
 HIPAA Manager™ Monthly Topic
  Focus for Monthly Instruction

MONTHLY TOPIC

CEO, CFO, COO, and now CPO (Chief Privacy Official)

Generally, HIPAA's privacy regulations require healthcare providers to designate a "privacy official." The privacy official is the person or persons primarily responsible for developing and implementing the policies and procedures necessary to ensure the healthcare provider's compliance with the HIPAA privacy regulations.

  1. One Person; More than One Person.

    A healthcare provider should consider whether one person or more than one person will be required to perform the duties of a CPO. In part, the answer to this question may depend on the size and resources of the healthcare provider. The answer may also depend on the qualifications and capabilities of the applicant pool. The small size or limited resources of a healthcare provider may dictate that one person be appointed as CPO, which has the benefit of vesting this responsibility in one source. For large healthcare providers, the CPO may serve more of a management role, coordinating a multi-disciplinary team drawn from various aspects of the healthcare provider’s operations such as medical records, the IT department, human resources, etc. This approach may require appointing more than one person as CPO, which has the benefit of bringing strengths and inputs from different areas of the healthcare provider’s operations, all of which may be subject to HIPAA. By dividing responsibilities in this fashion, the healthcare provider may be able to achieve a well-educated, global solution to a multi-dimensional problem. However, if a multi-person approach is used, it is important to implement a reporting structure so that the healthcare provider is well-informed and so that all committee members have a stake in achieving the healthcare provider’s privacy goals.

  2. Responsibilities Beyond HIPAA Privacy

    A healthcare provider may consider coupling the job responsibilities of the CPO with those of the healthcare provider’s Security Official or with those of the healthcare provider’s general Compliance Officer. The benefits of this approach include having an organized and integrated system of HIPAA compliance or, more generally, legal compliance. If, however, the healthcare provider is not careful, this multi-tasking approach runs the risk of overburdening the person(s) appointed to the role(s).

  3. Job Description

    It is critical for the healthcare provider to advertise, fill, and treat the CPO position as a high-level management position in order to achieve buy-in and support for its compliance program. Coupled with this authority, the CPO should also have the responsibility of reporting directly and on a regular basis to the healthcare provider’s designee, such as the Board of Directors, the general compliance officer (if one exists), the general counsel or attorney, or the chief executive officer. Generally, the healthcare provider should expect the CPO to be responsible for assessing the healthcare provider’s potential liabilities; developing policies and procedures to address these weaknesses; implementing the policies and procedures; conducting or arranging for the necessary educational programs; achieving employee buy-in; monitoring compliance with the programs that are implemented; and taking corrective or ameliorative action when breaches or weaknesses in the compliance program are detected.

    The specific job functions of the CPO may include the following, depending on the healthcare provider’s needs: (1) researching and assessing the healthcare provider’s privacy strengths and weaknesses; (2) identifying protected healthcare information (“PHI”); (3) mapping the flow of the healthcare provider’s PHI; (4) establishing uniform documentation for PHI; (5) limiting unnecessary PHI collection; (6) recognizing, assessing, controlling, and monitoring risks posed by the healthcare provider’s relationships with vendors, suppliers, and independent contractors; (7) working with key employees to develop strategic solutions to capitalize on the healthcare provider’s strengths and to correct any weaknesses; (8) educating, or arranging for the education of, all employees of the healthcare provider on a routine and periodic basis; (9) setting a budget for a compliance program; (10) establishing an internal system for ensuring compliance with patient rights; (11) developing a crisis response strategy; (12) serving as the healthcare provider’s public relations point person; (13) monitoring compliance; (14) making revisions to policies and procedures as required; (15) addressing actual and potential areas of non-compliance through quality improvement, re-education, corrective measures, sanctions, and potential self-disclosure; and (16) seeking outside advice as needed.

  4. Job Applicants

    In interviewing applicants for the CPO position, healthcare providers should look for candidates who meet the following criteria: (1) are familiar with the healthcare provider’s internal operations; (2) have leadership qualities and have the respect of the chief executive officer, the employees, and the persons and entities with whom the healthcare provider conducts business; (3) have a working knowledge of HIPAA’s requirements and the capability to understand its legal requirements; (4) understand, appreciate, and are familiar with JCAHO and other accreditation requirements; (5) have experience with and understand technology systems and operations, including the collection, access, storage, and transmittal of information in all forms; (6) are familiar with contract relationships between healthcare providers and their various vendors and suppliers; (7) are capable of setting up a systematized structure for the healthcare provider; (8) possess effective communication and advocacy skills; (9) understand the importance of training and education to the healthcare provider and its employees; (10) have the ability to manage projects and command budgets; (11) have the capability to enforce compliance; (12) have the imagination to create innovative solutions; and (13) have the ability to obtain the trust of providers.