So You Want to Be a Privacy Officer?
By Mike Bassett
For The Record
Vol. 27 No. 2 P. 24
Experts in the field discuss the challenges of overseeing security compliance.
Under HIPAA, every health care practice or organization must designate a privacy officer. Because that mandate dates only to HIPAA, it's a job whose origins are fairly recent, yet it continues to grow in importance as health care organizations face increasing challenges related to privacy and security compliance.
At the time the HIPAA privacy rule went into effect, Mary Poulson, CHPC, RHIT, now regional director of compliance for Mednax Services in Englewood, Colorado, was the HIM director for HealthONE, where she became part of the team implementing the new regulation. "I really enjoyed the action plans we were putting in place to develop policies and procedures, and that's how I got into privacy," she recalls. "Privacy really seems to be a natural fit for health information management."
A 40-year HIM veteran, Barbara Beckett, RHIT, CHPS, the system privacy officer for Saint Luke's Health System in Kansas City, Missouri, says her involvement with various EMR processes "pulled" her into the HIPAA world when the privacy rule debuted in the early 2000s. In 2009, she became the system's privacy officer.
"My background in medical records and my experience in nearly every aspect of health information management was critical in going into privacy," Beckett says. "When you look at HIPAA, a lot of it has to do with the release of information, and [those of us in HIM] have been the pros when it comes to releasing information. We've always followed the regulations and protected that information, so it wasn't that new to us when HIPAA came around."
Nancy Prade, MBA, RHIA, CHPS, senior director of compliance and chief privacy officer for University of Colorado Health, echoes those sentiments. "Health information management professionals have the necessary training, background, and knowledge and that helps me almost daily in doing this job," she says.
A Typical Day
There really is no such thing as a typical day, Poulson says. "The job is filled with variety," she notes, pointing out that "very few individuals hold just the privacy officer title and many are combined compliance/privacy or health information management/privacy."
Poulson, who is her organization's "go-to" person for answers to any HIPAA-related questions, is responsible for Mednax Services' western regions. In particular, she assists office-based practices that telephone daily with tricky questions such as, "If we send out medical records to another physician, can we include records that we received from other sources?" or "What do we do if a patient was referred to us by another physician, but that physician is requiring the patient's authorization to send over medical records?"
Poulson reviews requests for business associate agreements, amendments, and unauthorized disclosures of patient health information requiring investigation. She also provides HIPAA education and training, ensures the internal HIPAA website is up-to-date with the latest policies, forms, and information, and performs on-site privacy audits at office-based practices.
Prade also fields numerous questions on a daily basis. For example, staff members may inquire whether it's OK to call out a patient's name in a waiting room or post a thank-you note containing a patient's name on a bulletin board in a staff area. She also visits departments and clinics to get a firsthand look at whether there are any potential HIPAA violations at play such as patient charts being left out in the open or unattended computers logged on.
Prade's responsibilities are complicated by the fact that the University of Colorado health system consists of a number of entities, including an academic medical center (University of Colorado Hospital), Poudre Valley Hospital, and Memorial Hospital in Colorado Springs, all of which share the same medical record system. "So we are constantly trying to determine who should get access to information, and for what reason, because everyone wants access to the records," she says. "Right now I'm spending a lot of time on policies—we're trying to combine the policies of our three entities and make sure we are adhering to the rules."
One aspect of Prade's position that had been problematic was the process of adding amendments to medical records. Despite HIM now being responsible for that task at the University of Colorado health system, it remains on the shoulders of privacy officers at some organizations. "We have been opening up patient portals, and while patients have always had access to information, now it is more readily available and has increased the number of amendment requests," she explains.
Besides the introduction of portals, a pseudo-language barrier between patients and physicians can boost the number of amendment requests. Sometimes, patients can misinterpret physician documentation. For example, Prade recalls a situation in which a patient took umbrage with the term "patient denies history of"—typically used when the patient has no history of a condition—appearing in her radiology report. "But the patient says that made it sound like she was lying and she wanted it changed," she says. "So we are all going to have to be more cognizant of what goes into notes and how it will be interpreted by someone who isn't familiar with medical terminology or the way we typically say things."
Amending records can be a time-consuming process, Prade says. For example, the clinician who documented the note has to be contacted to determine whether the record should in fact be amended. If the request is denied, the patient must be notified within 60 days and given the opportunity to add something to the record or file a complaint with the Office for Civil Rights.
"Sometimes, a lot of these [requests] can just take a long time to track down," Prade says. "Some physicians are going to be more responsive than others, so I have to resort to what I call electronic nagging to make sure we get a response. I had to track one physician down late at night and told him, 'This is it—I gave you enough notice and we have to get this out tonight.' So we bought him some pizza and dragged him in."
Beckett, who works in a large system spread over two states, oversees privacy site coordinators at each facility. Patients can call her office directly and access a hotline as well, "which means I'll have to investigate those calls and forward them on to whomever needs to get involved," she says.
The job can be particularly stressful should a major privacy event occur. "But if you have a good workforce behind you and good policies and procedures in place on what to do if a big event occurs, then you can keep the stress down to a minimum," Beckett says. "But in a moment's notice you can have an emergency and have the marketing and public relations departments on your tail, as well as the government. You just never know."
An Evolving Role
Angela Dinh Rose, MHA, RHIA, CHPS, director of HIM practice excellence for AHIMA, says the privacy officer position has evolved in such a way that it's necessary to understand more about security safeguards. "Not necessarily the IT side of it; you don't have to be able to sit down and create a firewall and make sure it works correctly, but you have to know what it can and can't do," she says.
Possessing that knowledge is key to stopping breaches in their tracks. "You can't have a privacy breach these days without having a security breach first," Dinh Rose says. "Privacy and security go hand in hand."
Now that medical records have become a popular target for identity thieves, the pressure mounts on privacy officers to prevent such attacks and to be prepared in the event they do occur, Poulson says, noting that keeping HIT systems safe has become a major challenge.
In addition to the growing presence of cybercriminals, she also believes concerns related to social media use have created more sleepless nights for privacy officers. For example, how should situations in which physicians are asked to "friend" patients and/or their family members on Facebook be handled? "Our physicians may have spent months caring for these patients and come to know the families very well," Poulson says. "We recommend that they do not accept these requests, since the relationship is supposed to be on a professional basis. However, we leave it up to the physician to decide, knowing that he or she would need to respond to medical questions with the statement, 'The patient needs to see [his or her] physician.'"
Other modern-day developments such as the advent of smartphones add to the privacy officer's list of worries. For example, issues related to texting patient health information, including photos, must be addressed.
Beckett says the introduction of the HITECH Act and the 2013 publication of the HIPAA Omnibus Rule, a set of final regulations modifying HIPAA privacy, security, and enforcement rules, have reshaped the privacy landscape and created additional responsibilities for privacy officers. To further complicate matters, staff members are at a premium. "The amount of work is increasing, but a lot of facilities aren't allowing you to add staff," she says. "So you have to set priorities and come up with better ideas about what needs to be done to stay compliant with these regulations. And they don't get easier—they get more stringent, and without the staff it becomes more difficult for facilities to be as compliant as they want to be."
Dinh Rose says AHIMA can help ease the strain by providing education and guidance, noting that the organization offers privacy professionals access to articles, books, practice briefs, and toolkits to help them better understand and interpret laws and regulations and manage compliance.
Beckett recommends privacy officers take advantage of AHIMA resources and network with peers to stay educated and informed about industry changes. "And if we know that there are regulations that are coming into play that are going to involve some big changes, the chances are we'll know about it well before they become final," she says. "When the Omnibus Rule came out in 2013 we were well ahead of the game. We were sharing things not only among our peers but through our professional organizations on what we were going to need to do because of the new regulations, new restrictions, and the new notice of privacy practices."
What It Takes
For those looking to begin a career as a privacy officer, Poulson, Prade, and Beckett believe an HIM background is an excellent jumping-off point. "And get a privacy certification," Poulson adds.
Dinh Rose points out that AHIMA offers combined certification for health privacy and security while Poulson mentions certification from the Health Care Compliance Association as a viable option. "Either one of these certifications would be a great place to start," Poulson says. "Then it's just a matter of working in privacy and getting that experience. And working in health information management and medical records will give you a great background."
The profession appears to be gaining interest from industry newcomers, too. "I've had students at local colleges come by and visit my office and try to learn about compliance and privacy and they'll ask what they need to do to become privacy officers," Beckett says. "And what I tell them is get involved through health information management and maybe offer to do some audits and learn about compliance because privacy is usually part of compliance."
"It's a good job for anyone coming out of the health information management profession, but you have to be comfortable working with patients who sometimes are not going to be very happy with you," Prade says. "And you'll have to work with physicians who don't always do what you ask them to do. So if you don't like conflict, this may not be the right job for you. But I like it because it is mentally challenging and I feel like I'm really helping our patients and my organization."
— Mike Bassett is a freelance writer based in Holliston, Massachusetts.