For discussion only. Do not cite without permission. Contribute by editing this document directly. Use the Discussion section below for suggestions.

The Privacy Team of a Health Facility

The Privacy Officer

In so far as practicable, a Privacy Officer (PO) shall be designated at each health facility. The PO's identity shall be made known to any data subject upon request. It is recommended that the PO be at the VP level (or equivalent) so that he or she has sufficient authority to uphold privacy in the institution. Rural health units (RHUs) and larger health facilities are expected to have some personnel with specialized privacy roles. In a facility where a plantilla position for a privacy officer cannot be immediately secured, a Privacy Officer Designate shall be appointed.


  • Hospitals with an authorized bed capacity of at least 300 shall employ a full-time privacy officer. Hospitals with an authorized bed capacity of less than 300 and other health facilities (infirmaries, birthing homes, BHS, OFW clinics, dialysis clinics, ambulatory surgical clinics, psychiatric facilities, etc.) may federate and designate a shared privacy officer.

*The Development Management Officer (DMO) shall be assigned as the Privacy Officer Designate for Rural Health Units. This is in addition to his or her responsibilities as DMO.


Qualifications

  • At least a bachelor's degree in management, information systems, human resources, health administration, or another relevant field
  • A minimum of 5 years' experience in health care or data security
  • Familiarity with regulatory developments and compliance, including standards, laws, and regulations concerning information security and privacy
  • Familiarity with the business functions and operations of large institutions (preferably health-related)
  • Strong organizational and problem-solving skills
  • Ability to work effectively with teams and stakeholders
  • Ability to communicate clearly, both orally and in writing

Roles and Functions

  • Ultimately, the Privacy Officer (PO) is the person responsible for privacy policy compliance at the health facility. The PO is not automatically the personal information controller, i.e. the party "who controls the collection, holding, processing or use of personal information." While the controller is directly accountable for the protection of privacy, the PO sees to it that overall compliance is observed across the institution.
  • The PO is responsible for developing and implementing privacy policies and procedures.
  • The PO assumes advocacy, capacity-building, and stakeholder-engagement functions.
  • The PO manages the privacy aspect of the different areas of operations.
  • The PO and the privacy team shall identify the privacy governance structure from the national level down to the RHU and align their facility's privacy goals and initiatives with it.
  • The PO determines who is authorized to collect data, delegates data collection to staff accordingly, and regularly audits the quality and integrity of patient records.
  • The PO ensures that the entire process of editing data is documented: the request for the edit, the reason for the edit, who made the edit, the process followed, and the closure of the edit request.
  • The PO identifies how protected health information (PHI) is created, stored, used, or disclosed in paper and electronic form and maintains an inventory of how all PHI is used or disclosed.
  • The PO is the contact person responsible for receiving complaints and for providing individuals with further information about matters contained in the health facility's Privacy Protocols.
  • The PO maintains a record of complaints together with a brief description of how each was resolved.
  • The PO distributes the health facility's privacy protocols to all new patients and posts the current privacy protocols on the institution's website or on its public bulletin boards.
  • The PO continually updates the staff's knowledge of privacy rule guidelines, developments, and new regulations, and trains the workforce on these requirements. The PO shall update the health facility's privacy protocols, acknowledgement forms, authorizations, consents, and other forms as required, and ensures that the workforce adheres to the policies and procedures, including imposing sanctions on workforce members who breach an individual's privacy.
  • The PO communicates technical and legal information effectively to non-technical and non-legal staff for employee training.
  • The PO and the privacy team shall account for the devices used in the facility and ensure that devices containing electronic PHI are encrypted as required by the health facility's privacy protocols.
  • The PO shall review all business associate agreements or contracts for privacy compliance.
  • The PO shall apply sanctions consistently, in accordance with the facility's policies and procedures.
  • The PO shall regularly communicate the status of legal complaints, risks, and sanctions imposed on workforce members.
  • The PO shall serve as the facility's resource for regulatory and accrediting bodies on matters relating to privacy and security.
  • The PO shall perform system and data-quality checks, verify compliance with the reporting form, and ensure the safekeeping of backup data.
  • The PO shall coordinate privacy safeguards with the facility's security officer to ensure consistency in the development, documentation, and training for security and privacy requirements.
  • The PO shall coordinate audits by the National Health Privacy Board or any other governmental or accrediting organization and communicate their results to facility leaders.
  • The PO shall coordinate with the institution's risk manager (if any) to address privacy risks.
  • The PO reports directly to the hospital director, president, or board of directors.

  • While the PO is responsible for privacy management and compliance, he or she may delegate responsibilities to others within the organization, provided they are trained and communicate promptly with the PO on these matters.

See Also