Oversees the system’s efforts to ensure patient and data privacy in accordance with applicable regulations (e.g., HIPAA, HITECH). Most organizations recognize the need for implementing good privacy practices. However, the challenge is sustaining these good practices. With the proliferation of technology that enables the collection, use, disclosure, retention, and destruction of personal information in large volumes and across numerous databases, organizations have difficulty identifying where this data is stored, how it is protected, who has access to it, and how it is securely disposed of. In addition, accountability and responsibility for maintaining a privacy program are not always clearly assigned and are often distributed throughout the organization. This can lead to inconsistency and uncertainty when it comes to ensuring that good privacy practices are in place and are working effectively.
To implement and manage an effective privacy program, the organization should clearly define its privacy policies, communicate those policies, and document the procedures and controls relating to the collection, use, retention, and disclosure of personal information to ensure compliance with laws, regulations, and the organization’s policies. Specific criteria that are relevant, objective, complete, and measurable should be established for evaluating the effectiveness of each of these elements. Establishing such criteria provides a consistent approach to protecting personal information in a way that individuals can easily understand and the organization can readily implement and evaluate. Established frameworks such as the Organization for Economic Co-operation and Development (OECD) Privacy Guidelines, as well as recent legislation and professional guidance, provide sound and tested criteria against which to benchmark.