The mission of the Privacy Office is to create, administer, and maintain a business transaction framework of best practices for privacy compliance throughout the spectrum of Springfield Clinic business operations. The Privacy Office reviews and translates into policy relevant ethical, legal, accreditation, and regulatory standards, to ensure that Springfield Clinic is able to provide the highest quality of healthcare privacy to the people of central Illinois.
DEFINITION OF PRIVACY OFFICER
The Privacy Officer is a person designated by an organization that routinely handles protected health information to develop, implement, and oversee the organization's compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) privacy rules. As the point of contact for all patient privacy issues, she is also known as the entity's Contact Person.
Privacy Officers ensure the privacy of protected healthcare information shared between beneficiaries and their providers, and protect such private information from unauthorized access. They also oversee all activities related to the development, implementation, maintenance, and adherence to the covered entity’s policies and procedures. Information Privacy Officers allow access to patient health information only in compliance with federal and state laws and the healthcare organization’s information privacy practices.
The scope of work of the Privacy Office includes monitoring regulations, standards, and industry trends relative to healthcare privacy, with application of this knowledge base to Springfield Clinic operations, translation into policy, and privacy education of the workforce. She serves as the contact point for the Office of Civil Rights and Illinois Attorney General for privacy investigations, internally mitigates and reports privacy incidents, assists patients with their privacy rights and forms translation, and evaluates Business Associate contracts.
The Privacy Office is a functional component of the Enterprise Risk Management Program.
THE PRIVACY OFFICE REPORTING RESPONSIBILITY
The Privacy Officer (PO) reports directly to the Chief Information Officer (CIO). The PO reports a summary of incidents to the Compliance Committee and to Springfield Clinic Administrators. Administration refers risk acceptance and other high-level reviews to the Board of Directors for direction or approval.
The Privacy Officer is authorized to:
- Have unrestricted access to protected health and billing information in evaluating compliance and risk.
- Certify status (declare compliance) of the Organization regarding privacy-related laws.
- Assign risk ratings to issues from annual Gap Analysis/Risk Assessment for privacy practices.
- Implement systems or procedural modification as required to achieve and maintain compliance with Federal and State Law including but not limited to: HIPAA Privacy rules, HITECH, FACT Act, Orders of Protection, Federal Rules of Civil Procedure, Illinois Combined Statutes, Worker’s Compensation, Mental Health and Developmental Disability, Alcohol and Substance Abuse, Illinois Divorce law, Emancipation of Minors, Protected Minors, and Genetic Testing.
- Modify internal operations in all business areas by working with Directors as required for privacy and security compliance.
- Determine Springfield Clinic Policy regarding privacy practices, and transactions affecting patient rights or the legal health record.
- Minimize risk of inappropriate access, use, disclosure, storage, retention, or destruction of protected health and billing information, as well as confidential business information via ongoing review and revision of enterprise-wide procedures.
- Recommend the appropriate level of sanction for privacy-related violations, and notify Human Resources when a violation has occurred in order to ensure that corrective actions are consistently enforced.
- Contact legal counsel when urgent matters do not allow for administrative prior approval.
- Request Internal Audit to conduct change management audits on compliance modifications to operations to ensure ongoing cooperation.
- Evaluate personal, reputational, or financial risk to the patient for privacy violations, and determine whether government and patient notification are required by HITECH Rules.
- Exercise financial, human resource, and management responsibilities consistent with Director-level positions.
PO COMPLIANCE REPORTING RESPONSIBILITIES
The Privacy Officer has the responsibility to:
- Report to the Compliance Committee regarding HIPAA violations, deliverables, and new legal requirements as they arise.
- Report privacy metrics to Administration.
- Report issues to the CIO prior to attorney contact (excluding emergent circumstances).
- Report to the CIO any violations committed by a Physician.
- Report to the Human Resources Director when a privacy incident requires sanction, so that these are applied consistently across the enterprise.
- Assist the other Springfield Clinic compliance professionals with any external review or investigation, or any internal incident response initiatives.
- Respond for Springfield Clinic to the Office of Civil Rights or Attorney General’s Office when an investigation is initiated, and until resolution.
- Notify the patient when a violation of privacy is determined to have potential for personal, reputational or financial damages.
- Report to the Department of Health and Human Services any violations that required patient notification, or any individual data breach violation involving 500 or more patients.
- Provide privacy compliance advice to the Springfield Clinic workforce when policy does not provide clear direction regarding issue resolution.
- Interpret patient directives for proper observance of legal authority.
- Assist with ePHI systems selection, and with planning recovery from any systems malfunction affecting legal health record documentation.
- Assist OHCA associates with understanding and structure of the legal health record, and with workflow processes for especially sensitive records.
- Review merger electronic record systems for integration planning, assist with data mapping and transfer procedures, and assure that the prior practice's legal health record is retained for medicolegal and audit purposes.
The PO should administratively remain independent of operations management to be fully functional in objectively applying standards to workflow and transactions across departmental lines without bias.
STANDARDS OF PRIVACY PRACTICE
The PO maintains active membership in the American Health Information Management Association (AHIMA) as well as the State (ILHIMA) and Regional (CIHIMA) branches of this Organization, incorporating professional ethics, continuing education, and best practice standards into all functions.
The Privacy Officer should annually re-assess whether the mission, authority, and responsibility, as defined in this charter, continue to be adequate to enable the Privacy Office to accomplish its objectives. The result of this periodic assessment should be communicated to the Chief Human Resources Officer.