What have others in the non-healthcare arena been doing as far as designating a Privacy Officer for your firm? Has it been a head of HR, head of Benefits, Legal or otherwise?

This is more than just a simple answer and depends on your organization's situation. I am assuming your company has no other covered function and only the health plans are the covered entity. With that said, you then need to look at if your covered plans are fully-insured or self-insured. If you are hands on or hands off. If it is self-insured or hands on, I would highly suggest it be the Benefits director. What you really need to be careful of is that the person(s) that may come into contact with PHI or deal with complaints has very little decision making in the event of an employee action (firing). This is where the whole pandoras box is going to open. It would also be wise to consult an attorney or consultant that specializes in the HIPAA Privacy as it relates to employers and their health plans. Trying to tackle this comliance without some outside guidance is very risky.