Ultimately, the Privacy Officer (PO) is the person responsible for privacy policy compliance at the health facility. The privacy officer is not automatically the personal information controller “who controls the collection, holding, processing or use of personal information.” While the latter is directly accountable for the protection of privacy, the PO sees to it that overall compliance is observed at the institution.
The PO is responsible for developing and implementing privacy policies and procedures.
The PO assumes advocacy, capacity-building, and stake-holding functions.
The PO manages the privacy aspects of the different areas of operations.
The PO and the privacy team shall identify the governance structure from the national level down to the RHU and align their facilities' privacy goals and initiatives with it.
The PO ascertains the authority and delegates data collection to staff. He or she regularly audits the quality and integrity of patient records.
The PO ensures that the entire process of editing data is documented: request for editing, reason for editing, who did the editing, the process followed in editing, and closing the editing.
The PO identifies how protected health information (PHI) is created, stored, used or disclosed in paper and electronic format and maintains an inventory of how we use or disclose all PHI.
The PO is the contact person responsible for receiving complaints and providing individuals with further information about matters contained in the health facility's Privacy Protocols.
The PO maintains a record of complaints and a brief description of how they were resolved.
The PO distributes the health facility's privacy protocols to all new patients and posts the updated health facility's privacy protocols on the institution's website or on its public bulletin boards.
The PO continually updates the staff's knowledge of privacy rule guidelines, developments, and new regulations and must train the workforce on these requirements. The PO shall update the health facility's privacy protocols, acknowledgement forms, authorization, consents, and other forms as required and ensure that the workforce adheres to the policies and procedures, including imposing sanctions on workforce members that breach an individual's privacy.
The PO effectively communicates technical and legal information to nontechnical and non-legal staff for employee training.
The PO and privacy team shall account for devices used in the facility and ensure devices containing electronic protected health information are encrypted as required by the health facility's privacy protocols.
The PO shall review all business associate agreements or contracts for privacy compliance.
The PO shall consistently apply sanctions, in accordance with the facility's policies and procedures.
The PO shall regularly communicate the status of legal complaints, risks, and sanctions imposed on workforce members.
The PO shall serve as the practice's resource for regulatory and accrediting bodies on matters relating to privacy and security.
The PO shall perform system or quality data checks, and see to compliance on the reporting form and the safekeeping of backup data.
The PO shall coordinate privacy safeguards with the practice's security officer to ensure consistency in development, documentation, and training for security and privacy requirements.
The PO shall coordinate and communicate to practice leaders and audits of the National Health Privacy Board or any other governmental or accrediting organization.
The PO shall coordinate with the institution's risk manager (if any) to address privacy risks.
The PO reports directly to the hospital director, president, board of directors.