HIPAA Security Officer Guide

A HIPAA security officer has a critical role in maintaining HIPAA compliance for your company. But what exactly are they responsible for?

What is a HIPAA Security Officer?

The role exists because the HIPAA Security Rule requires every covered entity and business associate to designate a security official responsible for developing and implementing the policies and procedures the Rule demands, and because modern health care practices depend on information systems that must be protected. In larger organizations, this may be the full-time role of a specialized employee. In smaller organizations, the Security Officer role may be held by an administrative or IT employee alongside other duties.

What does a HIPAA Security Officer do?

The core responsibility of the Security Officer is to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI) and the information systems that create, receive, maintain, or transmit it. They do this by developing, implementing, and enforcing the policies, procedures, and practices that govern information security in the organization.

The role of the HIPAA Security Officer differs from that of a HIPAA Privacy Officer (check out our HIPAA Privacy Officer Guide here!). The Security Officer focuses on the Security Rule: maintaining the Administrative, Physical, and Technical safeguards that protect information systems and ePHI from attacks and unauthorized access. The Privacy Officer focuses on the Privacy Rule: managing the organization's HIPAA program, governing permitted uses and disclosures of PHI, and facilitating patients' rights to their data.

In some organizations a single HIPAA Compliance Officer fills both the Privacy Officer and Security Officer roles.

Although the responsibilities of the Security Officer may vary by organization, they may be responsible for the following:

  • Establishing your organization’s security program. 
  • Ensuring compliance with federal and state security laws.
  • Maintaining an inventory of all users of the information systems, particularly those with access to ePHI.
  • Reviewing technology purchases to ensure they are consistent with IT security policy and strategy.
  • Investigating security incidents.
  • Conducting risk analyses of the threats to the confidentiality, integrity, and availability of ePHI, and managing the identified risks.
  • Reviewing information system activity to identify policy violations, security incidents, or data breaches.
  • Providing security training. 
  • Reviewing security provisions in Business Associate contracts.
  • Auditing compliance with security policies. 
  • Monitoring any data collected by or posted on your websites for security concerns.
  • Assigning sanctions to employees who violate security policies.
  • Guarding against retaliation towards individuals who seek to enforce their own privacy and security rights, or those of others.

The Security Officer may delegate any of these responsibilities to other employees or contractors, but remains accountable for ensuring they are carried out.


  • A HIPAA Security Officer has critical responsibility in an organization, no matter the size. 
  • They are responsible for ensuring that their organization is up-to-date on every aspect of HIPAA security compliance, especially concerning electronic PHI. 
  • When choosing someone to fill this role within your own company, make sure the person has the authority, time, and technical grounding the position requires.

Are you feeling unsure about the role of the HIPAA Security Officer in your company?

Gazelle Consulting is here to help! We can develop materials, training, privacy practices and more to make sure your team has everything they need to succeed! 

Contact us now at (503) 389-5666 or info@gazelleconsulting.org!
