The Role of a Healthcare Patient Privacy Officer

A Chief Privacy Officer’s job is to uphold the standards of an organization’s patient privacy program. Duties typically involve:

  • Providing the workforce with proper HIPAA training
  • Documenting and enforcing patient privacy policies
  • Investing in technology that supports the real-time monitoring of appropriate access to patients’ PHI
  • Training personnel on how to investigate potential HIPAA violations

Let’s dig into some best practices that can help patient privacy officers uphold their duties.

Patient Privacy Officer Best Practices

Here are the 7 best practices every healthcare privacy officer should keep in mind:

Audit every access to patient data

One of the best things Privacy Officers can do to ensure patient privacy is to audit every single access to patient data. This is not only possible but quite easy when using proactive privacy monitoring technology. Privacy Officers no longer have to struggle to determine where to focus their limited resources, because the work is done for them. Overworked staff no longer need to be experts in writing reports or wading through a sea of false positives, spreadsheets and reports. When an alert is generated, the team has everything it needs to immediately resolve the case.

Machine learning allows you to get back to top priorities

The bottom line is that machine learning has the ability to change the way Privacy Officers currently identify and resolve inappropriate activity within the EHR. It’s not just about identifying the “bad guys,” it’s about identifying what normal behavior looks like for every individual within the organization and detecting when behavior deviates from the norm. The most impressive thing about machine-learning-powered privacy monitoring platforms is that they are always learning. All the necessary information for case resolution is provided on one dashboard, working as an intelligent companion to privacy officers and providing increased efficiency, cost savings, and the time and ability to focus on top priorities within the organization.
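The two practices above (audit every access, then flag deviations from each individual’s normal behavior) can be illustrated with a small per-user baseline check over EHR access-audit records. This is an added example, not Bluesight’s code or any vendor platform’s logic; the log records, user names, departments and thresholds (one hour of slack, twice the historical daily maximum) are all constructed assumptions.

```python
# Added example (not Bluesight code): per-user access baseline over constructed EHR audit records.
from collections import defaultdict
from datetime import datetime
# Constructed records: (user, patient_id, department, "YYYY-MM-DD HH:MM").
BASELINE_LOG = [
    ("nurse_a", "P001", "ICU", "2024-03-01 08:10"),
    ("nurse_a", "P002", "ICU", "2024-03-01 09:40"),
    ("nurse_a", "P003", "ICU", "2024-03-02 14:05"),
    ("clerk_b", "P010", "BILLING", "2024-03-01 11:00"),
    ("clerk_b", "P011", "BILLING", "2024-03-02 15:20"),
]
REVIEW_LOG = [
    ("nurse_a", "P005", "ICU", "2024-03-04 09:15"),       # within baseline
    ("nurse_a", "P099", "ONCOLOGY", "2024-03-04 23:50"),  # off-unit, off-hours
    ("clerk_b", "P012", "BILLING", "2024-03-04 12:00"),   # normal unit and hours,
    ("clerk_b", "P013", "BILLING", "2024-03-04 12:05"),   # but three patients in a
    ("clerk_b", "P014", "BILLING", "2024-03-04 12:09"),   # day vs. a max of one
]

def _hour(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M").hour

def build_baseline(records):  # per user: departments, hours, max distinct patients per day
    base, per_day = {}, defaultdict(lambda: defaultdict(set))
    for user, patient, dept, ts in records:
        b = base.setdefault(user, {"departments": set(), "hours": set()})
        b["departments"].add(dept)
        b["hours"].add(_hour(ts))
        per_day[user][ts[:10]].add(patient)
    for user, days in per_day.items():
        base[user]["max_daily"] = max(len(p) for p in days.values())
    return base

def flag_deviations(baseline, records, hour_slack=1):  # returns (user, subject, reason)
    alerts, per_day = [], defaultdict(lambda: defaultdict(set))
    for user, patient, dept, ts in records:
        b = baseline.get(user)
        if b is None:  # no history yet: route to a reviewer rather than guess
            alerts.append((user, patient, "no baseline for user"))
            continue
        if dept not in b["departments"]:
            alerts.append((user, patient, f"department {dept} outside baseline"))
        if not min(b["hours"]) - hour_slack <= _hour(ts) <= max(b["hours"]) + hour_slack:
            alerts.append((user, patient, f"hour {_hour(ts):02d} outside baseline window"))
        per_day[user][ts[:10]].add(patient)
    for user, days in per_day.items():  # volume check is per day, not per event
        for day, patients in days.items():
            if len(patients) > 2 * baseline[user]["max_daily"]:
                alerts.append((user, day, f"{len(patients)} distinct patients exceeds baseline"))
    return alerts
```

Each alert carries the user, the patient or day concerned, and the reason, which is the minimum a privacy team needs to open a case from the dashboard rather than re-deriving it from raw logs.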

Become a HIPAA regulations expert

It’s a good idea for Chief Privacy Officers to become experts on all federal and state regulations regarding patient privacy. They must become their healthcare organization’s go-to person when it comes to HIPAA-related questions. A privacy officer does not necessarily need to be a lawyer, but he or she must be well-versed in all related regulations. This means keeping abreast of any new regulations that are introduced or updates that are made to existing regulations. Armed with this knowledge, a privacy officer will be able to answer any and all HIPAA-related questions, whether those questions come from fellow workforce members or patients.

Go beyond yearly training

Privacy officers can help prevent internal HIPAA violations by providing employees proper HIPAA training that creates an organization-wide culture of proactive patient privacy compliance and trust. But this training cannot be a one-time or even annual occurrence. In order for it to be effective, the privacy officer must conduct ongoing regular training, updating employees on any new or revised regulations concerning patient privacy. And of course, this training must encompass all personnel who will use, view, or share patient health data, including permanent, temporary, and even volunteer employees.

In addition, because privacy officers must be the leaders of their organizations when it comes to patient confidentiality, they must take point on creating policies and documentation related to patient privacy. Such policy and documentation include:

  • Confidentiality consent forms
  • Authorization forms
  • Information notices
  • Breach notification

Oftentimes, the creation of these policies will require privacy officers to work closely with their organization’s HR and legal teams, but it is primarily the privacy officer’s duty to ensure that such policies and documentation are put into place and enforced because he or she is ultimately responsible for protecting patient privacy. Bluesight also holds an annual Patient Privacy Symposium (previously PANADAS Live) in May where you can learn about privacy best practices and earn CEUs.

Schedule regular check-ins with your security officer

Once the groundwork has been laid – workforce members are routinely educated and policies and documentation created – privacy officers must turn to the most important aspect of their job: protecting patient information by monitoring it for potential threats and investigating any possible violations.

This is where security officers’ and privacy officers’ roles overlap and where building trust and internal relationships is critical. Working together, security and privacy officers must ensure that proper security measures have been put in place to protect patient information, and they must monitor information systems for unauthorized access, whether the intruders are external criminals using stolen credentials or internal employees inappropriately accessing patient information.

Moreover, privacy officers must oversee any requests by patients to view their PHI or make changes to it. They must also field any complaints from patients of possible HIPAA violations and conduct an investigation into any potential breach of patient information.

Privacy and Security – Different Roles, Same Goals

Although the role of security officer and privacy officer share the same goal of protecting patient information and often require the two officers to work closely together, they have different roles and perform different duties when it comes to safeguarding patients’ PHI.

A security officer’s job focuses on protecting the information itself, particularly the electronic PHI (ePHI). Security officers must make sure that proper technical safeguards are put into place to protect patient information, and they must also monitor PHI for potential threats, especially external ones.

Privacy officers, on the other hand, focus on ensuring that the employees who are authorized to access patient PHI are the only ones who do so. In other words, privacy officers must protect patient information from internal threats, such as employees who snoop or criminals who are using stolen credentials to access information. Thus, even though security officers and privacy officers do work closely together – and in some small healthcare organizations these roles may be filled by the same person – they each have their own areas of expertise.

Become a patient privacy leader within the organization

Every team needs a leader, and the privacy officer must be that leader when it comes to patient privacy. Regardless of org charts, privacy officers must work with security officers, HR and legal teams, as well as leadership to foster a culture that values patient privacy and proactively protects the information of their patients. Share new knowledge, make connections between teams, and build a reputation that is solution oriented.

These healthcare privacy officer best practices will help the organization become proactive when it comes to defending patient privacy. Make sure to review our Breach Barometer to help your organization better prepare to protect patient privacy.