What is the intent or purpose of the privacy officer?
The privacy officer is responsible for implementing and overseeing the practice's privacy policies and procedures. The privacy officer oversees all activities related to the development, implementation and maintenance of, and adherence to, the practice's policies and procedures addressing privacy and access to protected health information (PHI), and ensures compliance with HIPAA and all other federal and state rules and regulations pertaining to the use and release of PHI.
Small practices may assign this role to a person who also holds other duties, while larger group practices will most likely designate a specific person to oversee the integrity of PHI. The privacy officer has numerous roles, such as performing a risk assessment of the practice to determine where vulnerabilities lie with respect to PHI and ensuring that privacy and security measures and policies are implemented and adhered to by the practice. He or she also serves as the designated contact person required by the final Rule to receive complaints and provide further information about the practice's privacy policies and procedures.
What steps or activities should a privacy officer take to assure compliance?
The key activities are basic risk management techniques. A privacy officer should carry out the following steps:
A. Identify the internal and external risks of disclosure of protected health information (PHI).
B. Create a plan to reduce the risk of releasing PHI in those areas identified.
C. Implement the plans.
D. Train all personnel on the practice's policies for the privacy and security of PHI.
E. Monitor the implementation and enforce the policies appropriately when any breach of policy is found.
A. Identifying the risks of disclosure is the first step, so that policies and procedures can be created to address the use and release of PHI. A risk assessment should be conducted to ascertain where privacy and security threats may exist. Make a list of all activities that involve the use or disclosure of PHI and evaluate, for each one, whether policies and procedures are already in place to reduce the risk of improper release.
B. Once the risk areas are identified, create a plan of action around them to reduce the risks. Developing the plan communicates to staff the importance the practice places on the safe and proper use of protected health information.
C. Policies and procedures should be modified or developed to integrate compliance into everyday activities. Implementation of the plan should consider the needs of the staff and their ability to assimilate and follow the policies and procedures. The plan applies to paper medical records as well as to electronic or computerized records containing PHI.
D. During implementation, all personnel must be trained in the areas relevant to their interaction with PHI. Staff must understand what information is protected, when PHI may be released, and when PHI may be in jeopardy of improper release. Training should be integrated into the practice's compliance plan, including documentation of the training that has occurred. The training should be germane to the responsibilities of the staff member. A change in job description or position that allows greater access to PHI warrants additional training within a reasonable time frame following the change in responsibilities.
E. Monitoring is an important part of the privacy officer's duties. This means actively checking that the practice is adhering to its policies and procedures related to PHI. It is important to always follow your own rules, both to reduce the opportunity for an error to occur and to limit the damage if improper use or release is detected.
What if information is misused or improperly released?
HIPAA requires that medical practices provide a complaint process for individuals who feel the practice is not following its own policies and procedures. As privacy officer, you need to implement this process if it is not already in place. The complaint process allows individuals to seek resolution of complaints at both the local (practice) level and the federal level.