In recognition of Data Privacy Month, ITS News presents this overview of Privacy Liaisons and an introduction to ITS’ two Privacy Liaisons.
Privacy Liaisons are appointed by the head of each UNC-Chapel Hill operating unit that has responsibility for management of Protected Health Information (PHI). Many of these operating units have been designated as “covered units” that must comply with HIPAA. Covered units provide health care to patients or support the provider units in some way. For example, ITS is a covered unit because ITS supports applications and systems that maintain PHI. A list of Privacy Liaisons can be found on the Institutional Privacy Office website.
What is the function of a Privacy Liaison?
Privacy Liaisons serve as a resource to their units for questions related to HIPAA and other privacy-related legal or regulatory requirements that apply to the University. Common activities include helping determine whether a vendor needs to sign a business associate agreement (BAA) if the vendor will access, use, store or disclose PHI; coordinating annual HIPAA training for the unit; helping determine if a vendor or process requires UCPPD approval; assisting the unit with understanding and following applicable policies, standards and procedures; and managing risks to sensitive information held by the unit. For many units, this also involves research involving PHI.
Why are Privacy Liaisons important?
Privacy Liaisons are an integral part of the University’s privacy compliance program, managed by the Chief Privacy Officer. The Institutional Privacy Office is a small team with University-wide responsibilities and relies heavily on the Privacy Liaisons to help promote privacy awareness across the University.
Meet ITS’ Privacy Liaisons
Roger Rice, an IT Manager for Enterprise Applications, has served as an ITS Privacy Liaison since November 2017. Because of his role as the EA Applications Security manager, he was recommended for the ITS Privacy Liaison position.
The Privacy Office has responsibility for Privacy – HIPAA, FERPA and otherwise – across the University. Serving as a Privacy Liaison, he said, aligns with the efforts of his team to facilitate application security management.
Q: Why is this function important?
A: The work of the Privacy Liaison is to move our University closer to compliance while the Privacy Office is handling breach determinations and notifications and day-to-day contracts such as data use agreements and BAAs. Thus, the work of a Privacy Liaison is critical to ITS becoming HIPAA compliant.
Q: What does a successful Privacy Liaison look like to you?
A: The Privacy Liaisons meet once a month. Privacy issues/concerns across UNC as well as outside of the University are shared and discussed. Attendance at this meeting with the other covered units across campus aids the liaison in understanding the critical nature of this position as well as determining the work that is required of the Privacy Liaison.
Kim Stahl, a Privacy Liaison for two years, works mainly on policies and related documents, both IT and Privacy policies. She also helps with business processes, working through obstacles to getting things done efficiently. Stahl was selected to serve as a Privacy Liaison, she said, because she’s worked with the Institutional Privacy Office in the past and “have some familiarity with the issues involved (though I am not an expert). Also, many of the things that need to happen to do privacy well involve getting processes into place, which is part of my job.”
Serving as a Privacy Liaison is important work, she said. “With this kind of thing, it’s easy to see red-tape rather than the reasons for it, and easy to create ‘check-the-box’ activities that don’t really achieve anything,” Stahl said. “It’s important to me to find ways to do the important work of protecting information we all know is under constant siege, while also making it possible to do our jobs and keep the University operating. If I can remove obstacles to both of those so that things happen more effectively, that’s worth my time.”
Q: Elaborate on why you think this function is important.
A: We toss around the term “sensitive information” so much that it feels almost meaningless sometimes. But with Privacy, we’re talking about health information, financial information, very personal data. As a person, I care about this. I want for the people who need my information to be able to get it efficiently, but I also want for anyone who can access it to take that as a position of trust. That’s how I view all of the “sensitive information” ITS is entrusted with. This position can help keep the gears moving, and help remind everyone to act as if every byte of “sensitive information” matters.
Q: What does being a successful liaison look like to you?
A: ITS staff knocking on my door (physically or virtually) for ways to do the right thing with, for help to work through obstacles, and any time a process just doesn’t make sense. I’m in ITS Manning 3008, and visitors are always welcomed (with candy).