HIPAA requires practices to designate a Privacy Officer.
HIPAA is the Health Insurance Portability and Accountability Act of 1996. HIPAA applies to your practice if you transmit or maintain protected health information (PHI).
If your practice is a covered entity, HIPAA applies to you. The Centers for Medicare & Medicaid Services has a free tool to help you figure out if your practice is a covered entity. Generally, dental and medical practices are covered entities and subject to HIPAA.
HIPAA is important because it protects your patients from being victims of identity fraud. It also protects your practice from the hefty HIPAA noncompliance fines.
To remain compliant, your practice needs a HIPAA Privacy Officer or Manager. This can be an internal employee, or your practice can outsource the job. Internally, you can assign this role to an existing employee, or hire a new one.
This blog post is the ultimate guide for your Privacy Officer.
What is the HIPAA Privacy Officer’s role?
As the HIPAA Privacy Officer, you are the focal pain point for privacy issues and compliance activities. However, the Privacy Officer’s responsibilities can vary depending on how large the practice is. In smaller practices, the Privacy Officer may wear more than one hat.
Here’s a description of the HIPAA Privacy’ Officer’s role:
- Monitor Federal and State privacy laws (for example, if you’re in Texas, know House Bill 300)
- Co-create privacy policies and procedures, and help implement them
- Communicate with the CEO, Counsel, Chief Compliance Officer, and IT Provider
- Account for PHI disclosure, manage recordkeeping procedures, and audit disclosures
- Deal with health oversight committees, coroners, medical examiners, and government data collectors
- Assist with disclosure of PHI, requests from financial institutions, judicial proceedings, and researcher requests
- Ensure proper HIPAA documentation—all records should be kept for 6 years (including Employee Privacy Policies and Business Associate Agreements)
What’s the difference between the HIPAA Privacy Officer vs. the HIPAA Security Officer?
There is a difference between the roles of the Privacy Officer versus the Security Officer. However, the positions are similar, and in smaller practices, the two roles can be combined. Both of these positions need to be well-educated in HIPAA.
Here’s an easy way to think of the difference: the Privacy Officer is more focused on people, while the Security Officer protects PHI. Another way to think about it: the Privacy Officer ensures compliance with the HIPAA Privacy Rule, while the Security Officer implements the HIPAA Security Rule safeguards.
The Security Officer is responsible for developing security policies, implementing procedures, conducting employee HIPAA training, and monitoring compliance. This role also involves creating a Disaster Recovery Plan. The Security Officer implements mechanisms for preventing unauthorized PHI usage, and ensures secure ePHI transmission and storage. This job requires technical skills, or at least the Security Officer will have to find outside technical help.
The Security Officer also performs the HIPAA Risk Analysis—on Smart Training's software, completing the Risk Analysis is painless.
As the HIPAA Privacy Officer, you are a leader.
You provide leadership and help ensure compliance in these areas:
To be an effective HIPAA Privacy Officer, you should have personal and organizational leadership skills. Be authoritative, enforce the rules, and penalize employees when necessary.
What are your first priorities?
As always, patients are a priority. Here are your high-priority patient duties:
- Handle patient privacy complaints
- Give patients up-to-date copies of the Notice of Privacy Practices
- Respond to patient requests to PHI (your patients can request changes—the practice doesn’t have to make these changes—but you document the processes)
What is safe ground for the HIPAA Privacy Officer?
In the following situations, you don’t have much to worry about regarding PHI:
- Ensuring continued operation
Let’s call this safe ground the TPO (treatment, payment, operation).
When should you be involved?
Anytime PHI is disclosed outside TPO, employees should note the date, what was sent, and to whom. Review the information and take action.
What should you know about PHI disclosures?
Here’s what you need to know about PHI disclosures:
- Patients must be shown disclosure records for 6 years following the disclosure
As a HIPAA Privacy Officer, you need to:
You oversee employee HIPAA training.
A covered entity is required to train its entire workforce on HIPAA-directed privacy policies and practice procedures. Employees need to know how to comply with HIPAA.
Here are some tips:
- Document training with proof of comprehension
- Require employees to complete training on time initially and periodically
- Broaden the scope of training to include business associates, contractors, and volunteers
When is data at risk?
As the HIPAA Privacy Officer, be aware of the risk of breaches in the following situations:
- Communication with radiological partners and testing entities
- Using technology (email, flash drives, medical equipment)
- Natural disasters and severe storms
- Inadvertent deletion or destruction
What are common unauthorized uses of PHI?
Unauthorized use of PHI happens via:
- Stolen passwords
- Illicit employee activity
What if a HIPAA privacy breach occurs?
If a HIPAA breach occurs:
- Document the incident
- Investigate the cause
- Document your findings
- Log the disclosure
As the HIPAA Privacy Officer, ensure compliance with the Breach Notification Rule. Ignoring your practice’s responsibility to report breaches causes larger HIPAA fines.
Need more HIPAA help?
HIPAA is complicated—we’re here to make it easier for your practice. We have HIPAA Privacy Officer training modules—one for dental practices, and one for medical practices.
If you more HIPAA help, our Certified HIPAA Professional will help you every step of the way. Our compliance solutions (Platinum+, Essentials, and Complete Compliance Solution) include HIPAA policies, procedures, documents, training, and Risk Assessments.
Request a demonstration today to speak to a Smart Training Compliance Adviser.