The Canadian Bar Insurance Association

What does a privacy officer do in a health care organization?

By Kate Dewhirst

I train privacy officers to understand their role. So, what does a privacy officer do for a health care organization?

In Ontario, every health care organization must have a “contact person” to do the following five tasks:

  1. Facilitate compliance with the health privacy law, PHIPA
  2. Ensure that everyone who works for the organization is informed of their privacy duties
  3. Respond to inquiries from the public about their information practices
  4. Respond to requests of an individual for access to or correction of their health information
  5. Receive complaints from the public about privacy breaches

These five tasks of a privacy contact person are broadly worded. So, what do they mean in practice? And does a privacy officer have to do all of them? What activities should be included in a privacy officer job description or at least assigned to someone in your organization?

Think about … a privacy champion who …

  1. Oversees the design, implementation, monitoring and reporting on the privacy compliance program and control measures to comply with legislation and best practice
  2. Maintains the relevant documentation of the privacy program
  3. Conducts a privacy inventory of personal health information
  4. Acts as organizational go-to person for privacy (answers questions from team members)
  5. Answers questions from the public and patients and their families
  6. Tracks privacy incidents and themes
  7. Makes presentations to senior leadership and board
  8. Keeps up-to-date on privacy developments and shares those with the team and leadership – including in Ontario the transition and development of a provincial health record and opportunities for sharing of information with other health care organizations to coordinate care
  9. Liaises with the external privacy consultants and lawyers
  10. Delivers or organizes privacy training
  11. Responds to requests for access and correction (including requests for records outside the traditional health record)
  12. Responds to requests for release of information to third parties (such as insurance companies, police, WSIB, children’s aid societies, regulatory colleges)
  13. Reviews vendor agreements to ensure adequate privacy terms are included
  14. Conducts or coordinates the privacy impact assessments and threat risk assessments with security
  15. Initiates, investigates and manages the privacy breach protocol (including communicating with team members and affected patients/individuals, liaising with key internal and external stakeholders such as the privacy commissioner, regulatory colleges, police and media, and managing mandatory reporting obligations)
  16. Considers disciplinary action in response to poor privacy practices by team members
  17. Considers insurance needs

These activities do not have to be completed by a single person or “privacy officer” – but they must be performed by someone. For example, it is unusual to have the privacy officer do routine access and correction or release of information responses. But the privacy officer may need to be involved to resolve complicated requests.

Depending on the size of your organization, you may need a privacy committee to address the tasks of the privacy officer.

I am relaunching my privacy officer training in October/November 2017. If you are interested, all the details are here.

Read More at Kate Dewhirst Health Law Blog
