The role of privacy officer has changed since it was mandated in 2003 by the HIPAA Privacy Rule. New regulations, technology and data-sharing initiatives have reshaped the landscape, according to Chris Dimick, staff writer for the Journal of AHIMA, who outlined the new role of the privacy officer in the April edition.
“Protecting patient health information has become much more complex since 2003, when nearly all healthcare organizations used time-tested systems to protect paper records,” Dimick wrote. “In turn, privacy officers now require an expanding set of knowledge and skills, and as regulatory pressures and technological initiatives have advanced, their roles have grown in strategic importance within their organization.”
One of the biggest changes has come from the HITECH Act, which amended HIPAA to impose stricter privacy protections for patients. “The HITECH provision that has had the biggest impact to date is the breach notification rule,” he wrote. “The interim rule, which is still awaiting its final version, requires healthcare facilities and their business associates to investigate and provide notification following a breach of unsecured protected health information.”
The rule describes how covered entities must notify affected individuals and the Department of Health and Human Services (HHS). For breaches affecting 500 or more individuals, covered entities must also notify HHS and prominent media outlets serving the affected area without unreasonable delay and no later than 60 days after discovery. That deadline alone has sharply raised the importance of the privacy officer role.
When a privacy breach is suspected, privacy officers must now drop everything and investigate whether a breach actually occurred and, if so, how to mitigate the damage and who is responsible, Dimick wrote.
One challenge of the rule has been the harm threshold, which allows an organization to forgo notification if it determines that the breach poses no significant risk of harm to the affected individuals. “Lacking direct guidance in the rule, privacy officers and their colleagues had to establish protocols and parameters for assessing and documenting potential for harm,” he wrote.
Some significant modifications have not yet taken effect or received final rules. For example, in its proposed rule the Office for Civil Rights (OCR) sought to shift the accounting-of-disclosures requirement from disclosures to access, proposing that covered entities create and maintain access reports that would show patients, on request, who had accessed their information held in EHRs. Dimick noted that although the industry generally supported the attempt to ease the accounting-of-disclosures burden, many still saw significant challenges in producing access reports from current systems.
OCR is handling the accounting-of-disclosures provision in rulemaking separate from the other HITECH privacy measures. A final rule is expected this year, and privacy officers expect a busy period when it arrives, since they are still working out how to sequester the relevant information for these requests using today's EHR systems. They will also need processes to ensure that, months later, sequestered information is not inadvertently released in a routine records request.
These modifications to the Privacy Rule have pushed privacy officers to develop research skills and legal knowledge, Dimick added.
HITECH also strengthened civil and criminal enforcement of HIPAA, raising the maximum civil penalty to $1.5 million per year for violations of an identical provision, and spurred HHS and OCR to step up enforcement through privacy and security audits and investigations. This has created pressure on privacy officers and their organizations to perform regular audits, fully document privacy-violation investigations and update their policies for completing risk assessments, he noted.
As OCR and HHS continue to promote patient privacy rights to the public, government investigations will only increase as violation reports rise, so every privacy officer will need to adapt their skills to be ready for an investigation, Dimick concluded.