Before we dive into designating a HIPAA compliance officer for privacy and security, we want to start with the basics.
First and foremost, what is HIPAA?
According to the CDC,
“The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.”
Okay, so now we understand exactly what HIPAA is, let’s discuss HIPAA Privacy and Security.
HIPAA Privacy Rule.
The HIPAA Privacy Rule strikes a balance that permits legitimate uses of health information while protecting the privacy of individuals who seek care and recovery.
HIPAA Security Rule.
The HIPAA Security Rule safeguards electronic protected health information, referred to as “e-PHI”.
According to federal law, organizations must designate a HIPAA Privacy Officer and a HIPAA Security Officer. This requirement stemmed from the need to enforce better security practices to protect patients’ health information, since healthcare providers had failed to do so in the past. The HIPAA Privacy and Security Rules were designed to address that gap.
And, according to these rules, organizations must appoint one or more privacy and security officer(s). These officers are responsible for managing an organization’s compliance program. A formal policy to designate and recognize such individuals must also be in place.
Primary responsibilities of HIPAA Privacy and Security Officers
HIPAA Privacy and Security Officers can be responsible for a number of important tasks. But, as a baseline, compliance officers should do the following:
- The officials must have a sound knowledge of the HIPAA Privacy and Security Rules to effectively manage company policies, procedures, and controls within the organization.
- The officials can obtain certifications like CISA to grow their knowledge and accountability.
- The officers must provide role-based training to the members of their organization, whether in-person or online.
The provisions under HIPAA do not precisely specify the responsibilities of HIPAA Privacy and Security officers. Covered entities and business associates have the flexibility to establish their own policies and procedures according to their unique organizational needs.
HIPAA Privacy Officers: What do they do?
Below are some of the typical responsibilities of a HIPAA Privacy Officer:
- Identifying and reviewing threats to the confidentiality of PHI (Protected Health Information).
- Developing and implementing privacy policies and procedures for the organization.
- Developing and delivering training for all new and existing employees.
- Periodically auditing networks and other technology to ensure that security practices are being followed and are effective.
- Contacting the Department of Health and Human Services (HHS) and all other relevant parties in the event of a breach, and investigating the breach: when it happened, why, how, who was involved, and what to do next.
HIPAA Security Officers: What do they do?
Here are some everyday responsibilities of a HIPAA Security Officer:
- Identifying and reviewing threats to the confidentiality of electronic protected health information (ePHI).
- Creating, implementing, and enforcing policies and procedures that address the administrative, physical, and technical safeguard requirements.
- Ensuring that the implemented policies and procedures are sufficient to protect ePHI, and developing new policies to address any gaps.
- Developing and conducting security training for employees.
- Conducting annual HIPAA risk assessments to keep the administrative, physical, and technical safeguards in check.
- Investigating incidents where ePHI may have been breached, and determining the why, the how, and the next steps.
So, now you understand what HIPAA privacy and security officers do. The next step will be to appoint an officer or hire someone to perform these specific tasks. Unsure where to begin? Check out the next section!
Who to appoint as a HIPAA Compliance Officer for Privacy and Security?
The HIPAA compliance officer position can be delegated to a new full-time hire or an existing employee who knows the ins and outs of the organization. And, depending on the size of the organization, it can be difficult to predict the time it will take to manage the compliance program.
Depending on the organization’s size, a single individual may assume both the privacy and security officer roles. In the past, the “IT Guy” would often be designated as the HIPAA officer, but that is changing as organizations begin to understand the importance of a dedicated compliance officer.
The duties and expectations of a HIPAA Compliance Officer (Privacy Officer and Security Officer) can vary significantly depending on the size of the organization and the amount of PHI it creates, maintains, or uses.
Your HIPAA Privacy and Security officer(s) should be the go-to person to address privacy or security concerns that may arise within your organization.
Get a Head Start with Your Compliance Program With HIPAA Ready!
HIPAA Ready simplifies the Privacy and Security Officer’s job. HIPAA Ready is a robust compliance management app that automates and simplifies all your implementation requirements. With HIPAA Ready, compliance officers can also conduct and monitor employee training and certification.