I’m Kate Dewhirst.

I’m a lawyer who writes about legal issues affecting healthcare in Canada


What does a Privacy Officer do in a health care organization?


I train Privacy Officers to understand their role. So, what does a Privacy Officer do for a health care organization?

In Ontario, every health care organization must have a “contact person” to do the following five tasks:

  1. Facilitate compliance with the health privacy law, PHIPA
  2. Ensure that everyone who works for the organization is informed of their privacy duties
  3. Respond to inquiries from the public about their information practices
  4. Respond to requests of an individual for access to or correction of their health information
  5. Receive complaints from the public about privacy breaches

These five tasks of a privacy contact person are broadly worded. So, what do they mean in practice? And does a Privacy Officer have to do all of them? What activities should be included in a Privacy Officer job description or at least assigned to someone in your organization?

Think about … a privacy champion who …

  1. Oversees the design, implementation, monitoring and reporting on the privacy compliance program and control measures to comply with legislation and best practice
  2. Maintains the relevant documentation of the privacy program
  3. Conducts a privacy inventory of personal health information
  4. Acts as organizational go-to person for privacy (answers questions from team members)
  5. Answers questions from the public and patients and their families
  6. Tracks privacy incidents and themes
  7. Makes presentations to senior leadership and Board
  8. Keeps up to date on privacy developments and shares them with the team and leadership, including, in Ontario, the transition to and development of a provincial health record and the opportunities it creates for sharing information with other health care organizations to coordinate care
  9. Liaises with the external privacy consultants and lawyers
  10. Delivers or organizes privacy training
  11. Responds to requests for access and correction (including requests for records outside the traditional health record)
  12. Responds to requests for release of information to third parties (such as insurance companies, police, WSIB, children’s aid societies, regulatory colleges)
  13. Reviews vendor agreements to ensure adequate privacy terms are included
  14. Conducts or coordinates the privacy impact assessments and threat risk assessments with security
  15. Initiates, investigates and manages the privacy breach protocol (including communicating with team members and affected patients/individuals, liaising with key internal and external stakeholders such as the Privacy Commissioner, regulatory Colleges, police and media, and managing mandatory reporting obligations)
  16. Considers disciplinary action in response to poor privacy practices by team members
  17. Considers insurance needs

These activities do not have to be completed by a single person or “Privacy Officer” – but they must be performed by someone. For example, it is unusual to have the Privacy Officer do routine access and correction or release of information responses. But the Privacy Officer may need to be involved to resolve complicated requests.

Depending on the size of your organization, you may need a Privacy Committee to address the tasks of the Privacy Officer.

I am relaunching my Privacy Officer training in October/November 2017. If you are interested, all the details are here.

