I’m Kate Dewhirst.

My team and I write about legal issues affecting healthcare in Canada.

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

What does a Privacy Officer do in a health care organization?

Posted by

I train Privacy Officers to understand their role. So, what does a Privacy Officer do for a health care organization?

In Ontario, every health care organization must have a “contact person” to do the following five tasks:

  1. Facilitate compliance with the health privacy law, PHIPA
  2. Ensure that everyone who works for the organization is informed of their privacy duties
  3. Respond to inquiries from the public about their information practices
  4. Respond to requests of an individual for access to or correction of their health information
  5. Receive complaints from the public about privacy breaches

These five tasks of a privacy contact person are broadly worded. So, what do they mean in practice? And does a Privacy Officer have to do all of them? What activities should be included in a Privacy Officer job description or at least assigned to someone in your organization?

Think about … a privacy champion who …

  1. Oversees the design, implementation, monitoring and reporting on the privacy compliance program and control measures to comply with legislation and best practice
  2. Maintains the relevant documentation of the privacy program
  3. Conducts a privacy inventory of personal health information
  4. Acts as organizational go-to person for privacy (answers questions from team members)
  5. Answers questions from the public and patients and their families
  6. Tracks privacy incidents and themes
  7. Makes presentations to senior leadership and Board
  8. Keeps up-to-date on privacy developments and shares those with the team and leadership – including in Ontario the transition and development of a provincial health record and opportunities for sharing of information with other health care organizations to coordinate care
  9. Liaises with the external privacy consultants and lawyers
  10. Delivers or organizes privacy training
  11. Responds to requests for access and correction (including requests for records outside the traditional health record)
  12. Responds to requests for release of information to third parties (such as insurance companies, police, WSIB, children’s aid societies, regulatory colleges)
  13. Reviews vendor agreements to ensure adequate privacy terms are included
  14. Conducts or coordinates the privacy impact assessments and threat risk assessments with security
  15. Initiates, investigates and manages the privacy breach protocol (including communicates with team members and affected patients/individuals and liaises with key internal and external stakeholders such as the Privacy Commissioner, regulatory Colleges, police, media and manages mandatory reporting obligations)
  16. Considers disciplinary action in response to poor privacy practices by team members
  17. Considers insurance needs

These activities do not have to be completed by a single person or “Privacy Officer” – but they must be performed by someone. For example, it is unusual to have the Privacy Officer do routine access and correction or release of information responses. But the Privacy Officer may need to be involved to resolve complicated requests.

Depending on the size of your organization, you may need a Privacy Committee to address the tasks of the Privacy Officer.

I am relaunching my Privacy Officer training in October/November 2017.  If you are interested, all the details are here.


If you enjoyed this article please share it:


Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Free healthcare privacy webinar - ask me anything!
the first Wednesday of every month

Free webinars - advance registration needed

Whether you're an experienced privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Primary care webinars: Employment Law Update & Legal Issues for EDs and Board members

Part of Kate’s monthly webinar series.

Our 2025 program is now live.
Full details of the 2025 webinar series and registration here.

Mental Health webinars: Legal issues for mental health and addictions agencies and teams
Annual membership 2025

For managers and other leaders from mental health and addictions agencies, hospitals, CMHAs, CHCs, school boards, FHTs and Indigenous health services

This is an annual membership program with monthly webinars.
Full details and registration here.

Health Privacy Officer Foundations training
starts Spring 2025

For Privacy Officers within healthcare organizations.

This course focuses on how to become a more confident privacy officer and gives you the tools to document your privacy program. Full details and registration here...

Join the Shush: a collective of health privacy officers
Annual membership 2025

For Privacy Officers within healthcare organizations

This is an annual membership program that takes theory into practice and tackles real life scenarios to build Privacy Officer skills.
Full details and registration here.

Team Privacy Training Events

For Primary Care clinics, Hospitals, Community Agencies, Mental Health Teams, Public Health Units, School Boards, Police departments

Scheduled to your team's needs for comprehensive or refresher training More details...

Free summary of all PHIPA IPC decisions

Want to read privacy breach stories to learn how to improve your work? We have summarized all the Information and Privacy Commissioner's health privacy decisions for you Download here...

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets

  • Our twitter feed is unavailable right now. Follow us on Twitter
  • contact details

    P.O. Box 13024, RPO Bradford Centre
    Bradford, ON, L3Z 2Y5

    (416) 855 9557

    .