Choosing a HIPAA Security and Privacy Officer for your compliance program

What is the purpose of a HIPAA Privacy and Security Officer?

First and foremost, appointing a HIPAA security officer and a HIPAA privacy officer is a requirement, per 164.308(a)(2). In the past, healthcare providers were not protecting patient information as they should have, so the federal government stepped in and implemented the HIPAA Security and Privacy Rules. These rules require an organization to appoint one or more security and privacy officer(s) to oversee organizational compliance. There must be a formal policy in place that designates and recognizes the individual as such an official. Since executives are ultimately responsible for the overall well-being of the company and the compliance of the organization, they are also the ones responsible for appointing the HIPAA security and privacy officers.

Who should I appoint as our HIPAA Privacy and Security Officer(s)?

Often the “IT guy” would be made the HIPAA officer by default, but that is changing as organizations begin to fully understand the importance of a compliance official. Overseeing the security and privacy of an organization is a big job and requires consistent time and attention. Many organizations have shifted the role to someone whose only focus and responsibility is security and privacy. The person appointed as an organization’s compliance officer should be the go-to person for any security and/or privacy concerns that may arise. Protecting and safeguarding ePHI and PHI is an increasingly complex job. With the current healthcare IT landscape and updates to the HIPAA law itself, prioritizing compliance and appointing compliance officers will continue to be vital to becoming and/or remaining HIPAA compliant.

Of course, an IT background helps the compliance official understand and better perform their job duties, but many of the responsibilities of a compliance officer will likely be new regardless. Therefore, proper training is necessary. Most organizations neglect training or simply do not have the knowledge or experience to train in-house. There are many options when seeking quality HIPAA officer training, such as HIPAA One®’s Knowledge Center.

What are the primary responsibilities of a HIPAA Privacy and Security Officer?

There are three main responsibilities of compliance officials. First, they must familiarize themselves with the HIPAA Privacy and Security Rules so they can implement the policies, procedures, and controls their organization needs to maintain compliance. Second, they should further their own continuing education by pursuing certifications, such as CISA. Third, in addition to training themselves, they are responsible for providing role-specific yearly HIPAA training for the entire organization, whether online or in person.

The Duties of the HIPAA Officers

The HIPAA regulations do not define exactly what duties a HIPAA compliance officer has; instead, they allow the covered entity or business associate to establish those duties according to its own organizational requirements. Outlined below are the common duties of a HIPAA privacy and security compliance officer.

HIPAA Privacy Officer Duties:

  • Responsible for creating, implementing, and enforcing an organization’s privacy program
  • Ensure that the privacy policies sufficiently protect the organization’s PHI and develop policies and procedures where gaps arise
  • Conduct and monitor the annual HIPAA workforce training for the organization
  • Stay up to date with the relevant state and federal laws
  • Conduct HIPAA privacy and breach risk assessments to monitor compliance and address any risks or vulnerabilities the organization may need to remediate
  • Investigate privacy incidents where ePHI or PHI may have been breached

HIPAA Security Officer Duties:

  • Responsible for creating, implementing, and enforcing an organization’s security program that covers the administrative, physical, technical, and organizational safeguards required by the Security Rule
  • Ensure that the security policies and procedures sufficiently protect the organization’s PHI and develop policies and procedures where gaps arise
  • Conduct and monitor the annual HIPAA workforce training for the organization
  • Conduct HIPAA security risk assessments to monitor administrative, physical, technical, and organizational safeguards
  • Investigate security incidents where ePHI or PHI may have been breached

How Can I Get Help Finding My HIPAA Privacy and Security Officer(s)?

Being a HIPAA Privacy and/or Security Officer is complex. Luckily, there are tools available to help simplify and automate the process. Intraprise Health’s Security and Privacy Risk Assessments are available to organizations of all sizes to help them identify which safeguards they have in place and where their organization may be at risk.

The HIPAA One® software was designed with a reflexive question engine, automated reminders, risk assignment, and remediation planning. When using the HIPAA One® software, you will be able to address the physical, administrative, technical, organizational, and privacy safeguards to help your organization be compliant. We try to make the process as easy as possible, and we can guarantee that when you use HIPAA One® you will pass an audit. By utilizing the software, you will be able to identify gaps in your organization’s compliance, which can then be planned for remediation. Our goal is to help reduce the administrative burden of HIPAA requirements through our innovative compliance and security solutions.

For more questions about HIPAA Officers or HIPAA in general, contact us here.