State Government

Division Level Privacy Officer

Primary Purpose of Organizational Unit:

The Privacy Office is the component within this agency that provides leadership and direction for the privacy and confidentiality of the health information maintained within this organization.  This office administers an agency-wide program that ensures agency staff, business associates and trading partners are knowledgeable of department and division requirements for protecting the privacy of health information; and for instituting policies, procedures, forms and other materials that support this effort.

Primary Purpose of Position:

The primary purpose of this position is to assume the leadership role in the administration of a privacy program that ensures the protection of health information that is maintained by the agency.   Such responsibilities include the development, coordination, implementation, maintenance of and adherence to all policies and procedures required to fulfill these responsibilities. An understanding of state and federal laws addressing privacy, security and confidentiality of health information is required in order to carry out the primary purposes of this position.

Work Schedule:

8:00 am to 5:00 pm.  Occasionally, may need to work during second or third shift or on weekends to carry out monitoring activities.

Change in Responsibilities or Organizational Relationship:

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law that requires any healthcare provider, health plan or clearinghouse that creates or receives protected health information to designate a Privacy Official to ensure compliance with its requirements.  This is a new position.

Description of Responsibilities and Duties:

LEADERSHIP IN THE DEVELOPMENT AND IMPLEMENTATION OF ADMINISTRATIVE, TECHNICAL AND PHYSICAL SAFEGUARDS TO PROTECT THE PRIVACY OF HEALTH INFORMATION
This position must be knowledgeable of all state and federal requirements with regard to the privacy of health information and be able to provide sound interpretation of the federal Health Insurance Portability and Accountability Act (HIPAA) that directly impacts the maintenance of health information.  Administrative duties include the development and administration of a privacy program that meets state and federal requirements. Position must work with the DHHS Privacy Officer, legal counsel, management and specific committees to provide the framework for development of a privacy program that ensures the agency maintains appropriate privacy and confidentiality consents, authorization forms, information notices and materials reflecting current legal practices and requirements.

Position is expected to develop, maintain and monitor operating policies and procedures that reflect current business practices, as required by privacy legislation. Accordingly, this position provides development, guidance and direction in the initial and ongoing identification, implementation and maintenance of health information privacy policies and procedures for the agency. The position analyzes all privacy forms to ensure they meet state and federal requirements for privacy and confidentiality, develops and updates the agency's Notice of Information Practices, and establishes a process for handling information. 

Provides agency staff with legal analysis of questions and issues relating to protection of health information and provides guidance in decisions regarding the minimum information that is necessary to accomplish a task.  Serves as the contact person responsible for receiving complaints about unauthorized disclosure of health information. 

Coordinates activities between program professionals and information technology professionals in order to ensure that both paper and electronic health information is protected from unauthorized disclosure.

Serves as a member of the DHHS Privacy Committee that will oversee the department's efforts to ensure the protection of health information.  Position responsibilities to such Committee are to provide complete and accurate data that will enhance the Committee's ability to evaluate the level of departmental compliance and to participate in the determination of acceptable practices and remedial measures.

Provides technical assistance to agency staff who are drafting legislation relating to privacy and security of health information. 

This position is directly responsible to the agency director (or his/her deputy) and is given the authority to carry out the duties and responsibilities associated with this position.  Position is the agency liaison with the Attorney General’s Office and as such, establishes and maintains a good working relationship with the attorney assigned to the HIPAA program.  

RISK MANAGEMENT/MONITORING
Risk Management activities include initial and ongoing analyses of current practices, forms, policies and procedures, along with ongoing compliance monitoring activities in coordination with other compliance and operational assessment functions.  Ongoing assessment of current practices must be compared to current department/agency requirements in order for determination to be made as to the current level of compliance, as related to the nature and extent of change to be implemented.

Participates in the development, implementation and ongoing compliance monitoring of all trading partner and business associate agreements to ensure all privacy concerns, requirements and responsibilities are addressed.   Monitors all reports of non-compliance and documents agency actions in response to information. Maintains master log of compliance progress and actions taken.  

Establishes a mechanism to track access to protected health information maintained within the agency, and maintains an inventory of current safeguards for health data.  Provides information to management for review and interpretation.  

Monitors federal and state legislation, reports level of compliance to management and provides technical assistance to department as needed.  Reports to department concerning agency level of compliance with standards and legislation mandates. 

Maintains logs and documentation of findings within the agency as well as with trading partners/business associates, including compliance and non-compliance issues, along with recommendations for remediation of non-compliance issues.

TRAINING
Creates and conducts initial and ongoing privacy training programs for agency employees. Provides updated training to agency staff as necessary based on changes in laws and/or department/division policies/procedures.

Monitors to ensure that agency employees complete required training.  

Evaluates current business practices to determine level of staff understanding and adjust training efforts to meet the needs of staff. 

Creates educational and ongoing awareness programs for all trading partners and business associates.     

Develops appropriate training materials such as electronic training modules that can be sent to external service providers in order to accomplish training efforts.

Updates training modules as new requirements are disseminated. 

Attends departmental and outside training offerings in order to keep current with latest requirements and to share agency experiences that have enhanced the privacy program with other agencies.       

AGENCY LIAISON FOR PRIVACY PROGRAM
This position serves as the agency "expert" for issues relating to privacy of health information and represents the agency on state and federal legislation issues related to compliance with HIPAA privacy standards. Individual will develop and/or participate in interagency committees to coordinate efforts between this agency and other state agencies to ensure that shared private healthcare information is being stored and disseminated appropriately.  Administrative duties will also include meetings with private contractors, health care providers and business partners, coordinating with them to ensure that information sharing and dissemination is consistent and in conformity with department/division policy.

Monitors compliance to ensure privacy concerns, requirements and responsibilities are addressed.

Position directs the preparation of data and materials as required by the department and the legislature when requesting funds, for justifying current funding and for ensuring compliance with state and federal privacy laws. 

Provides information and assistance in the development and ongoing activities of the security efforts toward the protection of health information.   Participates in monitoring security efforts with regard to protection of health information.

Other Position Characteristics

Accuracy Required in Work
A high degree of accuracy is required in order to perform the duties and responsibilities of this position.  The employee in this position must have the ability to read legislative jargon and make sound interpretations of regulations and standards.  The employee in this position must be able to follow directions and provide reliable leadership in applying privacy regulations on a daily basis, in a changing work environment.  The work performed by this position serves as the documentation and basis of management decisions by this agency.

Consequence of Error:
The consequence of error is quite significant.  The decisions made based upon the work of this position could have significant impact on this agency’s approach to handling of health care services.  Errors in judgment could result in severe monetary penalties for the agency/department.

Instructions Provided to Employee
It is expected that this employee will function with a high degree of independence on a daily basis, making decisions related to the privacy of health information.  This position must be able to understand the scope of legislative and departmental requirements and provide instruction and leadership as to the most efficient and effective method of implementation.  Instructions are usually verbal or written and are usually limited to an outline of desired outcomes.  The employee must be able to structure and plan work independently to meet these outcomes.

Guides, Regulations, Policies and References Used by Employee:    
A thorough knowledge of federal and state privacy legislation and regulations as well as the principles for the protection of health information is vital to the functioning of this position.  The HIPAA standards are available for use on a day-to-day basis.  The position utilizes the North Carolina General Statutes, APA Rules, Federal Law, DHHS Directives, DHHS Policies and Procedures, and NCHICA and other outside organization materials for reference and guidance. Professional guidance is available from the Attorney General’s Office.

Supervision Received by Employee:     
Supervision is from the agency Director (or Deputy Director) and is usually limited to discussion of expected outcomes.  Employee is expected to work in an independent, self-directed manner with insight to know when to request assistance. 

Variety and Purpose of Personal Contact
Extensive public contact is required frequently, including but not limited to the following:  Legislative staff, Attorney General’s Office, DHHS staff, other agency staff, and  external service providers.

Physical Effort:
Medium level of physical activity is required, primarily in the form of attending meetings inside and outside the office.  A fair amount of travel is usually involved.  Because timeframes with which to respond to issues are usually short, the ability to respond quickly and accurately is essential.

Work Environment and Conditions
Most work is performed in an office environment with the need for occasional overnight travel.  No unpleasant or hazardous environmental conditions exist.

Machines, Tools, Instruments, Equipment and Materials Used:
Personal computer and printer, calculator, telephone, manuals, legislation, printouts and other written materials.

Visual Attention, Mental Concentration and Manipulative Skills:
A high degree of mental concentration is required in the reading and understanding of legislation and its application to current business operations.  Likewise, attention and concentration are required in analysis of issues and problems as well as solutions and procedures.  Good visual attention to detail is important as this employee will be interpreting statutes as well as rules and regulations.  Attention to detail is critical to this position due to the criticality of performing tasks with a high degree of accuracy and the adverse consequences to the agency if errors occur.

Safety for Others:
This position is heavily involved in the safety of information about others.  Physical safety for others is not the responsibility of this position. Professional guidance is available from the Attorney General’s Office.

Dynamics of Work: 
Work is very dynamic.  There are no routine daily tasks.  Constant change in legislation, regulations, policies and procedures requires this position to adapt to ever-changing situations.  Position requires frequent contact with individuals within and outside the agency, who have varying levels of understanding of the privacy regulations and the administrative requirements that accompany them.  The individual in this position must be able to work under pressure, have good communication skills, meet short timeframes and perform work with accuracy.  This position is expected to manage multiple tasks simultaneously, moving between various issues in a timely manner.

Knowledge, Skills, & Abilities, and Training & Experience Requirements

Knowledge, Skills and Abilities:

Knowledge of law and administrative procedures sufficient to serve as a technical expert before DHHS policy committees, other governmental agencies and other public forums, information technology resources, and project planning and operations.

Knowledge and experience in general health information access, release of information and release control technologies.  Knowledge of project management and change management.  Demonstrated organization, facilitation, communication and presentation skills sufficient to clearly communicate, develop, understand, persuade, motivate and collaborate with and lead others.

The person holding this position must have an understanding of the agency’s business environment and possess skills in negotiating complex solutions to programmatic and technical programs.  Position must be able to clearly communicate complex information to the highest levels of the agency/department as well as collaborate with technical specialists working on DHHS computer systems.

The employee in this position must be able to analyze the nature and classification of health data in question and the status of the person or entity requesting the health data; determine which provisions in HIPAA apply to the data; determine if other state or federal laws, rules or regulations are in conflict with the applicable provision of HIPAA; determine if there are court decisions that address the issue; and recommend procedures or processes that reduce or eliminate the conflicts in law and assure compliance with applicable statutes and/or regulations.

Required Minimum Training:

Required Training and Experience:
GRADUATION FROM A FOUR-YEAR COLLEGE OR UNIVERSITY AND FOUR YEARS OF SUPERVISORY, CONSULTATIVE OR ADMINISTRATIVE EXPERIENCE IN HUMAN  SERVICES PROGRAMS OR IN DIRECT SUPPORT OF SUCH PROGRAMS WHICH DEVELOPED KNOWLEDGE OF THE PROGRAMS AND INSIGHT INTO THEIR FUNCTION; OR A MASTER'S DEGREE IN SOCIAL SCIENCES, PUBLIC ADMINISTRATION OR HEALTH ADMINISTRATION

Additional Training/Experience:     
Other areas in which knowledge and experience would benefit in this position would include information technology systems, public speaking and time management.

Equivalent Training and Experience: NA

License or Certification Required by Statute or Regulation:  NA

Certification:  Signatures indicate agreement with all information provided, including designation of essential functions.

Supervisor's Certification:  I certify that (a) I am the Immediate Supervisor of this position, that (b) I have provided a complete and accurate description of responsibilities and duties and (c) I have verified (and reconciled as needed) its accuracy and completeness with the employee.

Signature                                                          Title                                                      Date

Employee's Certification:  I certify that I have reviewed this position description and that it is a complete and accurate description of my responsibilities and duties.

 

Signature                                                          Title                                                      Date

Section or Division Manager's Certification:  I certify that this position description, completed by the above named immediate supervisor, is complete and accurate.

 

Signature                                                          Title                                                      Date

 

Department Head or Authorized Representative's Certification:  I certify that this is an authorized, official position description of the subject position.

 

Signature                                                          Title                                                      Date

 
   

Copyright 2008 North Carolina Healthcare Information and Communications Alliance, Inc.