (HIPAA).


Healthcare is a service industry that relies on information for every facet of its delivery. Health information has value to the patient it describes, the provider it serves, and the organization it supports, in addition to society as it directs the health of the population. It must be protected as a valuable asset, and in its primary form as the medical record of a unique individual, it must be safeguarded.

Privacy concerns grow as technology increases access to health information. Mental health, substance abuse, sexually transmitted disease, and now genetic information create a heightened awareness of the need for privacy. Documented cases of the use of health information to make decisions about hiring, firing, loan approval, and to develop consumer marketing have sensitized the public to the risks of sharing information with their healthcare provider.

For years, states have written laws and regulations to protect their citizens' privacy by limiting release of information based on the requestor, the type of information, and the use of that information. Due to the complexity of the issue, the number of concerned parties, and the variety of health information, no two states have the same laws.

Over the last 10 years, the federal government has tried to address the patchwork nature of state laws by developing comprehensive federal legislation, but has failed to complete that task. In an effort to ensure all citizens have a standard minimum protection, the Department of Health and Human Services has promulgated regulation under the authority of HIPAA to provide a universal floor of protection. However, the industry is already concerned with meeting this new minimal level.

To ensure the necessary leadership for compliance, the Standards for Privacy of Individually Identifiable Health Information released in December 2000, require that each health plan, healthcare clearinghouse, and certain healthcare providers must designate a privacy official who is responsible for the development and implementation of their policies and procedures relative to privacy.

HIM professionals have effectively managed the release of information in healthcare organizations for decades. Establishing policy, training staff, developing consents, releasing information, and documenting information use are key elements of the HIM role. Coursework that prepares HIM professionals to fulfill this role has long been included in the curriculum of all accredited HIM academic programs, and is included in the certification examination for both registered health information administrators and technicians. Since its formation in 1928, AHIMA has supported its members in their efforts to protect patient privacy.

Support for the position

To maintain the privacy, confidentiality, and security of health information, AHIMA members assume a leadership role in compliance with state and federal laws, develop appropriate organizational initiatives, and exercise ethical decision making. HIM professionals are uniquely qualified to assume the role of privacy officials, because we:

  • Interpret state and federal laws that apply to the use of health information, into policy
  • Understand the decision-making processes throughout healthcare that rely on information
  • Direct the flow of information within healthcare organizations and throughout healthcare
  • Apply HIM principles to information in all its forms
  • Understand the content of health information in its clinical, research, and business contexts
  • Apply the technologies used to collect, access, store, and transmit information in all its forms
  • Establish and recognize best practices in the management of privacy of health information
  • Collaborate with other healthcare professionals to ensure appropriate security measures are in place
  • Historically managed the release of information function
  • Advocate for the patient, relative to health information confidentiality
  • Live by a Professional Code of Ethics specific to maintenance of patient privacy