CMA: Choosing a Privacy and Security Official

Disclaimer: CMA/PrivaPlan PrivaGuide: Choosing a Privacy and Security Official.

The information provided in this document does not constitute, and is no substitute for, legal or other professional advice. Users should consult their own legal or other professional advisors for individualized guidance regarding the application of the law to their particular situations, and in connection with other compliance-related concerns.


 

PrivaGuide: Choosing a Privacy and Security Official

By Lesley Berkeyheiser and David Ginsberg


 

Introduction

HIPAA requires that one person in your organization be designated as the Privacy Official. The Privacy Official is responsible for developing and implementing the HIPAA privacy policies and procedures, and may assign various HIPAA compliance responsibilities to other individuals within the organization. HIPAA also requires that one person in your organization be designated as the Security Official. The Security Official is responsible for developing and implementing the policies and procedures related to the Security Rule (safeguarding electronic PHI), and may likewise assign responsibilities to other individuals within the organization. The Privacy Official and the Security Official can be the same individual. In either case, HIPAA requires that you formally assign, and document, privacy and security responsibilities to one or more named individuals.

How to do this:

This section contains implementation and maintenance suggestions for choosing and documenting your Privacy Official and Security Official. "Implementation" suggestions relate to the initial steps you take to get into HIPAA compliance. "Maintenance" suggestions relate to on-going activities. Your implementation policy and procedure documentation should be based upon your specific needs and on your understanding of how the HIPAA privacy and security regulations and California law apply to you.

PROCEDURE — CHOOSING A PRIVACY OFFICIAL

  • Implementation Suggestion: In Stat Step 1 you selected a member of the workforce to act as the Privacy Official and the Security Official. HIPAA requires documentation! Using the document template "Job Responsibilities with Respect to PHI", record the name and title of the Privacy and Security Official(s) you selected and the date of the selection.
  • Implementation Suggestion: It may be important for your “corporate” records to also document the selection of a Privacy and Security Official(s) and the adoption of a HIPAA Privacy and Security Compliance program! For this reason you should consider passing a resolution at the next Board meeting of your corporation and recording into the corporate minutes the adoption of a HIPAA Privacy and Security Compliance program and the assignment of the Privacy and Security Official(s). Please contact your corporate attorney for more information! (Note: This suggestion is not a HIPAA requirement, however it serves the purpose of increasing awareness by the practice owners and providing the Privacy and Security Official(s) with sufficient management mandate to accomplish HIPAA required tasks such as sanctioning members of the workforce who violate HIPAA).
  • The Office Manager is likely the most common choice for Privacy and Security Official. Other choices could be the lead physician or a medical records staff member.
  • Implementation Suggestion: Determine the names and/or job titles of the people who are responsible for the following:
    1. Processing requests from the patient or their personal representative for access to protected health information. Access includes inspection, request for restriction of uses and disclosures (special privacy protections), requests for amendment and/or requests for alternate confidential communication channels. Members of your office staff should know in advance who is responsible for addressing all requests for protected health information.
    2. Processing requests from law enforcement, legal sources or public “purposes” (for example a state or federal health agency) for access to protected health information. This access is usually confined to inspection. Your practice may choose to have such requests only handled by the Privacy Official and not by subordinate staff.
    3. Processing requests (and recording them) for an “accounting of disclosures.” HIPAA allows the patient (or their personal representative) to obtain an “accounting of disclosures”.
    4. Receiving and recording complaints. Patients need to clearly know to whom they can talk if they wish to complain about how PHI that relates to them is being handled.
    5. Developing and maintaining the privacy policy. The work you are doing with PrivaPlan ultimately is creating a “privacy policy” as well as the other necessary steps to complete a compliance project. Thus, it is important to identify who is responsible for this effort. Usually this will be the Privacy Official.
    6. Developing and maintaining the security policy. Security policies relate to the technical security areas defined in Stat Step 4.
    7. Developing and maintaining the sanctions policy. If an employee or other member of the workforce violates your HIPAA Privacy or Security policy who will discipline them and what will the punishment be? Perhaps in your practice only the physician can “fire” an employee. In this case, if the Privacy Official is the Office Manager, you must document that it is the physician who will “sanction” employees!
    8. Developing and maintaining procedures. The procedures describe how you will implement and maintain the policies!

    Document these names and job responsibilities on the Job Responsibilities with Respect to PHI form.

  • Maintenance Suggestions:
    1. Complete a job description for the Privacy Official. A sample can be found in the Privacy Official Job Description procedure in the Procedures Manual Template or as an appendix to this PrivaGuide.
    2. Stay up to date with changes in HIPAA or State laws that affect Privacy and Security. PrivaPlan will release periodic updates with new Federal laws or clarifications. These updates should be reviewed by the Privacy Official and where necessary implemented. The Privacy Official should document their periodic review of such updates or changes. Additionally, the Privacy Official should document any training or continuing education they obtain.
    3. Keep the lists of assignments of functions up to date, routinely monitor for changes in staff, as well as changes in job functions and change the lists accordingly. As responsibilities change in the practice due to staff turnover, or HIPAA itself changes, the Privacy Official must maintain a written record of these changes.
    4. If the Privacy Official leaves the workforce, the practice must immediately name a new Privacy Official. If the Official was named in the Notice a revised Notice of Privacy Practices is necessary (see PrivaGuide: “Notice, Acknowledgement and Restriction Requests”).

PROCEDURE — CHOOSING A SECURITY OFFICIAL

  • Implementation Suggestion: Determine the names and/or job titles of the people (even if they are an outside consultant or your system vendor) who are responsible for the following:
    1. Creating an inventory of the security assets, that is, the location and description of all electronic PHI.
    2. Determining the threats to this inventory of electronic PHI and the probability that each threat will occur.
    3. Determining and implementing safeguards and measures to minimize these threats.
    4. Developing and maintaining contingency plans (how to operate in an emergency or during a system failure).
    5. Developing and maintaining data backup and restore functions.
    6. Developing and maintaining passwords and related access and authorization procedures.
    7. Developing and maintaining hardware and software installation procedures, version control, and inventory.
    8. Developing and maintaining physical and administrative safeguards (in coordination with the Privacy Official if they are a separate individual).
    9. Developing and maintaining the security policy. The work you are doing with PrivaPlan ultimately is creating a “security policy” as well as the other necessary steps to complete a compliance project. Thus, it is important to identify who is responsible for this effort. Usually this will be the Security Official.
    10. Developing and maintaining workforce security training and sanctions policy. If an employee or other member of the workforce violates your HIPAA Security policy who will discipline them and what will the punishment be? Perhaps in your practice only the physician can “fire” an employee. In this case, if the Security Official is the Office Manager, you must document that it is the physician who will “sanction” employees!
    11. Developing and maintaining security procedures. The procedures describe how you will implement and maintain the policies!

    Document these names and/or job responsibilities on the Job Responsibilities with Respect to PHI form.

  • Maintenance Suggestions:
    1. Complete a job description for the Security Official. A sample can be found in the Security Official Job Description procedure in the Procedures Manual Template or as an appendix to this PrivaGuide.
    2. Stay up to date with changes in HIPAA or State laws that affect Security. PrivaPlan will release periodic updates with new Federal laws or clarifications. These updates should be reviewed by the Security Official and where necessary implemented. The Security Official should document their periodic review of such updates or changes. Additionally, the Security Official should document any training or continuing education they obtain.
    3. Keep the lists of assignments of functions up to date, routinely monitor for changes in staff, as well as changes in job functions and change the lists accordingly. As responsibilities change in the practice due to staff turnover, or HIPAA itself changes, the Security Official must maintain a written record of these changes.
    4. If the Security Official leaves the workforce, the practice must immediately name a new Security Official. If the Official was named in the Notice a revised Notice of Privacy Practices is necessary (see PrivaGuide: "Notice, Acknowledgement and Restriction Requests").

Is the Office Manager the best choice for Security Official? This depends. The Security Official needs some level of computer knowledge. In small practices it may be practical to have this job shared with the Privacy Official. Other choices include your network administrator, if you have someone in house doing that, or even an outside vendor or consultant. Whoever is chosen, the practice remains the covered entity and stays responsible for the Security Official's duties; delegating the role to an outside party does not delegate that responsibility.

About the Authors:

This PrivaGuide has been greatly improved and customized by the California Medical Association, specifically through the work of Catherine I. Hanson, Vice President and General Counsel of the CMA, and Steven M. Fleisher, Esq. of Fleisher and Associates.

Lesley Berkeyheiser

Ms. Berkeyheiser has over twenty years' experience in the healthcare industry, most of it involving managed care, including direction and management of healthcare operations at various renowned health plans. She is Principal and founder of The Clayton Group, LLC, an independent consulting company specializing in healthcare issues including Health Insurance Portability and Accountability Act of 1996 (HIPAA) preparation work, business development and technology. She has created and/or maintains ownership in various HIPAA remediation products, including HIPAA training products (PrivaPlanED), gap analysis (PrivaPlan), and HIPAA policies and procedures (Clayton MacBain HIPAA Templates). She actively participates as Co-Chair for Security and Privacy, and was past Leader of the Vendor Technologies Interdependencies subgroup, of the Workgroup for Electronic Data Interchange Strategic National Implementation Process (WEDi SNIP). This gives her extensive and current knowledge of HIPAA remediation solutions.

Ms. Berkeyheiser can be contacted at The Clayton Group, 53 Bethel Road, Glen Mills, PA 19342. Telephone: (610) 558-3332. E-mail: lberkeyheiser@theclaytongroup.org.

David Ginsberg

Mr. Ginsberg is President of PrivaPlan Associates, Inc. and is one of the founders.

David Ginsberg is a healthcare consultant with over twenty-five years' experience. Most recently he organized, and is Executive Director of, the Colorado Physician Network, a statewide network of 2500 physicians. Mr. Ginsberg was also Vice President of Intellectron/Medcobill, a large regional physician practice management and billing company providing services to over 1000 physicians in California; during this time he implemented the second Medicare electronic claims transmission program of its kind and pioneered an EDI solution for Medicaid.

Mr. Ginsberg has expertise in managed care operations, IPA development, physician-hospital strategic planning, practice management consulting, and compliance issues.

Mr. Ginsberg can be contacted at David A. Ginsberg Consulting, 3 Monte Alto Way, Santa Fe, NM 87508. Telephone: (877) 218-7707. E-mail: dginsberg@PrivaPlan.com.

APPENDIX — SAMPLE PRIVACY OFFICIAL JOB DESCRIPTION

Job Title:

Privacy Official

Job-Sharing? Yes — this job is performed by the Office Manager

Job Description:

The privacy official is responsible for implementing and maintaining this practice’s HIPAA Privacy and Security requirements.

Reporting structure:

The privacy official reports directly to the physician in charge.

Job Duties:

  1. Develop, implement and maintain this practice’s HIPAA Privacy and Security policies.
  2. Develop, implement and maintain this practice’s HIPAA Privacy and Security procedures and forms.
  3. Develop and implement this practice’s HIPAA records filing system.
  4. Handle all patient privacy complaints in accordance with this practice’s complaint procedure.
  5. Mitigate the effects of any unauthorized use or disclosure of PHI or other privacy and security violations.
  6. Implement appropriate safeguards for protection from intentional or unintentional unauthorized uses and disclosures of PHI.
  7. Handle all patient requests for access to their PHI in accordance with this practice’s access procedure, including requests for access to psychotherapy notes as well as requests for information related to minors and requests from minors.
  8. Handle all patient requests for amendment to their PHI in accordance with this practice’s amendment procedure.
  9. Handle all patient requests for alternate confidential communication channels in accordance with this practice’s confidential communication channel procedures.
  10. Handle obtaining individual permission from patients, or their personal representatives including oral permission and authorizations in accordance with this practice’s individual permission procedure.
  11. Handle requests for special privacy protections in accordance with this practice’s special privacy protection procedures.
  12. Handle the publishing and maintenance of this practice’s Notice of Privacy Practices in accordance with this practice’s procedure for Notice.
  13. Handle obtaining written acknowledgements of receipt of this practice’s Notice of Privacy Practices in accordance with this practice’s acknowledgement procedure.
  14. Handle review and response to requests for an accounting of disclosures in accordance with this practice’s procedure for disclosure accounting.
  15. Handle access requests by law enforcement, subpoenas, court orders, and public purpose entities in accordance with this practice’s procedures for this access.
  16. Handle patient requests to designate a personal representative in accordance with this practice’s personal representative procedure.
  17. Handle requests for access, amendment, confidential channels, obtaining acknowledgement, special privacy protections, and other requests from the patient’s personal representative in accordance with the relevant procedure for these requests.
  18. Handle requests for access to PHI related to deceased individuals in accordance with this practice’s procedure on deceased individuals.
  19. Ensure the minimum necessary rule is applied to access, request and disclosure events within this practice, in accordance with this practice’s minimum necessary procedure.
  20. Ensure regulatory currency for this practice in accordance with this practice’s regulatory currency procedure.
  21. Ensure that records are retained in accordance with this practice’s records retention procedure.
  22. Handle all workforce training and awareness programs in HIPAA Privacy and Security requirements in accordance with this practice’s workforce training procedure.
  23. Handle all workforce sanctions where any member of this practice's workforce intentionally or unintentionally violates any of this practice's privacy or security policies.
  24. Ensure all business associates are identified and have signed business associate agreements in accordance with this practice’s business associate policy.
  25. Cooperate with any privacy investigation by the Department of Health and Human Services.
  26. Handle any other privacy and security practice as defined in this practice’s Notice of Privacy Practices.

APPENDIX — SAMPLE SECURITY OFFICIAL JOB DESCRIPTION

Job Title:

Security Official

Job-Sharing? Yes — this job is performed by the Office Manager who is also the Privacy Official

Job Description:

The security official is responsible for implementing and maintaining this practice’s HIPAA Security requirements.

Reporting structure:

The security official reports directly to the physician in charge.

Job Duties:

  1. Complete the risk analysis and periodically review and revise.
  2. Assess the threats to electronic PHI.
  3. Implement safeguards to minimize these threats and periodically monitor these safeguards to be sure they are working. This will encompass both technical and non-technical issues.
  4. Implement contingency plans such as emergency mode operations (finding alternate locations to run critical applications like billing, appointment scheduling or electronic medical records).
  5. Implement the data backup process, including identifying who will take backup tapes off site.
  6. Maintain and periodically check the backup process, including ensuring tapes are taken off site and not damaged in transit, and periodically test that a backup can actually be restored.
  7. Manage restoring data when the system fails and the most recent backup is needed, or during emergency mode operations.
  8. Manage access authorization (passwords, user IDs) for all applications and systems and for all workforce (includes granting access, changing access privileges, terminating privileges and access).
  9. Coordinate (with the human resources person, office manager or other appropriate party) workforce clearance procedures for all new hires and for existing staff who may require increased privileges (if applicable).
  10. Implement and manage physical safeguards (or coordinate with Privacy Official if separate personnel).
  11. Implement and manage administrative safeguards (or coordinate with Privacy Official if separate personnel).
  12. Implement security incident reporting.
  13. Respond to security incident reporting including investigating incidents and if necessary correcting vulnerabilities (mitigation).
  14. Review business associates and implement business associate agreements with business associates who use electronic PHI (or coordinate with Privacy Official if separate personnel).
  15. Implement workforce sanctions for members of workforce who violate this organization’s security policies and procedures (or coordinate with Privacy Official if separate personnel).
  16. Implement workforce security training and awareness and maintain training programs (or coordinate with Privacy Official if separate personnel).
  17. Ensure all new hardware that is connected to the existing system is secure (virus free, has all security programs running and so forth).
  18. Ensure that all new software applications that are installed on the existing system, or that will interface with the existing system, are secure (virus free, with security features such as passwords installed and enabled).
  19. Maintain version control (downloading security patches, updating virus and firewall software).
  20. Manage user identification and authentication systems that are software, hardware and password related.
  21. Manage the information systems activity review procedures and audit procedures.
  22. Ensure ePHI integrity.
  23. Ensure appropriate encryption or protection of any ePHI that is transmitted.
  24. Routinely evaluate security and audit processes. Keep the triggering events chart (HIPAA Ready Reference under Document Templates) up to date.
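Duties 8 and 21 above (terminating access and running information systems activity review) are the ones a Security Official most often has to turn into a repeatable check. The script below is an added illustration, not CMA or PrivaPlan material and not part of any vendor's product: it reviews a constructed EHR audit-log export and flags access by accounts that should no longer exist, access outside a user's role (the minimum necessary idea), after-hours access, and exports of ePHI. The log format, the roster, the role names and the business hours are all assumptions for illustration; substitute the audit export and role definitions of your own system.

```python
"""Information systems activity review over constructed EHR audit-log lines.

Added example (not CMA/PrivaPlan material). Log format, role names, roster,
terminated-account list and business hours are assumptions for illustration;
map them to your own system's audit export and staffing records.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export: one line per access to a patient record.
# Fields: timestamp | user id | action | patient id | record type
SAMPLE_LOG = """\
2024-03-04T08:12:05 jsmith  READ   P1001 chart
2024-03-04T08:14:40 jsmith  READ   P1002 chart
2024-03-04T12:30:11 bjones  READ   P1001 billing
2024-03-04T12:31:02 bjones  READ   P1001 chart
2024-03-04T23:47:19 jsmith  READ   P1003 chart
2024-03-05T09:05:55 rlee    READ   P1004 chart
2024-03-05T09:06:30 rlee    EXPORT P1004 chart
2024-03-05T10:00:00 ghost   READ   P1005 chart
"""

# Assumed roster of the current workforce and the record types each role
# needs to see (billing staff do not need clinical charts).
ROSTER = {
    "jsmith": {"role": "clinician", "allowed": {"chart", "billing"}},
    "bjones": {"role": "billing",   "allowed": {"billing"}},
    "rlee":   {"role": "clinician", "allowed": {"chart", "billing"}},
}
# Assumed list of accounts whose access should already have been terminated.
TERMINATED = {"ghost"}
# Assumed business hours, 07:00 to 19:00 local time.
BUSINESS_HOURS = (7, 19)


def parse_line(line):
    """Split one audit line into a dict; timestamps are ISO 8601."""
    ts, user, action, patient, rtype = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "action": action,
        "patient": patient,
        "rtype": rtype,
    }


def review_activity(log_text, roster=ROSTER, terminated=TERMINATED,
                    hours=BUSINESS_HOURS):
    """Return (rule, user, raw_line) findings for the Security Official to review."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user = ev["user"]
        # An account that is terminated or simply unknown is the highest priority.
        if user in terminated or user not in roster:
            findings.append(("unknown-or-terminated-account", user, raw))
            continue
        # Access to a record type the user's role does not need.
        if ev["rtype"] not in roster[user]["allowed"]:
            findings.append(("outside-role-minimum-necessary", user, raw))
        # Access outside normal hours is not a violation by itself, but worth a look.
        if not hours[0] <= ev["ts"].hour < hours[1]:
            findings.append(("after-hours-access", user, raw))
        # Any export of ePHI leaves the system and should be accounted for.
        if ev["action"] == "EXPORT":
            findings.append(("export-of-ephi", user, raw))
    return findings


def summarize(findings):
    """Count findings per rule, suitable for the written record of the review."""
    counts = defaultdict(int)
    for rule, _, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review_activity(SAMPLE_LOG)
    for rule, user, line in results:
        print(f"{rule:32} {user:8} {line}")
    print(summarize(results))
```

Run it against a real export and keep the summary with the dated review record; the point is that the review is performed the same way each period and that the roster used to judge "outside role" is the one the Security Official actually maintains under duty 8.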
