Author Archives: Amy Schultz

I’m a HIPAA Privacy Manager. What’s That Mean?

The Privacy Department is led by the HIPAA Privacy Manager, but who is the Department? For some small organizations, it’s just the Privacy Officer. For others, there is a team of people who work diligently to keep the Privacy Officer informed and the organization compliant. When someone asks what you do for a living, how would you explain it? If I say to staff that I’m a Privacy Manager, I typically get blank stares. I then mention HIPAA or Patient Rights, and that’s when I get a head nod or two.

Privacy Officer sounds official, but honestly, what I do every day is way more involved in privacy operations than your typical privacy officer. This is the time to learn and soak up everything you can. Having a team is so important, even if it’s just one extra person. The Privacy Officer is limited without the people who make the department functional every day. Whether you’re a specialist just starting out or a manager like me with years of experience, the daily grind is tackled by us. We are diligent and timely in keeping our patients’ PHI safeguarded, giving our colleagues guidance, and keeping our organization compliant. It really falls to the department team. With that said, credit is due to the unicorns of the privacy world who work for smaller organizations and run the whole privacy office by themselves. I know they are out there, and I applaud you all.

The daily operations are our bread and butter, from handling the daily investigations and incident reports to addressing patients’ requests and helping our colleagues with privacy concerns/questions. All the daily tasks add up to enable us to be the privacy subject matter experts for our company. But is it enough? How many years of experience or certifications does it take to rise to the privacy officer title? What other traits are required?

I’m fortunate to work in a multifunctional healthcare organization that has allowed me to experience a variety of privacy scenarios over my time, from occupational health to continued care, urgent care, and hospitals. I think it’s important to experience as much as you can to really feel confident in your decisions and take accountability for the department. This can be the difference between a team member and a department leader. I think a lot can be said about being not only a sponge for information but also motivational. A positive mindset has always been a strong trait I would encourage any leader to possess. We should be thinking of this as we continue to strengthen our craft.

In the healthcare privacy space, where do you see yourself in five or ten years? For me, it’s always been as a Privacy Officer, the end game. But what does it take to get there? I have spent over 13 years in the healthcare compliance/privacy industry and still feel like I’m learning something new every day. The policies, rules, and laws change, so we adapt. This industry keeps evolving and growing, so my advice is to do the same. 

Helping people must be a big part of this journey, personally and professionally. Learning and becoming an expert in the healthcare privacy field can make it possible to help fellow colleagues and patients every day. As I continue my role, I hope to never forget this. What we do as privacy experts is important. We may be behind the scenes, but we keep our company compliant and lawful. We keep striving to be better than we were yesterday and help those who need it. Continue to do the work, keep your company HIPAA compliant, and never stop learning. One day, you might be a Privacy Officer. 



The post I’m a HIPAA Privacy Manager. What’s That Mean? appeared first on The HIPAA Journal.

The Human Side of HIPAA Privacy is Patient’s Rights

Almost everyone gets into healthcare for one reason: to help people. Whether it’s at a hospital as a provider or a corporate office as a Privacy Officer, the goal tends to lean towards helping those in need. In the healthcare sector, what comes to mind when you think of Patient’s Rights? Hopefully you thought about the different rights patients have under HIPAA: the right to access records, restrict disclosure of records, amend records, receive confidential communication of records, receive an accounting of disclosures of records, and file a HIPAA complaint. Your organization should have a process or practice in place on how to address each of these.

A patient comes in for an employer-paid pre-employment drug screen. They sign the HIPAA form and proceed with the service. The next day the patient contacts the center and says they would like to revoke their authorization. What do you do? A recurring patient emails the hospital requesting an amendment to their medical record. What do you do? A patient calls the clinic and requests a copy of their medical records to be sent to them via email. What do you do? These requests can seem trivial and be dismissed as headaches, but they are central to trust with a patient and a compliant privacy program. It is another way we can help our patients. Whether a request is as simple as a record request or as complicated as a revocation request, we are required to treat it with importance and help our patients and organization through this process. Every one of these requests reflects a concern or vulnerability from a patient. So, your readiness and ability to humanize the process while respecting their rights is, in my opinion, supreme.

Treating patient requests seriously reinforces that privacy is not just a regulation, but a core value of your organization. As a Privacy Officer, creating an environment that puts safeguarding patients’ information at its forefront would also mean safeguarding their rights as patients. Each request should be reviewed and handled in a timely manner in line with your organization’s standardized practices. In my opinion, the more prepared you are to handle these requests, the easier it will be once they come in, and they will come in. Training your staff to recognize and correctly route or address these requests in a timely manner is critical. This will help reduce delays and frustrations for both staff and patients. Failure to address them can lead to patient complaints and OCR involvement, things we absolutely want to avoid.

When responding to these requests, doing so with compassion, especially when they can’t be granted, is important to establish and keep the patient’s trust and cooperation through the process. When a patient is told an amendment request is denied, this can be frustrating for the patient, and understandably so. Showing compassion while still providing the required determination is, in my opinion, the best practice for the most desirable outcome for the patient and organization.

In my experience, patients want to be heard. They don’t want to feel like they are just a number in an EMR system. When a HIPAA complaint comes into my privacy office, the first thing I do is listen. When an amendment request comes in, the first thing I do is let the patient know we have received their request and are reviewing it internally. I am letting them know they are heard. The rest is following the process in place. Remember to be HIPAA compliant and to care at the same time.

HIPAA complaints and amendment requests are rights given under HIPAA, and you should put yourself in the shoes of the patient when responding to them. How would you want to be treated if it were you requesting these same rights granted to all of us under HIPAA? We can’t lose sight of the reason why people get into healthcare, which is to help people. I recommend building a privacy program that reinforces the importance of helping people. Be relatable, safeguard, and address these requests with care. Remember that the reason most get into healthcare is to help people. So, let’s help them one patient request at a time.

The post The Human Side of HIPAA Privacy is Patient’s Rights appeared first on The HIPAA Journal.