Whether your business is a small online store or a medical practice that serves patients from beyond the immediate area, there’s a good chance that privacy and data protection are a top concern for you. After all, in a world where it seems that big data knows everything about us, many people want to be sure that their private information is protected. In addition, there’s increasing pressure from governments to protect consumer data. Because of regulations, many companies need a Data Protection Officer or Privacy Officer available to ensure compliance. Read on to learn about the similarities and differences between these two important roles.
Since this is the more newly established position, let’s start by taking a look at the Data Protection Officer definition in detail. A Data Protection Officer is a role created by the General Data Protection Regulation (GDPR) in the EU. If your business works with EU residents, there’s a high chance you’ll need to comply with the GDPR and have a Data Protection Officer (DPO).
In brief, a DPO is a compliance official who can be part of the company itself or an external party on retainer. The DPO monitors company operations to ensure that data use and processing are in accordance with the GDPR regulations. For instance, the GDPR sets minimum requirements for storing data so that it is protected from breaches and improper use, and the DPO is responsible for ensuring that the organization complies with them.
The DPO must also work with employees and serve as a liaison for them. In other words, if an employee has questions about data privacy or a processing requirement, they can go to the DPO for advice. This is an important safeguard, especially when working with management. While rank-and-file employees can talk to the DPO, especially in smaller companies, it is management that is more likely to set company processes that can be affected by the GDPR.
Finally, the DPO must alert management when there’s a data breach or the company is out of compliance in any way. As part of this job requirement, the DPO must work with the company and the public to communicate about the breach and help fix the problem. In this way, the DPO is a watchdog who must ensure that problems are fixed. In addition, by working with the public, the DPO can help assess the impact of data breaches.
Now that we understand the role of a DPO under GDPR, let’s look at the definition and responsibilities of a HIPAA Privacy Officer. This position helps monitor companies to ensure that individuals’ health-related information is stored, processed, and released in accordance with HIPAA regulations.
Most of us think about HIPAA as a problem that only healthcare companies need to worry about. However, HIPAA can apply to many other companies, such as employers that provide health insurance coverage for their employees. In particular, if the company pays some or all of its employees’ healthcare bills, there’s a good chance it is a covered entity. On the other hand, a store that simply sells aspirin doesn’t count.
Another group of companies that needs a HIPAA Privacy Officer is the business associates of healthcare companies. Business associates can be anything from a medical billing service or medical equipment service to a software company that has access to PHI in any capacity. There’s a lot of paperwork that goes with healthcare, and every step requires that the information be protected and only used for permitted purposes. Here’s a handy guide to HIPAA on our website.
So, what does the HIPAA Privacy Officer do, anyway? In brief, they are a compliance officer, either for a single company or for many companies at once. A Privacy Officer keeps track of all the HIPAA-related regulations and current best practices. Then, they ensure that the companies they work for are in compliance with the government regulations. Sometimes, this means they will alert management of a breach or make them aware of a compliance issue that needs to be fixed. A HIPAA Privacy Officer also communicates with HHS about data breaches or disclosure violations.
Finally, the Privacy Officer sometimes needs to make decisions about employee discipline based on compliance issues. In other words, they hold employees accountable for noncompliance if it is found to be intentional. It is important to note that since employees are expected to be well trained on HIPAA, any accidental or unintentional compliance violation by an employee will be the fault of the company itself.
With all this information in mind, let’s look at how these positions are similar, and how they are different.
No matter how you cut it, both of these positions are required by law for certain companies to be in compliance with the necessary regulations. However, this isn’t the only similarity between the two positions; the DPO and Privacy Officer also share many other characteristics.
As you’d expect with a compliance position, both types of privacy officials must know the applicable regulations like the back of their hand. That’s because if they don’t know something important, their company can easily fall out of compliance. And in both cases, there are significant fines and penalties that can be levied by government actors, so they must stay on top of it.
If employees have a question about data protection or privacy, they can always go to the DPO or Privacy Officer for help. This is true whether the question is about proper disclosure of consumer/patient information or guidance for company policies and procedures. In other words, this person is the “any questions? Just ask” point of contact.
No matter what kind of data a company needs to handle, the DPO and Privacy Officer will tell their company how to do it properly. This can include the choice of different software programs to handle consumer or patient data securely, for example, or setting company policies for how the information can be used within the company.
Whether in-house or retained, both compliance officials help companies develop and implement policies and procedures. For instance, a DPO might prohibit the use of cell phones at employee desks or tell a company that they need to eliminate a security vulnerability surrounding personnel. Or, a HIPAA Privacy Officer might require that employees work from the office to prevent improper use of health information. Note: this last example is variable based on the mandates of local public health authorities during the COVID-19 pandemic.
For the GDPR, compliance is only required if the company meets certain size and revenue thresholds. This protects the smallest businesses from excessive costs. In addition, smaller companies tend not to have the amount of data that hackers prefer to go after. However, once a company meets the minimum size and revenue, there are significant fines for not having a Privacy Officer in place. In most cases, the fines are more expensive than hiring or contracting for this compliance position.
With HIPAA, the fines are assessed per data breach or improper disclosure. Covered entities are a wide variety of companies, from billing and patient call centers to doctors and hospitals. This means that the position is rather broad, and the fines for non-compliance add up very quickly. For that reason, HR departments need to be certain about what their risk is, and whether or not they should have a Privacy Officer.
As similar as the DPO and Privacy Officer positions might be, there are significant differences. For instance, the scope of each compliance position is different. So is the subset of companies to which each position applies.
HIPAA only covers companies that work with healthcare-related information for United States residents. This can include employers of any industry that provide health insurance, the insurance companies themselves, medical providers, and billing entities. However, if a company doesn’t provide healthcare-related services or give health insurance for their employees, they won’t need a Privacy Officer.
Likewise, the GDPR doesn’t cover all companies. However, it has a much larger scope, because any company that handles a certain amount of data from EU residents is covered. That means a GDPR company can be anything from a retail store to an employer, and even a travel company. The GDPR in general is a very broad regulation, so if your company has more than a negligible presence among EU citizens, you’ll want to consider a DPO.
Under the GDPR, a DPO must be relatively independent from the company. For instance, they can’t be a lawyer that might represent the company in data privacy-related litigation. In addition, the DPO can’t be fired for doing their job properly. So, if they tell an employer to fix something or alert management to a significant data security issue, the company can’t terminate them for it.
On the other hand, a Privacy Officer is usually a member of HR or management. They are allowed to multitask, doing any other appropriate tasks in the company. So, for example, the Privacy Officer might also be the employee benefits administrator. That wouldn’t be allowed under the GDPR.
Finally, a GDPR DPO is responsible for all data handling in the company. For a HIPAA Privacy Officer, the only concern is healthcare-related information. For that reason, the DPO is a more comprehensive job than the Privacy Officer. And because of this, the DPO often has a wider scope of expertise in terms of business systems and processes.
Worried about compliance? At Accountable HQ, we have you covered. Our software helps companies easily comply with a wide range of privacy rules, from the GDPR and HIPAA all the way to CCPA and other rules. Request a demo today!