The HIPAA Privacy Rule requires covered healthcare organizations to designate a privacy official responsible for developing and implementing the organization's privacy policies and procedures and for compliance with privacy laws.
In many organizations, that official is a Chief Privacy Officer (CPO), an executive position charged with developing and implementing the policies a company will adhere to in protecting customer and employee data.
With the General Data Protection Regulation (GDPR) now in effect in the European Union, any business that handles the personal data of European consumers, healthcare included, needs privacy professionals. GDPR requires organizations to appoint a Data Protection Officer in defined cases, including public authorities and organizations whose core activities involve large-scale processing of special categories of data such as health data, much as HIPAA requires a designated privacy official.
Privacy is a hot topic in light of recent high-profile cases of data misuse and breaches. According to the International Association of Privacy Professionals (IAPP), this environment has created heavy demand for privacy professionals.
Job Duties for a CPO
CPOs play an important role in developing and managing budgets, prioritizing projects, and planning the strategies, execution and procedures needed to comply with privacy regulations. They also lead staff development and build a culture of serving business units effectively.
HIMSS North America lists the following additional responsibilities for the CPO:
- Works with the organization's senior management, security officer and corporate compliance officer to establish governance for the privacy program
- Serves in a leadership role for privacy compliance
- Collaborates with the information security officer to ensure alignment between security and privacy compliance programs including policies, practices and investigations
- Acts as a liaison to the information systems department
- Establishes, with the information security officer, an ongoing process to track, investigate and report inappropriate access and disclosure of protected health information
- Performs or oversees initial and periodic information privacy risk assessment/analysis, mitigation and remediation
- Conducts related ongoing compliance monitoring activities in coordination with the organization’s other compliance and operational assessment functions
- Takes a lead role to ensure the organization has and maintains appropriate privacy and confidentiality consents, authorization forms and information notices and materials reflecting current organization and legal practices and requirements
- Participates in the development, implementation and ongoing compliance monitoring of all business associates and business associate agreements to ensure that all privacy concerns, requirements and responsibilities are addressed
This is not an exhaustive list of a CPO's duties, merely some of the position's core functions. The CPO must also work with the organization's human resources department to ensure compliance with privacy policies and to apply sanctions to employees and business associates who fail to comply.
Job Growth and Salary
The Bureau of Labor Statistics (BLS) does not publish data specific to the position of chief privacy officer. However, marketplace trends and industry developments indicate that these professionals will be in demand in the coming years.
A 2014 report from the IAPP found that 33% of Fortune 1000 companies planned to create positions focused on privacy in the coming years.
The IAPP also conducted its biennial salary survey of privacy professionals, including CPOs, in 2017. It found that CPO salaries had continued to grow from the 2015 figures, with the average CPO earning a base salary of $188,200 per year.
Education and Skills
Given the knowledge of and experience with state and federal privacy laws that the role demands, these professionals commonly come from legal or regulatory backgrounds. A bachelor's degree is the minimum requirement, but a master's degree in a field related to health information management is preferred, according to HIMSS.
Required skills include effective written and verbal communication, the ability to influence employees who are not direct reports, knowledge of international privacy laws, investigative and analytical skills, and the ability to manage teams through conflict resolution, consensus building and meeting management.
Certifications that can prove useful include the IAPP's CIPP, CIPM and CIPT credentials, as well as the CHPS certification from the American Health Information Management Association (AHIMA).
*National long-term projections may not reflect local and/or short-term economic or job conditions, and do not guarantee actual job growth. Information provided is not intended to represent a complete list of hiring companies or job titles, and program options do not guarantee career or salary outcomes. Students should conduct independent research for specific employment information.