By Amanda Walden, Ph.D., RHIA, CHDA; Kendall Cortelyou-Ward, PhD; and Alice Noblin, Ph.D., RHIA, CCS
The study’s objective is to examine the role of healthcare privacy officers, including their personal and organizational knowledge, and the facilities where they work. A survey was conducted of privacy officers that are members of the American Health Information Management Association (AHIMA). This resulted in 123 responses that were analyzed for this study. Descriptive statistics were used to characterize factors. The results showed the characteristics predominant among privacy officers are female, higher age, employed in healthcare for numerous years, mostly hold credentials, higher educated, with higher self-reported knowledge levels. Privacy officers are housed in several departments, with the majority within health information management (HIM). Their facilities are typically acute-care hospitals or healthcare systems located in states without additional privacy laws and are primarily non-profit.
Keywords: Healthcare data breaches, privacy officers.
A significant concern in healthcare is that of patient privacy and how organizations protect against unauthorized access to protected health information (PHI). The Health Insurance Portability and Accountability Act (HIPAA), was enacted to, among other things, protect the privacy and security of a patient’s PHI.1 This legislation established patient rights to their healthcare information, as well as restrictions on breaches or other unauthorized disclosures of patient information. However, HIPAA lacked federal enforcement capabilities, which negated its effects.2
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 strengthened HIPAA laws, including enforcement, penalties, and breach notification.3 It re-defined breaches, specifically in terms of healthcare information.
Reportable breaches are instances where there has been an “acquisition, access, use, or disclosure of [PHI] in a manner not permitted by the HIPAA Privacy Rule, which compromises the security or privacy of [PHI].”4 Under these guidelines, a healthcare organization must notify patients and the Office for Civil Rights (OCR) of instances of breached PHI.5 However, HIPAA did not provide strict guidance to identify reportable breaches. This has left gaps in the legislation where individuals and organizations are making subjective decisions about patient privacy concerns.
Federal legislation mandated that all covered entities are required to have a designated privacy official to develop and implement the organization’s privacy and security policies and procedures (P&P). The specific legislative language only discusses a privacy official in terms of being responsible for P&P development and implementation; there is a separate bullet point that the facility must have a designated contact person for handling complaints and investigations. It is important to note that the legislation itself has many standards for facilities to implement. However the only personnel designation comes from 164.530 Personnel designations with the language outlined above.6 Many facilities and studies view these positions as interconnected as they are under the same header in the legislation. The industry has identified this role as a privacy officer. If a privacy breach occurs, privacy officers make critical choices about reporting that may have lasting impacts on the healthcare organizations in which they work and on the patients that are served by the organization. These choices can be based upon personal knowledge, organization factors, or prior breach reporting.
In 2016, the Government Accountability Office recommended that the Department of Health and Human Services (HHS) increase its oversight of security and privacy guidance provided to healthcare facilities covered by HIPAA.7 This recommendation was based on an investigation that found that the increased use of electronic health records leaves , patient information vulnerable to cyber-based threats.8
The Annual Report to Congress by HHS found that in 2016, healthcare breaches affected almost 27 million patients. Per a report from OCR, daily ransomware attacks increased 300 percent from 2015 to 2016 to 4,000 daily attacks.7
While healthcare facilities are making great strides towards protecting patient privacy, there are still many cases where they are unable to provide protection.9 These types of breaches are difficult to define and currently have unofficial guidance from the oversight body, OCR; meaning privacy officers are making determinations internally whether to report.
Little is known about individual factors regarding privacy officers. This is the first study to focus on healthcare privacy officers. While there are guidelines, in the case of HIPAA and breach notifications, the organization and its privacy officer(s) make critical decisions to determine whether a breach is reportable. Some individual factors may influence decisions. Patients can be at risk for harm if the organization and the privacy officer make the wrong decision in regards to breach reportability.
This study aimed to exploring the following factors: (1) personal information regarding privacy officers; (2) facility information regarding their place of employment; and (3) the impact of these factors on a privacy officer’s domain knowledge. Several research questions (RQ) were used for the study, including:
RQ1: Does the privacy officers’ level of education impact their perceived knowledge level of healthcare privacy?
RQ2: Does the attainment of credentials impact privacy officers’ perceived knowledge level of healthcare privacy?
RQ3: Does the percentage of years of healthcare experience impact the privacy officers’ perceived knowledge level of healthcare privacy?
RQ4: Does the privacy officers’ facility classification impact their perceived knowledge level of healthcare privacy?
Data Sources. This study utilizes data collected via a survey of privacy officers in the United States and was conducted over the course of a year. The population targeted for this study is AHIMA-affiliated privacy officers.
AHIMA is a global organization that represents the health information management (HIM) profession by credentialing and membership. AHIMA has taken the lead in HIPAA and privacy educational program-credentialing exams, as well as the focus of a specialized credential, the Certified in Healthcare Privacy and Security (CHPS).10
Credentialed privacy officers are likely to be AHIMA members due to the nature of the regulations, ensuring access, privacy, and security of patient records. Potential participants were contacted using the AHIMA internal networking site, Engage. Only individuals identified with “Privacy” in their title were sent the survey. (See Appendix)
Survey. As there were not validated surveys available, it was necessary to develop a new questionnaire. Care was taken during its development to identify issues that could lead to threats to internal validity. Pilot study participants and a subject-matter experts reviewed the questionnaire for ease of use by survey participants and provided guidance on the scenarios to identify any bias or ambiguity in the wording 23. Prior to data collection, the University’s Institutional Review Board completed an initial and secondary review of the study.
The survey of privacy officers included demographic questions and information regarding educational attainment, certifications held, and experience. The survey also asked questions about current work environment, including facility information. The survey was developed using the variables described in the “Variables to Characterize Privacy Officers” subhead below. . The variables were identified and developed according to the information available through AHIMA Engage and using the classification methods within that portal.
An advanced search was conducted for participants by state and by job level, which was limited to Director (e.g., HIM IT)/Officer (e.g., Privacy). Individuals identified with “privacy” in their title were the only ones sent the survey questionnaire. Identified AHIMA members were contacted by messaging through AHIMA Engage. Data collection utilized a Qualtrics online survey tool.
Variables to Characterize Privacy Officers. Variables used to characterize privacy officers include:
3. Level of education
4. Credentials held
5. Number of years worked in healthcare
6. Number of years worked in healthcare privacy
7. Percentage of years worked in healthcare privacy
8. Knowledge level
Age was reported from the individual and then divided into categories based on previous studies regarding AHIMA members.11 These categories were 10-year age ranges beginning with age 25 and ending with 65 plus. Gender was reported from the individual and included male, female, or prefer not to report. Level of education was listed as high school, associate degree, Bachelor’s degree, Master’s degree, and doctoral degree.
Credentials held was restricted to AHIMA credentials as that was the population of the study. Respondents were first asked whether they held a credential (Y/N) and then to select all that apply from a provided list. Years worked in healthcare and years worked in healthcare privacy were reported from the respondents, and then the percentage of years worked in healthcare privacy was calculated. Percevied leve of knowledge of healthcare privacy was self-reported on a five-point Likert scale.
Variables to Characterize Facilities. Variables used to characterize the facilities that privacy officers worked in include facility classification, department classification, state privacy laws, and profit status.
The categories for facility classification were determined by the AHIMA Engage website, which stores the contacts for the individuals contacted for the survey.
When creating an account for the website directory, individuals select from a list of primary job settings. These were used to create the categories available for facility classification. Respondents were asked to identify the department(s) that their position reports to from a provided list. This list included 1.) HIM; 2.) information technology (IT); 3.) a joint HIM/IT appointment; 4.) executive team, or 5.) other.
If a privacy officer works in a state that has additional breach reporting requirements outside of the federal regulations, this may impact their choice in reporting. Participants were asked if they were in a state with additional laws rather than asking them to identify their state. A list was provided of states with additional laws. Facilities were identified by respondents as well with their profit status, 1.) for-profit and 2.) non-profit.
Data Analysis. Requests for participation using AHIMA Engage by the state showed 5,293 individuals with the Director/Officer classification. Of those, 479 individuals that had “privacy” in their title were contacted. With a margin of error of 8 percent, a significance (alpha) level of 0.05, and a population of 479, the minimum sample size required was 115 individual responses. In total, there were 123 respondents with completed surveys. Analysis used IBM SPSS Statistics 24 software to run the descriptive analyses, correlation, and the cumulative odds ordinal logistic regression model.
The average age of the 123 respondents was 53 years old as shown in Table 1. The average number of years they worked in healthcare was 27. Repondents also on worked a significant amount of time in privacy, with a mean of 12 years. Many respondents worked a majority of their time in healthcare in the privacy field, with the average being close to 50 percent.
Table 2 shows the demographics of the respondents. The ages of the respondents fell in greater numbers in the 35-64 year old range, 92.7 percent which is consistent with numbers from an AHIMA study which found 77.3 percent of their members fell within the same range when taking into account their population of student members who were ineligible for this study.11 Gender was also consistent with the study from AHIMA which showed a 91 percent to 9 percent ratio of women to men in comparison with this study, which was 92 percent to 8 percent.11
A large percentage of respondents held at least one credential, 89.4 percent. The highest number had a Registered Health Information Administrator (RHIA) credential, 37.4 percent. The other two credentials that stood out were the coding credential category and Certified in Healthcare Privacy and Security (CHPS). The CHPS is the dedicated credential that best fits with the privacy officer position and was only held by 14.6 percent of respondents. Also of note, the majority of the respondents had at least some level of higher education, with the majority graduating with a Bachelor’s (46.3 percent) or Master’s degree (30.1 percent).
Knowledge Level was a self-reported variable that included five categories: Poor, Below Average, Average, Above Average, and Excellent. No respondents classified themselves as Below Average or Poor. The highest percentage self-rated as Above Average with 48 percent, followed by Excellent with 38.2 percent and finally the least at Average with 13 percent.
Over 63 percent of respondents have worked in healthcare between 20-39 years as shown in Table 2. However, looking back at Table 2, the average time spent in healthcare privacy was 12.5 years, and the higher percentages of respondents have been in privacy for less than 20 years. This is as expected as HIPAA was only created in 1996 with a 2003 effective date, which was 20 years ago. The push for privacy officers was not urgent until the 2009-2013 legislation as well. This is also shown with the majority of respondents having worked 50 percent or less of their healthcare career in the privacy arena.
Table 3 shows the demographics of the facilities where respondents are employed. Respondents of the survey worked, by a majority, in an acute-care hospital, 41.5 percent. The second highest category was an integrated healthcare delivery system, with 29.3 percent. The other categories fell below 10 percent of respondents with each coming closer to 1 percent to 2 percent. This is somewhat in line with a 2015 study where the sample came in at about 52 percent for acute care; 9 percent with Integrated Systems; 8 percent for physician clinics; and under 10 percent for the other categories.11
When analyzing the statistics for the ‘Department’ classification variable, the Other category held numerous write-ins for compliance, which necessitated the creation of another category split from Other.
Compliance was the third highest department, with 17.1 percent, behind Executive (21.1 percent) and HIM (48 percent). The majority of respondents—86 percent—fell into these three categories. Write-in responses that remained in the Other category were director of revenue cycle, physician practice, information security, patient business service, quality, risk management, and corporate. More of the respondents worked for facilities that had a non-profit status over for-profit facilities (72 percent to 28 percent, respectively).
A cumulative odds ordinal logistic regression was performed to identify if a privacy officer’s personal or organizational aspects had an effect on the likelihood of how they would self-rate in terms of knowledge level. The assumption of proportional odds was met, as assessed by a full likelihood ratio test comparing the fit of the proportional odds model to a model with varying location parameters, χ2(14) = 9.925, p = .768. The final ordinal regression model predicted the knowledge level variable over and above the intercept-only model, χ2(14) = 35.412, p = .001.
The presence of a CHPS credential has an effect on the prediction of whether knowledge level is thought to be higher, Wald χ2(1) = 5.273, p = .022. The odds of CHPS credential holders ranking higher in knowledge level was 0.237 times higher than those who did not hold the CHPS credential. An increase in percentage of years worked in healthcare privacy was associated with an increase in the odds of reporting a higher knowledge level, with an odds ratio of 4.847 (95% CI, 1.031 to 22.796), Wald χ2(1) = 3.993, p =0.046. For every one point increased (as expressed by percentage of years worked in healthcare privacy), the odds of reporting a higher knowledge level increases 4.847 times.
The OCR has previously guided on areas of breach determination; however, the process still has gaps where privacy officers are making their own decisions. The current legislation of the Omnibus Final Rule under the HITECH Act does not have requirements for privacy officers outside of the fact that covered entities are required to have a “privacy official.”
A driving force behind this study was to understand the background of privacy officers. The findings from the study indicate that the privacy workforce is aging, with the majority of individuals nearing retirement. This finding is in line with other studies, particularly at the federal level, which shows an aging workforce along with a decline in participation from individuals under 40 years of age.12-17
This aging workforce and decline in participation from a younger generation could lead to a shortage of qualified individuals. Without guidance on standards, these workers may be replaced with others less suited to the needs of the positions. The federal studies about workforce discussed gaps in institutional knowledge, as well as a potential skill.16,17 An 2015 study18 regarding its workforce had respondents identify the importance of specific competencies at that moment and 10 years in the future. The respondents ranked privacy/security as one of the top competencies at that moment, along with increasing importance in 10 years.18
Healthcare is an industry where professionals have large amounts of experiential knowledge, in addition to formal education, as it is a rapidly evolving field.19 It is understandable that the findings of this study showcase that with an increase in formal education (attainment of a specialized credential) and increased experience (higher percentage of years working in healthcare privacy) that the likelihood of reporting a higher evel of self-reported knowledge increases. The knowledge and skills for privacy and security in healthcare are valuable and need to be considered by employers in terms of the individuals they have working in these areas.
There will be a continued demand for experienced, knowledgeable, skilled professionals within privacy and security in healthcare who can make decisions regarding breach reportability. There are new developments and changes to the laws consistently which impact the breach determination requirements.
For example, the 21st Century Cures Act (Cures Act) has lofty goals and focuses on rapidly developing treatments for many illnesses through changes to research requirements and information sharing.20 The policy has many benefits including reducing “bureaucratic red tape” in certain areas; however, it may not be as favorable for patient privacy as the original authors intended.21 As this policy is relatively new, it has not been determined if there is a balance between an individual’s privacy and the “insatiable demand for data that’s needed to fuel new research.”22
An example of this comes from the Cures Act which provides the director of the National Institute of Health (NIH) to require data sharing from research conducted with funds awarded from NIH.20 This does not seem alarming in a sense due to the general de-identified nature of the data, but researchers found on multiple occasions that de-identified data can be used to identify individuals, especially in the case of genetic information with Direct to Consumer testing providers like 23andME and Ancestry.com.23 This is a prime example of how an individual privacy officer may need to make a case by case determination of a breach reporting, and they would need considerable expertise to do so.
There are several suggestions which may be beneficial for discussion within organizations and the industry at large. First, recommendations were made from the federal government studies that include making concerted efforts to hire and retain older workers, in these cases, they were discussing workers 55 years and up.16,17 Second, hiring, advancement, and retention of younger workers can be prioritized through initiatives that emphasize characteristics of high performance, mentoring, and practices that enhance knowledge transfer.24
Lastly, it is essential that the federal government take into account the regulatory burden placed on businesses; however, protecting the privacy of patients must still be a priority. Healthcare privacy is paramount due to the sensitive nature and amount of information collected by care providers. Legislation could be updated to outline the requirements and suggestions for minimum qualifications for privacy officials within healthcare organizations.
A limitation of this study is that there were self-reported measures which may have led to bias in the results. One key variable to monitor was that of Knowledge Level, where all respondents chose Average or higher, no respondents chose Below Average or Poor.
One of the critical limitations of this study is that the population was restricted to AHIMA members available on the Engage community. Therefore, we cannot say that this study is generalizable to all privacy officers in the United States.
The subject of the study may have led to non-participation from those contacted. While privacy and ethical concerns were addressed and reviewed by the Institutional Review Board, potential respondents may not have been allowed or felt it inappropriate, to participate due to the sensitive nature of the questionnaire or their facility’s legal requirements.
Little is known about privacy officers, especially in healthcare organizations. This is the first study that describes these important people that are responsible for, and take precautions to protect, patient privacy. This study showed that these privacy officers are in higher age ranges and may be nearing retirement in the next 10 years. These positions require institutional and technical knoweldege so there may be a potential skills gap from the impending retirement and slowdown in growth of the labor supply. The role of privacy officers will only increase in prominence and without properly trained individuals in these roles, patients and their privacy will be at risk.
Amanda Walden, PhD, RHIA, CHDA, (firstname.lastname@example.org) is associate lecturer, Department of Health Management and Informatics, College of Community Innovation and Education, University of Central Florida.
Kendall Cortelyou-Ward, PhD, (email@example.com), is associate professor and program director, Department of Health Management and Informatics, College of Community Innovation and Education, University of Central Florida.
Alice Noblin, Ph.D., RHIA, CCS, (Alice.Noblin@ucf.edu), is associate professor & program director, Department of Health Management and Informatics, College of Community Innovation and Education, University of Central Florida.
All authors qualify for authorship by substantial contributions to the research and production of the manuscript.
Conflict of Interest Statement
All authors certify that they have no conflict of interest in the subject matter or materials discussed in this manuscript. Authors are all employees of the University of Central Florida in researcher, professor, and instructor positions.
References 1. “Health Information Management: Concepts, Principles, and Practice, 5th Edition.” Chicago, IL: American Health Information Management Association. 2017.
2. Collins, Joshua DW. “Toothless HIPAA: Searching for a private right of action to remedy privacy rule violations.” Vand. L. Rev. 60 (2007): 199.
3. LaTour, K. & Eichenwald-Maki, S. Health Information Management Concepts, Principles, and Practice: Fourth Edition. Chicago, IL: American Health Information Management Association. 2013.
4. United States. Department of Health and Human Services. Office for Civil Rights. Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2009 and 2010. 2011; Retrieved 9 November 2013 from the Department of Health and Human Services website at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachrept.pdf
5. Warner, D. When to Send a Breach Notification: New HIPAA Rules Revise “Harm” Standard. Journal of AHIMA. 2013; 84(4): 42-43.
6. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Health and Human Services, 78 Fed Reg. (January 25, 2013) (to be codified at 45 C.F.R pts 160 & 164).
7. United States. Department of Health and Human Services. Office for Civil Rights. FACT SHEET: Ransomware and HIPAA. 2016; Retrieved 19 March 2017 from the Department of Health and Human Services website at https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
8. United States. Government Accountability Office. Electronic Health Information: HHS Needs to Strengthen Security and Privacy Guidance and Oversight. 2016; Retrieved 10 August 2017 from https://www.gao.gov/products/GAO-16-771
9. Gabriel, M., Noblin, A., Rutherford, A., Walden, A., & Cortelyou-Ward, K. Data Breach Locations, Types, and Associated Characteristics Among US Hospitals. American Journal of Managed Care. 2018; 24(2): 78-84.
10. AHIMA Privacy and Security Council. Sample (Chief) Privacy Officer Job Description. AHIMA Body of Knowledge. 2015; Retrieved on September 23, 2018 from http://bok.ahima.org/doc?oid=107672#.W6fZmGhKgdU
11. Caviart Group. A Worforce Study of the Future Direction and Skill Set for HIM Professionals. AHIMA Body of Knowledge. 2015; Retrieved on September 1, 2018 from http://library.ahima.org/PdfView?oid=300801
12. Toossi, M., & Bureau of Labor Statistics. Labor force projections to 2024: The labor force is growing, but slowly. Monthly Labor Review. 2015; Retrieved from https://www.bls.gov/opub/mlr/2015/article/labor-forceprojections-to-2024.htm
13. Drew, D. More older Americans are working, and working more than they used to (Fact Tank on Numbers in the News). 2016; Retrieved from http://www.pewresearch.org/fact-tank/2016/06/20/more-olderamericans-are-working-and-working-more-than-they-used-to/
14. White, M. S., Burns, C., & Conlon, H. A. The impact of an aging population in the workplace. Workplace health & safety. 2018; 66(10): 493-498.
Centers for Disease Control and Prevention, National Center for Chronic Disease Prevention and Health Promotion. Older employees in the workplace. 2012; Retrieved from https://www.cdc.gov/ workplacehealthpromotion/tools-resources/pdfs/issue_brief_no_1_ older_employees_in_the_workplace_7-12-2,012_final508.pdf
15. Stonehenge International. Older Workers: Enhanced Communication among Federal Agencies Could Improve Strategies for Hiring and Retaining Experienced Workers. General Accounting Office Reports & Testimony. 2009; Retrieved from https://search-ebscohost-com.ezproxy.net.ucf.edu/login.aspx?direct=true&db=edsggo&AN=edsgcl.194872110&site=eds-live&scope=site
16. United States. Government Accountability Office. Labor can help employers and employees plan better for the future : report to congressional committees. 2005; Retrieved from https://search-ebscohost- com.ezproxy.net.ucf.edu/login.aspx?direct=true&db=cat00846a&AN=ucfl.021482998&site=eds-live&scope=site
17. Sandefer, R., Marc, D., Mancilla, D., Hamada, D. Survey predicts future HIM workforce shifts: HIM industry estimates the job roles, skills needed in the near future. Journal of AHIMA. 2015. 86(7): 32-35.
18. DeLong, D. W. Confronting the threat of an aging health care workforce. In T. P. Miles & A. Furino (Eds.), Annual review of gerontology and geriatrics, 2005: Aging healthcare workforce issues. New York, NY: Springer Publishing Company. 2006; 25: 1–4.
19. Majumder, M. A., Guerrini, C. J., Bollinger, J. M., McGuire, A. L., & Cook-Deegan, R. Sharing data under the 21st Century Cures Act. Genetics in Medicine. 2017; 19(12): 1289-1294.
Hudson, K. L., & Collins, F. S. The 21st Century Cures Act – A View from the NIH. New England Journal of Medicine. 2017; 376(2): 111.
20. Buffone, P. N. (). The ‘Cure’-All for 21st Century Data Sharing. Pharmaceutical Executive. 2016; 36(8): 39.
21. Erlich, Y., Shor, T., Carmi, S., & Pe’er I. Re-identification of genomic data using long range familiar searches. bioRxiv. 2018. doi: https://doi.org/10.1101/350231
22. DeLong, D. Is the Aging Workforce Really Creating Your Skill Shortages? Harvard Business Review Digital Articles, 2014; 2–4. Retrieved from https://search-ebscohost-com.ezproxy.net.ucf.edu/login.aspx?direct=true&db=22h&AN=118563998&site=eds-live&scope=site
23. Babbie, E. R. (2001). The practice of social research. Belmont, CA: Wadsworth Cengage Learning.