State Government
Department Level Privacy Officer
The ****** Office is a unit which is located within the Office of
the Secretary in the Department of Health and Human Services, where the
leadership and direction for the department's privacy program with associated
requirements and policies is located. This office administers a department-wide
Privacy program that targets DHHS division/office staff, business associates
and trading partners and is designed so that staff are knowledgeable of
department requirements for protecting the privacy of health information
and for instituting policies, procedures, forms and other materials that
support this effort.
Primary Purpose of Position:
The primary purpose of this position is to assume the leadership role
in the administration of a privacy program that ensures the protection of
health information that is maintained by divisions and offices within the
department. Such responsibilities include administering a program that assures
compliance with federal and state laws related to privacy and confidentiality;
chairing and/or providing leadership to appropriate boards and committees
as relates to privacy; serving as liaison to regulatory and accrediting
bodies for matters relating to privacy of health information; developing
and administering enterprise privacy policies; collaborating with departmental
and division staff for developing, implementing and administering division/office
procedures; devising a monitoring system for all divisions and offices that
provides timely privacy status information with corrective actions; receiving
and addressing complaints from clients and staff relative to possible violations
of privacy practices.
Work Schedule:
Monday – Friday, 8:00 a.m. to 5:00 p.m. Occasionally, may need to
work during second or third shift or on weekends to carry out monitoring
activities.
Change in Responsibilities or Organizational Relationship:
The Health Insurance Portability and Accountability Act (HIPAA) of 1996
is a federal law that requires any healthcare provider, health plan or health
care clearinghouse that creates or receives protected health information
to designate a Privacy Officer to ensure compliance with its requirements.
The North Carolina Attorney General’s Office has determined that NC DHHS
is a hybrid entity as defined in the HIPAA Privacy Regulations and DHHS
has ultimate responsibility for ensuring that the health care components
covered under the HIPAA Privacy Regulations comply with the regulations.
Description of Responsibilities and Duties:
ADMINISTRATION OF DEPARTMENTAL ENTERPRISE PRIVACY PROGRAM 50%
This position must be knowledgeable of all state and federal requirements
with regard to the privacy of health information and must be able to provide
sound interpretation of the federal Health Insurance Portability and Accountability
Act (HIPAA) that directly impacts the maintenance and privacy of health
information. Administrative duties include the development and administration
of a privacy program that meets state and federal requirements. Position
must work with legal counsel, management and specific committees to provide
the framework for development of a privacy program that ensures department
compliance with required policies and procedures, appropriate privacy and
confidentiality consents, authorization forms, privacy practice notices
and materials reflecting current legal practices and requirements.
Position is expected to develop, maintain and monitor enterprise policies
and procedures that reflect current business practices, as required by privacy
statutes and regulations. Accordingly, this position provides the department
development, guidance and direction in the initial and ongoing identification,
implementation and maintenance of health information privacy and security
policies and procedures. This position analyzes all privacy forms
to ensure they meet state and federal requirements, develops and updates
the agency's Notice of Information Practices and establishes an acceptable
process for handling health information.
Seeks legal guidance in the analysis of complex issues relating to the protection
and security of health information and provides direction for decisions
requiring subjective determinations, such as the minimum health information
that is necessary to accomplish a task.
Serves as the contact person responsible for receiving complaints regarding unauthorized
disclosure of health information. Coordinates activities between program
professionals and information technology professionals in order to ensure
that both paper and electronic health information is protected from unauthorized
disclosure.
Works with management to establish a DHHS Privacy
Committee that will oversee the department's efforts to ensure the protection
of health information. Position responsibilities to such Committee
are to provide complete and accurate data that will enhance the Committee's
ability to evaluate the level of departmental compliance and to participate
in the determination of acceptable practices and remedial measures.
This position may chair the DHHS Privacy Committee.
Provides technical assistance to departmental
staff when drafting state legislation relating to privacy and security of
health information.
This position is ultimately responsible to
the Secretary of the Department and is given the authority to carry out
the duties and responsibilities associated with this position. This
position is the department's liaison with the Attorney General’s Office
for privacy matters and as such, establishes and maintains a good working
relationship with the attorney assigned to the department and to the attorney
in the Attorney General's office who is assigned to the HIPAA program.
RISK MANAGEMENT 20%
Risk Management activities include initial and ongoing analyses of current
practices, forms, policies and procedures, along with ongoing compliance monitoring
activities in coordination with other compliance and operational assessment
functions. Ongoing assessment of current practices must be compared
to current department/agency requirements in order for determination to be
made as to the current level of compliance, as related to the nature and extent
of change to be implemented.
Participates in the development, implementation
and ongoing compliance monitoring of business associate agreements to ensure
privacy concerns, requirements and responsibilities are addressed.
Monitors all reports of non-compliance and documents agency actions in response
to information. Maintains master log of compliance progress and actions
taken.
Establishes a mechanism to track access to
protected health information, and maintains an inventory of current safeguards
for health data. Provides information to management for review and
interpretation.
Monitors federal and state legislation, reports
level of compliance to management and provides technical assistance to divisions
and offices as needed. Reports to department Secretary concerning
agency level of compliance with standards and legislation mandates.
Maintains logs and documentation of findings
within the department as well as with division/office business associates,
including compliance and non-compliance issues, along with recommendations
for remediation of non-compliance issues.
EDUCATION AND AWARENESS 20%
Creates and conducts educational and ongoing awareness programs for
department employees. Provides initial and ongoing training for all
division privacy officers on privacy requirements based on state and federal
laws that protect health information. Provides updated training as
necessary based on changes in laws and/or departmental policies.
Monitors to assure that employees complete
required training.
Evaluates current business practices to determine
level of staff understanding and adjust training efforts to meet the needs
of staff.
Creates educational and ongoing awareness programs
for business associates.
Develops appropriate training materials such
as electronic training modules that can be sent to external service providers
in order to accomplish training efforts.
Updates training modules as new requirements
are disseminated.
Attends departmental and outside training offerings
in order to keep current with latest requirements and to share agency experiences
that have enhanced the privacy program with other agencies.
DEPARTMENT LIAISON 10%
This position serves as the department's "expert" for issues
relating to privacy of health information and represents the department on
state and federal legislation issues related to compliance with HIPAA privacy
regulations. Individual will develop and/or participate in interagency committee
to coordinate efforts between this department and other state departments
to ensure that shared private healthcare information is being stored and disseminated
appropriately. Administrative duties will also include meetings with
private contractors, health care providers and business partners, coordinating
with them to ensure that information sharing and dissemination is consistent
and in conformity with department policy. Monitors compliance to ensure
privacy concerns, requirements and responsibilities are addressed.
Position directs the preparation of data and
materials as required by the department and the legislature when requesting
funds, for justifying current funding and for ensuring compliance with state
and federal privacy laws.
Provides information and assistance in the
development and ongoing activities of the security efforts toward the protection
of health information. Participates in monitoring security efforts
with regard to protection of health information. Position works closely
with the DHHS Security Officer to ensure coordination of privacy and security
efforts within the department.
Other Position Characteristics
Accuracy Required in Work
A high degree of accuracy is required in order to perform the duties
and responsibilities of this position. The employee in this position
must have the ability to read legislative jargon and make sound interpretations
of regulations and standards. The employee in this position must be
able to follow directions and provide reliable leadership in applying privacy
regulations on a daily basis, in a changing work environment. The
work performed by this position serves as the documentation and basis of
management decisions by the department relative to privacy.
Consequence of Error:
The consequence of error is quite significant. The decisions
made based upon the work of this position could have significant impact
on the department’s approach to handling of health care services.
Errors in judgment could result in severe monetary penalties for the department.
Instructions Provided to Employee
It is expected that this employee will function with a high degree
of independence on a daily basis, making decisions related to the privacy
of health information. This position must be able to understand the
scope of legislative and departmental requirements and provide instruction
and leadership as to the most efficient and effective method of implementation.
Instructions are usually verbal or written and are usually limited to an
outline of desired outcomes. The employee must be able to structure
and plan work independently to meet these outcomes.
Guides, Regulations, Policies and References Used by Employee:
A thorough knowledge of federal and state privacy legislation and regulations
as well as the principles for the protection of health information is vital
to the functioning of this position. The HIPAA standards are available
for use on a day-to-day basis. The position utilizes the North Carolina
General Statutes, APA Rules, Federal Laws and Regulations, DHHS Directives,
DHHS Policies and Procedures, and NCHICA and other outside organization
materials for reference and guidance. Professional guidance is available
from the Attorney General’s Office.
Supervision Received by Employee:
Supervision is from immediate supervisor and is usually limited to discussion
of expected outcomes. Employee is expected to work in an independent,
self-directed manner with insight to know when to request assistance.
Variety and Purpose of Personal Contact
Extensive public contact is required frequently, including but not
limited to the following: Legislative staff, Attorney General’s Office,
DHHS staff, other agency staff, external service providers and clients served
by DHHS agencies.
Physical Effort:
Medium level of physical activity is required, primarily in the
form of attending meetings inside and outside the office. A fair amount
of travel is usually involved. Because timeframes with which to respond
to issues are usually short, the ability to respond quickly and accurately
is essential.
Work Environment and Conditions:
Most work is performed in an office environment with the need for occasional
overnight travel. No unpleasant or hazardous environmental conditions
exist.
Machines, Tools, Instruments, Equipment and
Materials Used:
Personal computer and printer, calculator, telephone, manuals, legislation,
printouts and other written materials.
Visual Attention, Mental Concentration and Manipulative Skills:
A high degree of mental concentration is required in the reading
and understanding of legislation and their application to current business
operations. Likewise, attention and concentration is required in analysis
of issues and problems as well as solutions and procedures. Good visual
attention to detail is important as this employee will be interpreting statutes
as well as rules and regulations. Attention to detail is critical
to this position due to the criticality of performing tasks with a high
degree of accuracy and the adverse consequences to the agency if errors
occur.
Safety for Others:
This position is heavily involved in the safety of information about
others. Physical safety for others is not the responsibility of this
position.
Dynamics of Work:
Work is very dynamic. There are no routine daily tasks.
Constant change in legislation, regulations, policies and procedures requires
this position to adapt to ever-changing situations. Position requires
frequent contact with individuals within and outside the department, who
have varying levels of understanding of the privacy regulations and the
administrative requirements that accompany them. The individual in
this position must be able to work under pressure, have good communication
skills, meet short timeframes and perform work with accuracy. This
position is expected to manage multiple tasks simultaneously, moving between
various issues in a timely manner.
Knowledge, Skills, & Abilities, and Training & Experience Requirements:
Knowledge, Skills and Abilities:
Knowledge of law and administrative procedures sufficient to serve as
a technical expert before DHHS policy committees, other governmental agencies
and other public forums, information technology resources, and project planning
and operations.
Knowledge and experience in general health
information access, release of information and release control technologies.
Knowledge of project management and change management. Demonstrated
organization, facilitation, communication and presentation skills sufficient
to clearly communicate, develop, understand, persuade, motivate and collaborate
with and lead others.
The person holding this position must have
an understanding of the department’s business environment and possess skills
in negotiating complex solutions to programmatic and technical programs.
Position must be able to clearly communicate complex information to the
highest levels of the agency/department as well as collaborate with technical
specialists working on DHHS computer systems.
The employee in this position must be able
to analyze the nature and classification of health data in question and
the status of the person or entity requesting the health data; determine
which provisions in HIPAA apply to the data; determine if other state or
federal laws, rules or regulations are in conflict with the applicable provision
of HIPAA; determine if there are court decisions that address the issue;
and recommend procedures or processes that reduce or eliminate the conflicts
in law and assure compliance with applicable statutes and/or regulations.
Required Minimum Training:
Required Training and Experience:
GRADUATION FROM A FOUR-YEAR COLLEGE OR UNIVERSITY WITH A DEGREE IN PUBLIC
ADMINISTRATION, SOCIOLOGY, PSYCHOLOGY, POLITICAL SCIENCE, OR A RELATED FIELD,
AND SIX YEARS EXPERIENCE IN ADMINISTRATIVE, CONSULTATIVE OR RELATED WORK,
TWO OF WHICH MUST HAVE BEEN IN A SUPERVISORY CAPACITY; OR AN EQUIVALENT
COMBINATION OF TRAINING OR EXPERIENCE.
Certification: Signatures indicate agreement with all information
provided, including designation of essential functions.
Supervisor's Certification: I certify that (a) I am the Immediate Supervisor of
this position, that (b) I have provided a complete and accurate description
of responsibilities and duties and (c) I have verified (and reconciled as
needed) its accuracy and completeness with the employee.
Signature
Title
Date
Employee's Certification: I certify that I have reviewed this position description
and that it is a complete and accurate description of my responsibilities
and duties.
Signature
Title
Date
Section or Division Manager's Certification: I certify that this position
description, completed by the above named immediate supervisor, is complete
and accurate.
Signature
Title
Date
Department Head or Authorized Representative's Certification: I
certify that this is an authorized, official position description of the
subject position.
Signature
Title