Some organizations, especially those on the smaller side, may not have unique roles for the Privacy Officer and the Security Officer, outlined by the HIPAA Privacy Rule and HIPAA Security rule, respectively.
Nonetheless, if you are a Covered Entity, someone must carry out the responsibilities of both roles within your organization. If those responsibilities fall on a single person, that person is the HIPAA Compliance Officer.
Role of the HIPAA Security Officer
A HIPAA Security Officer is responsible for maintaining the confidentiality, integrity, and availability of an organization’s information systems. They do this by developing, implementing, and carrying out policies, procedures and practices related to information security.
The focus of the Security Officer is to maintain compliance with the Administrative, Physical, and Technical safeguards that protect the information systems from attacks or unauthorized access, while the Privacy Officer is responsible for understanding HIPAA at a program management level and facilitating patients rights to their data.
Role of the HIPAA Privacy Officer
A HIPAA privacy officer is responsible for developing, implementing and maintaining privacy policies and procedures regarding the management of protected health information (PHI) in your company. They must act in accordance with federal and state privacy laws and HIPAA regulations, mandated by the HIPAA Privacy Rule.
This rule also mandates that any organization that handles or stores PHI or ePHI (electronic protected health information) must designate someone to be a HIPAA Privacy Officer no matter how large their organization is.
Business Associates vs. Covered Entities
The responsibilities of a Compliance Officer at a HIPAA compliant organization depends on whether the organization is a Business Associate or a Covered Entity.
Typically, Business Associate Agreements (BAAs) do not cover the Privacy rule, although this may be different for your business – so check your BAA for privacy requirements such as providing patients access to their records. Business Associates are not responsible for administering patient rights unless they are specifically hired to do so.
If you’re a Business Associate, you will need someone to handle Security Officer responsibilities, and anything else required by the Business Associate Agreement or other compliance responsibilities that you have as a service provider.
Responsibilities of the HIPAA Compliance Officer
Because the HIPAA Compliance Officer must maintain the role of both the HIPAA Security Officer and Privacy Officer, there are a lot of responsibilities that are required of them. This is why many larger organizations opt to have two officers rather than a single Compliance Officer.
From “HIPAA Security Officer Guide“, although the responsibilities of the Security Officer may vary by organization, they are usually responsible for the following:
- Establishing your organization’s security program.
- Ensuring compliance with federal and state security laws.
- Maintaining a list of all users of the information system, specifically those that access PHI.
- Reviewing technology purchases to ensure they are consistent with IT security policy and strategy.
- Investigating security incidents.
- Assessing risks related to security or use of PHI.
- Reviewing information system activity to identify policy violations, security incidents, or data breaches.
- Providing security training.
- Reviewing security provisions in Business Associate contracts.
- Auditing compliance with security policies.
- Monitoring any data collected by or posted on your websites for security concerns.
- Assigning sanctions to employees who violate security policies.
- Guarding against retaliation towards individuals who seek to enforce their own privacy and security rights, or those of others.
From “HIPAA Privacy Officer Guide”, a HIPAA Privacy Officer is typically responsible for the following:
- Developing policies and procedures for HIPAA privacy and compliance.
- Developing and conducting privacy training and orientation to all employees.
- Responding to questions from staff and patients concerning privacy policies and procedures.
- Maintaining an updated Notice of Privacy Practices to reflect changes in procedures at the firm.
- Maintaining appropriate privacy, confidentiality, consent, and authorization forms, and information notices and materials on behalf of your organization.
- Receiving complaints concerning the privacy practices described in the Notice of Privacy Practices.
- Auditing compliance with privacy policies and procedures.
- Ensuring that all employees are acting in total compliance with privacy policies and procedures.
- Investigating, tracking, and correcting violations of privacy policies and procedures.
- Keeping Business Associate Agreements (BAA) up-to-date and accurate.
- Implementing sanctions in the event of a breach.
- Responding to patients requests regarding access to PHI, amendment of PHI, limitation on disclosures, and accounting of disclosures.
- Continuously tracking who and what devices have access to PHI so this can be easily reviewed in an audit.
Takeaways
- A HIPAA Compliance Officer is the combination of the roles of HIPAA Privacy Officer and HIPAA Security Officer, especially in smaller organizations.
- This is a critical responsibility in an organization, no matter the size.
- The responsibilities of a Compliance Officer at a HIPAA compliant organization depends on whether the organization is a Business Associate or a Covered Entity.
- When choosing someone to fill this role within your own company, be sure to consider the importance of this position.
Is your HIPAA Compliance Officer up to the challenge? Do you want additional training to avoid fines by the OCR? Gazelle Consulting is here to help!
Contact us today at info@gazelleconsulting.org or 503-389-5666!
