Privacy Officer Evolution

By Kathy Downing, MA, RHIA, CHPS, PMP

Within my 20 years in the realm of privacy officer, we called work in privacy first “appropriate access,” then “information protection,” and now, thanks to the Health Insurance Portability and Accountability Act (HIPAA), have finally settled on the term “privacy.” HIPAA dictated that each organization designate someone with privacy responsibility. With good executive backing—and a federally mandated timeline—the healthcare industry has been successful with this change in culture. In fact, we are now seeing more and more organizations go to “centralized” privacy responsibility over several hospitals or a bundling of privacy responsibilities into compliance or security, which makes me wonder: what is the next evolution of the privacy officer role and how do we stay relevant?

I would assert that information governance (IG) offers the next career path for the privacy officer in healthcare. When you begin to apply the principles of protection and compliance outlined in AHIMA’s Information Governance Principles for Healthcare (IGPHC™), a road map emerges where the privacy officer travels from a HIPAA/clinical-oriented role to an enterprise role of protecting the privacy of ALL information. If you have been listening to the discussion of healthcare hackings in the news, you will often hear that the breach affected patient, organization, and employee records.

Privacy officers have not been adept at reaching beyond the clinical arena to an organization-wide framework to protect information throughout its life cycle and to support the organization’s strategy, regulatory, legal, risk, and environmental requirements (this should sound familiar—it fits with AHIMA’s definition of information governance!).

The transition from the role of a privacy officer to the role of a chief information governance officer isn’t going to happen overnight, but I would argue the skill set is there if we are willing to take the risk and get out of our clinical comfort zone; we will work our way beyond HIPAA to projects like enterprise social media policy, mobile device management, protection of intellectual property, and IG workforce awareness.

Healthcare organizations are beginning to understand that information is one of our greatest assets—and that doesn’t just mean clinical information.


AHIMA thanks ARMA International for use of the following in adapting and creating materials for healthcare industry use in IG adoption: Generally Accepted Recordkeeping Principles® and the Information Governance Maturity Model. ARMA International 2013.


AHIMA. “Information Governance Principles for Healthcare (IGPHC™).” 2014.

Original source:
Downing, Kathy. "Privacy Officer Evolution" (Journal of AHIMA website), September 25, 2015.