Privacy Advisor

IAPP Board Members Speak Out on the Future of the Privacy Officer

September 1, 2006

IAPP Board Members Kimberly Gray, CIPP, and Kirk Nahra, CIPP, were recently interviewed by the Report on Patient Privacy for a September article titled, "As Focus Shifts to Electronic Records, Will Privacy Officers Be the 'Odd Man Out' ?"

With the landscape changing since the emergence of HIPAA compliance, so have roles and responsibilities across organizations and within the privacy arena. Gray, who is Highmark Inc.'s chief privacy officer, explained that her responsibilities continue to change and grow. Her department of seven provides "strategic direction" to business plans and long-range planning. Her department also is "highly involved in reviewing pending legislation at the state and federal level." Gray, who once held responsibility as both the security and privacy officer, has a collegial relationship with Highmark's chief information security officer and noted she needs "to be pretty well-versed in the technological advances."

"I think security is definitely the hot new thing, but I think privacy still is as well," Gray said. "I think as long as you have security issues you are going to have privacy issues."

Nahra, partner with Wiley Rein and Fielding LLP, feels it may now be seen as a mistake to keep privacy and security functions entirely separate. "You need people who are good with policies and procedures and can [perform] a cheerleading function, not someone who is sitting in front of a computer," Nahra told Report on Patient Privacy. "The other thing about it is the IT person doesn't have any idea about paper records and doesn't know anything about physical controls. The privacy official is in the best position to coordinate and oversee the whole package." His advice to clients is to "mesh" privacy and security functions. "The people who have done the best [security] have highly skilled technical people who know how to work with privacy officials," Nahra said.

Gray also cited the need for broadening ones area of expertise and receiving advanced privacy training. She and her team hold the credential of Certified Information Privacy Professional (CIPP). Nahra also is CIPP-certified, as well as the entire IAPP Board, along with almost a 1,000 privacy professionals around the world. The IAPP continues to broaden its certification offerings, with its recent expansion to a Canadian credential.