HIPAA Security Officer

Note: This blog was written a few years ago. For up-to-date information regarding HIPAA security and privacy officers, please read our most recent blog on the subject.

The concept of a HIPAA Security Officer is relatively new. Starting in 2012,  we have seen IT Managers and CIOs deputized as the “HIPAA Security Officer” (most times it was not voluntary).   Much like how printer support, phone support, and PCI compliance were “inherited” by  IT in recent years, we find HIPAA Security is typically pigeon-holed into the IT Department. Ironically, only about 30% of the HIPAA Security Risk Analysis and Compliance Gap Assessment (SRA) is Technical.  The vast majority of the SRA covers Administrative (Training, Policies and Procedures, Response Planning), Physical Safeguards (Visitor Sign-in, computer screen & CPU security, etc.) and Organizational (Business Associate Agreements) as well.

I.     POSITION GOAL

The Information Security Officer implements and supports information security initiatives throughout [Enter Organization Name]. Acts as a focus and resource for the organization’s information security matters.  Works with those in corresponding roles at the organization group practices and at organization Health System sites. Takes direction from the HIPAA Sponsor and works closely with the Information Privacy Officer to achieve the goals of the organization. Investigates and recommends secure solutions that implement information security policy and standards. Coordinates Office of Information Security activities and manages staff. Oversees, implements and monitors the security requirements levied by Federal and State Rules and Regulations.

II.    POSITION REQUIREMENTS

A.  Education

• A four-year college degree in Computer Science or equivalent certification is required.
• Professional certification, e.g. CISSP, CISA.

B.  Experience

• Education and experience relative to the size and scope of the organization.
• At least 3 years of information security work experience is required, with both public and private sector experience preferred.
• The ability to work effectively in a health care setting, consensus-driven organization is required, as are demonstrated personnel and information security program management skills.
• A working knowledge of all aspects of information security is essential, as is the ability to apply this knowledge in an open network environment.

C.  Additional Requirements

1. Demonstrated effectiveness with consensus building, policy development, and verbal and written communication skill.
2. In-depth understanding of network and system security technology and practices across all major-computing areas (mainframe, client/server, PC/LAN, telephony) with a special emphasis on Internet-related technology.
3. A high level of integrity and trust
4. Knowledge of HIPAA, state and federal guidelines on privacy, transactions, and security.
   Working knowledge and understanding of all hardware and software applications applicable to this organization.
5. Specific experiences in the health care industry.
6. Extensive familiarity with health care relevant legislation and standards for the protection of health information and patient privacy.
7. Demonstrated successful project management expertise.

III.  POSITION RESPONSIBILITIES

A. Responsible for the management and oversight of the information security of individually protected health information

• Maintains current and appropriate body of knowledge necessary to perform the information security management function.
• Effectively applies information security management knowledge to enhance the security of the open network and associated systems and services.
• Maintains working knowledge of legislative and regulatory initiatives. Interprets and translates requirements for implementation.
• Develops appropriate information security policies, standards, guidelines and procedures.
• Works effectively with the Information Privacy Officer, other information security personnel and the committee process.
• Provides meaningful input, prepares effective presentations and communicates information security objectives.
• Participates in short and long term planning.
• Monitors Information Security Program compliance and effectiveness in coordination with the entity’s other compliance and operational assessment functions.
• Oversees, directs, delivers, or ensures delivery of initial security training and orientation to all employees, volunteers, medical and professional staff, contractors, alliances, business associates, and other appropriate third parties.
• Establishes with management and operations a mechanism to track access to protected health information, within the purview of the organization and as required by law and to allow qualified individuals to review or receive a report on such activity.
• Ensures compliance with security practices and consistent application of sanctions for failure to comply with security policies for all individuals in the organization’s workforce, extended workforce, and for all business associates, in cooperation with Human Resources, the information privacy officer, administration, and legal counsel as applicable.
• Initiates, facilitates, and promotes activities to foster information security awareness within the organization and related entities.
• Serves as a member of, or liaison to, the organization’s Privacy Committee, should one exist. Also serves as the information security liaison for users of clinical and administrative systems.
• Reviews all system-related information security plans throughout the organization’s network to ensure alignment between security and privacy practices, and acts as a liaison to the information systems department.
• Conducts investigations of information security violations and computer crime. Works effectively with management and external law enforcement to resolve these instances.
• Reviews instances of noncompliance and works effectively and tactfully to correct deficiencies.
• Maintains current knowledge of applicable federal and state privacy laws and accreditation standards, and monitors advancements in information security technologies to ensure organizational adaptation and compliance.
• Serves as an information security consultant to the organization for all departments and appropriate entities.
• Cooperates with the Office of Civil Rights, other legal entities, and organization officers in any compliance reviews or investigations.
• Works with organization administration, legal counsel, and other related parties to represent the organization’s information security interests with external parties (state or local government bodies) who undertake to adopt or amend privacy legislation, regulation, or standard.
• Certifies that IT systems meet predetermined security requirements.
• Strives to maintain high system availability.

B.   Responsible for the management of information security personnel

• Determines positions and personnel necessary to accomplish information security goals. Requests positions, screens personnel and takes the lead in the interviewing and hiring process.
• Develops meaningful job descriptions. Communicates expectations and actively coaches personnel for success.
• Prioritizes and assigns tasks. Reviews work performed. Challenges staff to better themselves and advance the level of service provided.
• Provides meaningful feedback to staff on an on-going basis and formally appraises performance annually.

C.   Responsible for promoting open lines of communications within an organization

• Collaborates with other team members as needed or directed.
• Makes recommendations for the improvement of operational and procedural changes.

D.   Responsible for keeping abreast of local, state and federal rules and regulations

• Stays informed of latest web/internet tools and standards.
• Seeks out new ways of improving technical skills.

E.   Responsible for performing other duties assigned but not limited to the following

• Current duties as outlined in the current position job description.
• Special projects as assigned.