What Does a Company Privacy Official Do?

A company privacy official works to ensure their healthcare organization is following HIPAA laws as best it can.

Accountable Staff

According to Subpart E of Section 164 of the Office of Civil Rights’ HIPAA Administrative Simplification regulation text:

“A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.”

This person’s duty is to ensure that all members of a healthcare-related organization - and its business associates - remain in compliance with HIPAA rules and regulations at all times.

Of course, this means that at least one individual within such an organization needs to know all there is to know about HIPAA protocol - right down to the most minute details.

Not only must they understand HIPAA protocol completely, but they also need to be able to efficiently explain such rules to others within their organization in order to minimize the potential of violations occurring in the future.

Before we dig into the main responsibilities of the position, let’s discuss how an organization can go about designating an individual as a privacy official.

Company Privacy Officials and HIPAA

According to the US Department of Health and Human Services, a company privacy official oversees ongoing activities related to the development, implementation, and maintenance of a covered entity’s privacy policies in accordance with federal and state law.

In the above section, we mentioned that all healthcare practices must have a designated company privacy official on staff - regardless of the organization’s size.

However, the way in which a company designates a CPO (company privacy official) can vary depending on the company’s scope and size, as well as the resources it has at its disposal.

For instance, a larger organization will likely have the ability to hire someone specifically as the company’s privacy official. This individual’s sole responsibility will revolve around ensuring the organization maintains HIPAA compliance.

On the other hand, smaller companies might not have the capital to be able to make a new hire. In these cases, a doctor, nurse, or clerical staff member can be designated as the company’s privacy official. Of course, this is in addition to their other work-related duties - so taking on the extra responsibility will require extreme diligence on the part of the designee.

Now that we understand the overarching role of a privacy official, as well as who can take on this role, let’s discuss the specific duties this individual will have within their organization.

The Main Responsibilities of a Company Privacy Official

We’ve discussed the general responsibilities of a healthcare organization’s privacy official, so now let’s dive into exactly what is expected of this individual on a daily basis.

Resident HIPAA Expert

As we’ve established, a company privacy official’s main responsibilities lie in understanding HIPAA protocol and how an organization can put its best foot forward in terms of maintaining compliance.

Not only must a CPO have a firm understanding of HIPAA laws, but they must also keep up to date with any changes or amendments made to the legislation over time. Best practices suggest CPOs check in with HIPAA-related news and press releases on a weekly, monthly, and quarterly basis. In doing so, a company privacy official can ensure their organization is never blindsided by newly implemented laws or policies - thus remaining in good standing with the OCR.

A company privacy official also acts as the go-to person for other faculty members regarding HIPAA-related inquiries. When necessary, the CPO will provide further explanation of policy changes or newly-instituted mandates to ensure all personnel understand exactly what is expected of them and why. If needed, the CPO will dig deeper into specific documentation provided by the OCR in order to clarify recent changes within the organization.

Additionally, the CPO will spearhead educational initiatives within the organization. This can manifest in one of two ways:

  • The CPO can develop in-house training programs focused on the responsibilities of doctors, nurses, clerical workers, and other staff members with regard to HIPAA law.
  • The CPO can assess third-party training programs to determine their effectiveness and accuracy.

While all faculty members within a healthcare organization should have a general working knowledge of HIPAA law, a CPO is expected to go above and beyond this general knowledge, ensuring that all operations within a covered entity maintain HIPAA compliance.

Patient Liaison

A covered entity’s privacy official is also responsible for a number of patient-facing duties.

As you may or may not know, all healthcare organizations are required to create and post a Notice of Privacy Practices, and make it as accessible as possible to incoming patients. The organization’s CPO is responsible for creating this document and determining the most effective ways in which to provide it to patients. This may mean creating both physical and electronic forms of the document, and displaying it in multiple languages throughout the company’s office as well as on its website.

If a patient has a question regarding their privacy rights, the CPO will step in and provide specific information about the organization’s policies and HIPAA law as a whole. The CPO will also help the patient understand who has access to their protected health information (PHI), and ensure the patient understands their rights in terms of limiting this access.

A company privacy official also handles all patient requests dealing with their PHI. As with the Notice of Privacy Practices mentioned above, CPOs need to ensure patients’ PHI is available through a variety of means - including physical and electronic forms. Also, CPOs need to make sure their organization allows patients the ability to amend certain aspects of their PHI - such as contact information - at all times.

In the event of a breach of HIPAA protocol in which patients’ PHI is exposed, the CPO will maintain contact with each affected individual throughout the mitigation process, explaining:

  • How the breach occurred
  • Who their PHI was accidentally released to
  • How the organization is working to fix the problem
  • What they (the patient) can do to minimize potential damage

The CPO acts as a bridge between the healthcare organization and its patients, ensuring all patients understand their rights to privacy under HIPAA law - and that the organization will do everything in its power to maintain this expected level of privacy.

External Liaison

The company privacy official of a healthcare organization also acts as the point of contact for third-party business associates, as well as for the OCR itself.

With regard to business associates, a CPO’s duties include:

  • Implementing and maintaining business associate agreements
  • Ensuring these agreements are followed by all parties involved
  • Ensuring mitigation processes commence (on the part of both the covered entity and the business associate) in the event of a breach

When communicating with the Office of Civil Rights, company privacy officials will:

  • Maintain contact with a representative of the OCR throughout compliance reviews, audits, and investigations
  • Ensure the covered entity’s managers understand the specific reasons a violation occurred, the most efficient way of correcting the problem, and the implications of not immediately addressing the issue
  • Provide the OCR representative with updates regarding improvements made to the covered entity’s policies and procedures

An organization’s CPO is responsible for maintaining close contact with all third-party organizations they do business with, as well as the agencies that govern them. Though the CPO is an employee of the healthcare organization in question, they must remain objective during such communication to ensure rules and regulations are followed properly.


A covered entity’s privacy official is, as the name implies, responsible for all things privacy-related within the organization.

While it is possible for a current employee to take on the added responsibilities of a CPO, it may be in your organization’s best interest to hire an individual whose sole duties are that of a company privacy officer.

Accountable’s HIPAA training program can help your CPO - and the rest of your organization - stay up to speed with the latest in privacy rules and regulations as dictated by HIPAA and the OCR. Sign up for a free demo of Accountable’s training program on our website.