HIPAA Privacy Officer Guide

A HIPAA privacy officer, sometimes known as a Chief Privacy Officer (CPO), has a critical role in maintaining HIPAA compliance for your company.

What is a HIPAA Privacy Officer?

A HIPAA privacy officer is responsible for developing, implementing and maintaining privacy policies and procedures regarding the management of protected health information (PHI) in your company. They must act in accordance with federal and state HIPAA regulations, mandated by the HIPAA Privacy Rule. The HIPAA Privacy Rule sets the standards for who is allowed access to PHI.

This rule also mandates that any organization that handles or stores PHI or ePHI (electronic protected health information) must designate someone to be a HIPAA Privacy Officer no matter how large their organization is. 

In larger organizations, this may be the full-time role of an employee. However, in smaller organizations, this privacy officer responsibility may be held by an administrative or IT employee. 

What does a HIPAA Privacy Officer do?

First and foremost, it is the HIPAA Privacy Officer’s responsibility to ensure that all aspects of PHI management are active and up-to-date. The HIPAA Privacy Officer is an organization’s key line of defense against fines for lack of compliance

A HIPAA Privacy Officer is typically responsible for the following:

  • Developing policies and procedures for HIPAA privacy and compliance.
  • Developing and conducting privacy training and orientation to all employees.
  • Responding to questions from staff and patients concerning privacy policies and procedures.
  • Maintaining an updated Notice of Privacy Practices to reflect changes in procedures at the firm. 
  • Maintaining appropriate privacy, confidentiality, consent, and authorization forms, and information notices and materials on behalf of your organization
  • Receiving complaints concerning the privacy practices described in the Notice of Privacy Practices
  • Auditing compliance with privacy policies and procedures.
  • Ensuring that all employees are acting in total compliance with privacy policies and procedures 
  • Investigating, tracking,  and correcting violations of privacy policies and procedures.
  • Keeping Business Associate Agreements (BAA) up-to-date and accurate.
  • Implementing sanctions in the event of a breach.
  • Responding to patients requests regarding access to PHI, amendment of PHI, limitation on disclosures, and accounting of disclosures.
  • Continuously tracking who and what devices have access to PHI so this can be easily reviewed in an audit.

Responsibilities of a HIPAA Privacy Officer can also include:

  • Cooperating with HHS and its Office for Civil Rights, other legal entities, and organization officers in any compliance reviews or investigations.
  • Working with appropriate technical personnel to protect confidential information from unauthorized use or disclosure. 
  • Reviewing all contracts under which access to confidential data (PHI) is given to outside entities, bringing those contracts into compliance with the Privacy Rule, and ensuring that confidential data is protected when such access is granted. 
  • Remaining up-to-date on laws, rules and regulations regarding data privacy and update the Practice’s policies and procedures as necessary. 
  • Serving as liaison to government agencies, industry groups and privacy activists in all matters relating to our privacy practices.


A HIPAA Privacy Officer has critical responsibility in an organization, no matter the size. They are responsible for ensuring that their organization is up-to-date on every aspect of HIPAA compliance. When choosing someone to fill this role within your own company, be sure to consider the importance of this position.

Are you feeling unsure about the role of the HIPAA Privacy Officer in your company? Gazelle Consulting is here to help! We can develop materials, training, privacy practices and more to make sure your team has everything they need to succeed! We make HIPAA compliance feel like a walk through a grassy savanna. 

Contact us now at (503) 389-5666 or info@gazelleconsulting.org!

Nav close