Human Resources Privacy Policies: Privacy Officer

Pursuant to the HIPAA Privacy Rules, the Western Michigan University Group Health Plan (“Plan”) creates the position of Privacy Officer. The position’s reporting obligations, essential functions and qualifications are as set forth in the following job description.

The designation of the Privacy Officer shall be documented (Form A attached). The Plan shall retain documentation for six years from the date on which the person served in the capacity of Privacy Officer.

Privacy Officer Job Description

Position Summary: The position of Privacy Officer is required under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Privacy Officer is responsible for coordinating Western Michigan University's policies and procedures under the HIPAA Privacy Rules and for monitoring and deciding any issues that occur under the rules.

The Privacy Officer also serves as the Contact Person, a position required under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Contact Person is responsible for receiving complaints under the Privacy Rules and providing information to individuals regarding the Plan’s privacy practices.

Reports to: The Privacy Officer reports to the Director of Human Resource Services.

Essential Functions: The Privacy Officer is responsible for developing and implementing the HIPAA Privacy Rules as applicable to Western Michigan University, developing employee training programs, publishing and distributing the privacy notice and serving as the designated decisionmaker for issues and questions involving interpretation of the privacy rules, in coordination with legal counsel.  The Privacy Officer is responsible for the following tasks:

  • inventorying the uses and disclosures of all protected health information (PHI);
  • maintaining and distributing, as necessary, information about the Plan’s privacy practices;
  • responding to suggestions and complaints regarding the Plan’s privacy practices;
  • providing clarifications regarding the Plan’s privacy practices;
  • responding to requests for access to Protected Health Information;
  • responding to requests to amend Protected Health Information;
  • responding to requests for accountings of disclosures;
  • ensuring that legal issues in drafting compliance documents are addressed, including amendments to plan documents, negotiating business associate contracts and developing authorizations;
  • coordinating with other Western Michigan University functions such as FMLA leave, drug testing and fitness-for-duty exams;
  • developing and implementing appropriate firewalls between human resources personnel and the group health plan;
  • establishing structures to ensure individual rights guaranteed by HIPAA;
  • setting up a complaint process and sanctions;
  • developing overall privacy policies and procedures for the plan as well as a notice of information practices;
  • developing a training program;
  • establishing programs to audit and monitor business associates and internal privacy compliance;
  • keeping up to date on the latest privacy and security developments and federal and state laws and regulations;
  • coordinating with the Director of Human Resources Information Systems in evaluating and monitoring operations and systems development for security and privacy requirements;
  • serving as a resource to the Plan’s designated liaisons to regulatory and accrediting bodies for matters relating to privacy and security;
  • coordinating any audits of the Secretary of the Department of Health and Human Services or any other governmental or accrediting organization concerning the Plan's compliance with state or federal privacy laws or regulations;
  • notifying individuals when health information has been used or disclosed in violation of the Plan's privacy practices;
  • accepting and forwarding any legal complaints served upon the Privacy Officer to the University Privacy Officer;
  • performing any other functions assigned to the Privacy Officer by the Plan's policies and procedures regarding privacy; and
  • documenting, in writing, the actions taken in compliance with the Privacy Rules.

Qualifications:  Requires the following minimum qualifications:

  • master's degree in management information systems, human resources, health administration or other relevant field, or J.D.;
  • minimum five years' experience in industry;
  • familiarity with all federal and state laws and regulations concerning information security and privacy;
  • familiarity with federal and state laws governing Western Michigan University’s operations, including the ADA, FMLA, OSHA or other relevant statutes;
  • familiarity with Western Michigan University's business functions and operational structure;
  • knowledge of and ability to work with complex information systems and technologies;
  • ability to manage large projects;
  • ability to make presentations to decision makers and large groups, and to organize and conduct employee training;
  • ability to communicate both orally and in writing;
  • strong interpersonal skills;
  • ability to effectively communicate technical and legal information to nontechnical and nonlegal staff in employee training and advisory contexts;
  • strong organizational and problem-solving skills;
  • ability to work in a team-oriented environment; and
  • ability to effectively report on the status and implementation of projects to senior management.

Designation of Privacy Officer and Contact Person

Designation

The following individual shall be designated as the Privacy Officer of the Western Michigan University Group Health Plan (Plan), and shall also serve as the Contact Person:

Robert Kakuk, Benefits Supervisor
Human Resources–Benefits Office
1300 Seibert Administration Building
Western Michigan University
1903 West Michigan Avenue
Kalamazoo MI 49008-5217
Phone: (269) 387-3630
Fax: (269) 387-3441
robert.kakuk@wmich.edu 

Duties

  • inventorying the uses and disclosures of all protected health information (PHI);
  • maintaining and distributing, as necessary, information about the Plan’s privacy practices;
  • responding to suggestions and complaints regarding the Plan’s privacy practices;
  • providing clarifications regarding the Plan’s privacy practices;
  • responding to requests for access to Protected Health Information;
  • responding to requests to amend Protected Health Information;
  • responding to requests for accountings of disclosures;
  • ensuring that legal issues in drafting compliance documents are addressed, including amendments to plan documents, negotiating business associate contracts and developing authorizations;
  • coordinating with other Western Michigan University functions such as FMLA leave, drug testing and fitness-for-duty exams;
  • developing and implementing appropriate firewalls between human resources personnel and the group health plan;
  • establishing structures to ensure individual rights guaranteed by HIPAA;
  • setting up a complaint process and sanctions;
  • developing overall privacy policies and procedures for the plan as well as a notice of information practices;
  • developing a training program;
  • establishing programs to audit and monitor business associates and internal privacy compliance;
  • keeping up to date on the latest privacy and security developments and federal and state laws and regulations;
  • coordinating with the Director of Human Resources Information Systems in evaluating and monitoring operations and systems development for security and privacy requirements;
  • serving as a resource to the Plan’s designated liaisons to regulatory and accrediting bodies for matters relating to privacy and security;
  • coordinating any audits of the Secretary of the Department of Health and Human Services or any other governmental or accrediting organization concerning the Plan's compliance with state or federal privacy laws or regulations;
  • notifying individuals when health information has been used or disclosed in violation of the Plan's privacy practices;
  • accepting and forwarding any legal complaints served upon the Privacy Officer to the University Privacy Officer;
  • performing any other functions assigned to the Privacy Officer by the Plan's policies and procedures regarding privacy; and
  • documenting, in writing, the actions taken in compliance with the Privacy Rules.

Term

The Privacy Officer shall serve until removed by the Director of Human Resource Services or until he or she resigns the position. 

Effective as of April 14, 2003.
Laureen A. Summerville
Director, Human Resources Services
