According to five chief privacy officers (CPOs), their peers need to learn patience, particularly as they attempt to educate their workforces about the need for privacy diligence in a world where it seems like everything is posted online publicly. 
Speaking recently at the 2023 National HIPAA Summit, they also stressed that the ability to talk about privacy to the entire workforce—from the lowest to highest levels—marks the most effective CPOs.
“The three things in my toolbox [are]: teach, tell and influence,” explained Faith Myers, CPO and vice president for global privacy at McKesson. “You’ve got to be able to be a really good educator of both your C-suite level, your board members, your leaders, as well as your front-line workers.”
It’s key to explain the gray areas in privacy, Myers said, and to point to the right thing to do, along with how it blends into the company’s culture. “But there’s some black and white in privacy as well,” she said. “And sometimes you just have to say yes or no, this is what you can do, and this is what you can’t do, and this is what the law says.”
Speaking to all levels of the organization, from the front-line staff to board members, also takes a special skill set, chimed in Steven Sugrue, chief compliance officer at DocGo. “The message has to be calibrated and discussed in a way so that all levels can understand it,” he said.
“I wear the privacy hat, I wear the compliance hat, and I wear the security hat, and I have a bunch of certifications,” said Greg Ewing, senior vice president for compliance, privacy, technology and regulatory affairs at Trillium Health, Inc. “What do we do on a day-to-day basis? We put out fires.”
“A successful CPO will be collaborative, flexible and patient, but still capable of saying ‘no’ when necessary,” added Iliana Peters, shareholder at the law firm Polsinelli and former acting deputy director for health information privacy at the HHS Office for Civil Rights.
Ethics, Instability Mark Privacy Environment
One of the most important qualities for CPOs is their philosophy on privacy and their approach to privacy, explained Wendi Wright, global privacy officer for medical device company Intuitive. “Can we treat privacy as something that’s hermetically sealed, which is not going to support our business and not really going to help us innovate and develop or help the business to grow?” she asked.
“We’ve seen the world move really towards privacy as a human right and as a fundamental right,” Wright said. “And so, there’s a big ethical component to it. You have to be constantly ready to learn because the laws are not totally stable right now, and they’re shifting underneath us. We have new regs, new laws in every jurisdiction every other month. So, someone needs to be really excited to work in an unstable and yet interesting environment.”
A privacy officer also needs to be patient, Sugrue said. “The privacy officer has to make sure that everyone knows how to care for patients’ protected health information [PHI]—especially the younger kids who like social media; they have to be constantly reminded that there’s a lot of inadvertent ways to break the law.”
Peters agreed that patience is crucial. “From my experience, it’s always difficult to persuade people who are putting their own data on social media that what we do every day is for their benefit. And, having those discussions is sometimes really difficult—both internally and externally,” she said.