The Privacy Officer Evolution

Keep up with the latest on information governance as this key strategy emerges for addressing a myriad of information management challenges in healthcare. This blog will highlight the trends and opportunities IG presents for ensuring information is treated as an organizational asset.


By Kathy Downing, MA, RHIA, CHPS, PMP

Within my 20 years in the realm of privacy officer, we called work in privacy first “appropriate access,” then “information protection,” and now, thanks to the Health Insurance Portability and Accountability Act (HIPAA), have finally settled on the term “privacy.” HIPAA dictated that each organization designate someone with privacy responsibility. With good executive backing—and a federally mandated timeline—the healthcare industry has been successful with this change in culture. In fact, we are now seeing more and more organizations go to “centralized” privacy responsibility over several hospitals or a bundling of privacy responsibilities into compliance or security, which makes me wonder: what is the next evolution of the privacy officer role and how do we stay relevant?

I would assert that information governance (IG) offers the next career path for the privacy officer in healthcare. When you begin to apply the principles of protection and compliance outlined in AHIMA’s Information Governance Principles for Healthcare (IGPHC™), a road map emerges where the privacy officer travels from a HIPAA/clinical-oriented role to an enterprise role of protecting the privacy of ALL information. If you have been listening to the discussion of healthcare hackings in the news, you will often hear that the breach affected patient, organization, and employee records.

Privacy officers have not been adept at reaching beyond the clinical arena to an organization-wide framework to protect information throughout its life cycle and to support the organization’s strategy, regulatory, legal, risk, and environmental requirements (this should sound familiar—it fits with AHIMA’s definition of information governance!).

The transition from the role of a privacy officer to the role of a chief information governance officer isn’t going to happen overnight, but I would argue the skill set is there. If we are willing to take the risk and get out of our clinical comfort zone, we will work our way beyond HIPAA to projects like enterprise social media policy, mobile device management, protection of intellectual property, and IG workforce awareness.

Healthcare organizations are beginning to understand that information is one of our greatest assets—and that doesn’t just mean clinical information.


AHIMA thanks ARMA International for use of the following in adapting and creating materials for healthcare industry use in IG adoption: Generally Accepted Recordkeeping Principles® and the Information Governance Maturity Model. ARMA International 2013.


AHIMA. “Information Governance Principles for Healthcare (IGPHC™).” 2014.


Kathy Downing is senior director, information governance at AHIMA.

