It further states that these health care organizations must designate a contact person or office that is responsible for receiving privacy complaints and offering information about the organization's privacy policies and procedures.
The rule, however, doesn't give any guidance as to specific qualifications for the privacy officer or offer any further details concerning the duties or job description of the new official.
The Department of Health and Human Services released a guidance document July 7 to clarify several of the privacy regulations. But the document did not give any guidance on how health care organizations should handle the privacy officer position.
"The role of the privacy officer is daunting," says Scott Wright, director of information security services and HIPAA national practice executive at Netplex Group Inc., a Reston, Va.-based information security consulting firm. "A lot of organizations still are looking for help to understand what that person will have to do."
The confusion over privacy officer duties has led some organizations to delay naming one until they have finished formal enterprisewide risk assessments to determine what specific policies and procedures they must modify or implement to comply with the privacy rule. But other organizations are charging full steam ahead with their compliance efforts and already have installed a privacy officer to lead initiatives.
Because the privacy officer regulation leaves so much room for interpretation, even acting privacy officers differ in their background and the way they have prioritized their tasks.
"The rule doesn't say that organizations must comply with the privacy officer regulation in a certain way," says Rhys Jones, national director of HIPAA privacy services at the Tampa, Fla., office of PricewaterhouseCoopers LLC, a consulting firm. "It's just a matter of perspective. There's no one single way to do it."
Make room for privacy
Some health care organizations have yet to name a privacy officer because they are unsure how to hire and supervise such a person.
HIPAA traditionally had been considered a function of the I.T. department, or under the jurisdiction of the CIO. But the privacy rule, which concerns internal business practices more than technologies, doesn't stipulate where within an organization the officer should fall.
Some organizations have named privacy officers who report to the CEO, while others have found that the new duties are better suited for a position under the direction of the CFO or COO. And these new privacy officers are coming from a variety of backgrounds. Some have come through the ranks of the medical records or compliance departments, while others are high-ranking officers who have taken on the extra duties.
"HIPAA is a set of rules that touch the entire business. I have a responsibility for the entire business, so it was a natural fit that I would take on the privacy officer duties," says Chuck Berg, president, COO and privacy officer at Oxford (N.Y.) Health Plans, a payer offering HMO, POS and TPA services.
"Our organization created a HIPAA division under my jurisdiction because complying with HIPAA is really about a business process."
About a year ago, Berg led Oxford in creating a team of four employees, drawn from the HIPAA division's customer service, claims and technology group as well as the organization's legal and compliance divisions, to help determine what the organization needed to do to comply with all the HIPAA rules.
The new HIPAA division has a director, who reports to Oxford's senior vice president of operations, who then reports to Berg. The new director and staff now are beginning to spend more time on the privacy rule than the other HIPAA rules, Berg says.
Making their own rules
Like Berg, other privacy officers are writing their own rules for how they should go about their jobs. At Kaiser Permanente Hawaii Region, Honolulu, a delivery system that offers payer and provider services, Cathy Makishima, director of health information management, was on her own in August 2000 when she took on the role of privacy officer. She recently submitted a job description for her new duties to her CEO, to whom she ultimately reports.
Makishima has only a half-time employee to help her with the privacy duties. But she receives a lot of guidance from Kaiser Permanente's national privacy committee.
The group is made up of representatives (including Makishima and three other Hawaii region employees) from each of Kaiser Permanente's seven regional locations. The group, which meets monthly, has been divided into subgroups, each of which focuses on a different aspect of the privacy rule.
One subgroup in April provided each of Kaiser Permanente's regions with an outline to guide them through a formal privacy risk assessment and gap analysis of their hospital operations, clinical operations and health plans. By this fall, another subgroup is scheduled to provide a set of training recommendations to each region's privacy officer so they can train all Kaiser Permanente employees about privacy in the same manner, Makishima says.
"Our national privacy group has been a blessing to have," she says. "A lot of my privacy officer colleagues who aren't affiliated with a national group are really struggling with their jobs right now."
Whether privacy officers are relying on a corporate HIPAA team, like Makishima, or calling the shots on their own, like Berg at Oxford Health Plans, many have begun their privacy rule compliance efforts by conducting assessments of which specific areas of their business might be vulnerable to a gap in privacy.
Some privacy officers are taking on this daunting task by themselves or enlisting their staff to help out. Others have hired consultants to help with their privacy analyses, among them Berg and Joan Bisterfeldt, HIPAA project manager and privacy officer at Wheaton (Ill.) Franciscan Services Inc., a health care and shelter delivery system.