Choosing a HIPAA Security and Privacy Officer for Your Compliance Program

What is the purpose of a HIPAA Privacy and Security Officer?

First and foremost, appointing a HIPAA Security and a HIPAA Privacy Officer is a requirement, per 164.308(a)(2). In the past, healthcare providers were not protecting patient information as they should, so the federal government stepped in and implemented the HIPAA Security and Privacy Rules.

These rules require an organization to appoint one or more security and privacy officer(s) to oversee organizational compliance. There must be a formal policy in place to designate and recognize the individual as such an official.

Since executives are ultimately responsible for the overall well-being of the company and the compliance of an organization, they are also the ones responsible for appointing HIPAA Security and Privacy Officers.

Health Systems: Who should I appoint as our HIPAA Privacy and Security Officer(s)?

Often the “IT guy” would be made the HIPAA officer by default, but that is changing as organizations begin to fully understand the importance of a compliance official.

Overseeing the security and privacy of an organization is a big job and requires consistent time and attention. Many organizations have shifted the role to someone whose only focus and responsibility is security and privacy. The person appointed as an organization’s compliance officer should be the go-to person for any security and/or privacy concerns that may arise.

Protecting and safeguarding (electronic) protected health information (ePHI and PHI) is an increasingly complex job. With the current healthcare IT landscape and updates to the HIPAA law itself, prioritizing compliance and appointing compliance officers will continue to be vital to becoming and/or remaining HIPAA compliant.

Because of the continuous evolution of compliance and IT best practices, training is essential for all employees, not just the Compliance Officer. 53% of all healthcare data breaches were found to have originated from inside the organization, so equipping staff with knowledge of HIPAA and its best practices can help mitigate risk.

Many organizations neglect training or simply do not have the knowledge or experience to train in-house, but there are many external options for those seeking quality HIPAA officer and staff training, such as HIPAA One®’s Knowledge Center.

Small Practices: Who should I appoint as our HIPAA Privacy and Security Officer?

When you’re a smaller healthcare organization and not a hospital or part of a larger health system, it may be difficult to determine whom to appoint as your acting HIPAA Privacy Officer. It’s best to avoid defaulting to the third-party “IT Guy” you hire to keep the practice running. While the IT Guy may be skilled, they serve all types of customers; in other words, they don’t understand that there is a different level of scrutiny around protecting PHI. Plus, although they may be “technical”, they aren’t part of the day-to-day operations and so lack the understanding of the administrative and physical safeguards required to protect PHI.

So, who’s the best person to be the HIPAA Security and Privacy Officer? Typically, the Practice Manager (PM) is the best person. The PM knows how the Practice runs and is in the best position to understand what needs to change organizationally to protect PHI. Additionally, because of their leadership role, they can drive necessary changes. As the first step, the PM should perform the Practice’s security risk assessment (SRA). This baseline SRA provides the PM with a holistic view of the risks to PHI at the organizational level.

What are the primary responsibilities of a HIPAA Privacy and Security Officer?

There are three main responsibilities of compliance officials:

  • They must familiarize themselves with HIPAA Privacy and Security rules to better implement policies, procedures, and controls within their organization to maintain proper compliance.
  • They should look at furthering their continuing education by pursuing certifications, such as CISA.
  • In addition to training themselves, they are also responsible for providing role-specific yearly HIPAA training for the entire organization, whether online or in person.

The Duties of the HIPAA Officers

The HIPAA regulations do not define exactly what duties a HIPAA compliance officer has; instead, they allow the covered entity or business associate to establish those duties according to its own organizational requirements. Outlined below are the common duties of a HIPAA privacy and security compliance officer.

HIPAA Privacy Officer Duties:

  • Responsible for creating, implementing, and enforcing an organization’s privacy program
  • Ensure that the privacy policies sufficiently protect the organization’s PHI and develop policies and procedures where gaps arise
  • Conduct and monitor the annual HIPAA workforce training for the organization
  • Stay up to date with the relevant state and federal laws
  • Conduct HIPAA privacy and breach risk assessments to monitor compliance and address any risks or vulnerabilities the organization may need to remediate
  • Investigate privacy incidents where ePHI or PHI may have been breached
HIPAA Security Officer Duties:

  • Responsible for creating, implementing, and enforcing an organization’s security program, focusing on the administrative, physical, technical, and organizational safeguards required by the Security Rule
  • Ensure that the security policies and procedures sufficiently protect the organization’s PHI and develop policies and procedures where gaps arise
  • Conduct and monitor the annual HIPAA workforce training for the organization
  • Conduct HIPAA security risk assessments to monitor administrative, physical, technical, and organizational safeguards
  • Investigate security incidents where ePHI or PHI may have been breached

How Can I Get Help Finding My HIPAA Privacy and Security Officer(s)?

Being a HIPAA Privacy and/or Security Officer is complex. Luckily, there are tools available to help simplify and automate the process. Intraprise Health’s Security and Privacy Risk Assessments are available to organizations of all sizes to help them identify what safeguards they have in place and where their organization may be at risk.

The HIPAA One® software was designed with a reflexive question engine, automated reminders, risk assignment, and remediation planning.

When using the HIPAA One® software, you will be able to address the physical, administrative, technical, and organizational and privacy safeguards to help your organization be compliant.

We try to make the process as easy as possible, and we guarantee that when you use HIPAA One® you will pass an audit. By utilizing the software, you will be able to identify gaps in your organization’s compliance, which can then be planned for remediation.

Our goal is to help reduce the administrative burden of HIPAA requirements through our innovative compliance and security solutions.

For more questions about HIPAA Officers or HIPAA in general, contact us here.