What does a Privacy Officer do in a health care organization?
I train Privacy Officers to understand their role. So, what does a Privacy Officer do for a health care organization?
In Ontario, every health care organization must have a “contact person” to do the following five tasks:
- Facilitate compliance with the health privacy law, PHIPA
- Ensure that everyone who works for the organization is informed of their privacy duties
- Respond to inquiries from the public about their information practices
- Respond to requests of an individual for access to or correction of their health information
- Receive complaints from the public about privacy breaches
These five tasks of a privacy contact person are broadly worded. So, what do they mean in practice? And does a Privacy Officer have to do all of them? What activities should be included in a Privacy Officer job description or at least assigned to someone in your organization?
Think about … a privacy champion who …
- Oversees the design, implementation, monitoring and reporting on the privacy compliance program and control measures to comply with legislation and best practice
- Maintains the relevant documentation of the privacy program
- Conducts a privacy inventory of personal health information
- Acts as organizational go-to person for privacy (answers questions from team members)
- Answers questions from the public and patients and their families
- Tracks privacy incidents and themes
- Makes presentations to senior leadership and Board
- Keeps up to date on privacy developments and shares them with the team and leadership – including, in Ontario, the transition to and development of a provincial health record and opportunities for sharing information with other health care organizations to coordinate care
- Liaises with the external privacy consultants and lawyers
- Delivers or organizes privacy training
- Responds to requests for access and correction (including requests for records outside the traditional health record)
- Responds to requests for release of information to third parties (such as insurance companies, police, WSIB, children’s aid societies, regulatory colleges)
- Reviews vendor agreements to ensure adequate privacy terms are included
- Conducts or coordinates the privacy impact assessments and threat risk assessments with security
- Initiates, investigates and manages the privacy breach protocol (including communicating with team members and affected patients/individuals, liaising with key internal and external stakeholders such as the Privacy Commissioner, regulatory Colleges, police and media, and managing mandatory reporting obligations)
- Considers disciplinary action in response to poor privacy practices by team members
- Considers insurance needs
These activities do not have to be completed by a single person or “Privacy Officer” – but they must be performed by someone. For example, it is unusual to have the Privacy Officer do routine access and correction or release of information responses. But the Privacy Officer may need to be involved to resolve complicated requests.
Depending on the size of your organization, you may need a Privacy Committee to address the tasks of the Privacy Officer.