Blog Post

HIPAA Designated Privacy Officers

Richard P. Kusserow | February 2019

Under HIPAA (Health Insurance Portability and Accountability Act of 1996) every HIPAA covered entity must have a designated Privacy Officer. Results from the Ninth Annual Healthcare Compliance Benchmark Survey, conducted in 2018 by SAI Global and Strategic Management Services, found that three quarters of responding organizations reported that their Compliance Officer also served as their Privacy Officer. The Benchmark Survey also found that HIPAA was the number one compliance priority for the majority of organizations. A large organization may have a designated individual or even several people assigned to handle the duties of a Privacy Officer. But in smaller organizations, the individual tasked with acting as a Privacy Officer will likely be part-time and have intermittent time or effort to deal with HIPAA issues. Whatever the size of the organization, the person selected to be the Privacy Officer may face a seemingly impossible mission if the individual does not have the appropriate expertise.

Learn About Our HIPAA Compliance Services

Contact Us Today

Lisa Shuman has served as a Designated Privacy Officer (DPO) and consultant for a number of clients. In working with clients, she has found HIPAA to be a major challenge for most Compliance Officers. Especially since the HIPAA Privacy Officer has formidable duties and responsibilities, requiring vast knowledge and expertise that is often difficult to find within an organization.  As such, many companies are turning to outside HIPAA experts such as DPOs, especially smaller organizations that cannot afford to employ a full-time Privacy Officer with all the required expertise, knowledge, and experience. The use of DPOs may arise for a variety of reasons, but most often it is because the organization just does not have the size or resources to warrant having a full-time Privacy Officer. Also, an organization often cannot use someone part-time because of the time and effort required to stay current with the complexities of the laws, regulations, and HIPAA guidelines.  In addition, the work of the Privacy Officer ebbs and flows unevenly but can quickly peak with a data breach incident.  Lisa Shuman cites several advantages of using a DPO, including the following:

  • An organization does not have to pay the cost of a full-time employee;
  • DPOs are more efficient, because they already have HIPAA knowledge;
  • The organization only has to pay for the hours spent on privacy issues;
  • The DPO brings experience and detailed knowledge of federal and state privacy laws/regulations;
  • The DPO has prior experience in dealing with privacy issues, data breaches, and HIPAA risk assessment requirements;
  • The organization has better risk protection with a well informed and experienced DPO;

Regardless of the size of your organization, Designated Privacy Officers offer specialized knowledge and experience that can benefit any HIPAA Privacy Program. Strategic Management provides many services related to HIPAA, including DPO services. For more information, contact Lisa Shuman MPA, CHC, CHPC, CHRC at [email protected] or (703) 236-1272.

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing and assessing compliance programs.

Subscribe to blog