What are the Duties of a HIPAA Compliance Officer?
The Health Insurance Portability and Accountability Act requires that a person (or persons) within a Covered Entity or Business Associate is assigned the duties of a HIPAA Compliance Officer. This may be an existing employee, or a new position can be created to meet the requirement. It is even possible to outsource the duties of a HIPAA Compliance Officer on a temporary or permanent basis.
But, what are the duties of a HIPAA Compliance Officer? And how much work is involved? That will depend on the size of the Covered Entity or Business Associate, and the volume of Protected Health Information (PHI) it creates, uses, and maintains. In larger organizations it is often the case that the duties of a HIPAA Compliance Officer are divided between a Privacy Officer and a Security Officer.
The Duties of a HIPAA Privacy Officer
A HIPAA Privacy Officer is responsible for developing a HIPAA-compliant privacy program if one does not already exist, or – if a privacy program is already in place – for ensuring privacy policies to protect the integrity of PHI are enforced. He or she will deliver or oversee ongoing employee privacy training, conduct risk assessments and develop HIPAA-compliant procedures where necessary.
A HIPAA Privacy Officer will have to monitor compliance with the privacy program, investigate incidents in which a breach of PHI may have occurred, report breaches as necessary, and ensure patients' rights in accordance with state and federal laws. In order to fulfil the duties of a HIPAA Privacy Officer, the appointed person will have to keep up to date with relevant state and federal laws.
The Duties of a HIPAA Security Officer
The duties of a HIPAA Security Officer are not dissimilar to those of a Privacy Officer, inasmuch as the appointed person will be responsible for the development of security policies, the implementation of procedures, training, risk assessments and monitoring compliance. However, the focus of a Security Officer is compliance with the Administrative, Physical and Technical Safeguards of the Security Rule.
In this respect, the duties of a HIPAA Security Officer can include such diverse topics as the development of a Disaster Recovery Plan, the mechanisms in place to prevent unauthorized access to PHI, and how electronic PHI (ePHI) is transmitted and stored. Due to the similarity in duties, the roles of a HIPAA Privacy Officer and HIPAA Security Officer are performed by the same person in smaller organizations.
7 Steps to Becoming HIPAA Compliant
1. Develop and enforce policies and procedures.
2. Appoint or designate a HIPAA Compliance Officer.
3. Conduct effective employee and management training.
4. Establish effective channels of communication.
5. Conduct internal monitoring and auditing.
6. Respond to breaches and undertake corrective action.
7. Assess policies and procedures and amend as necessary.
Job Description for a HIPAA Compliance Officer
- The person appointed or designated the role of a HIPAA Compliance Officer must have a thorough knowledge of the HIPAA Privacy and Security Rules and the solutions available that will allow him or her to develop a HIPAA compliance program.
- Once a HIPAA compliance program has been developed, the Compliance Officer should document progress towards its implementation. In order to achieve this, a system should be created that enables the Officer to monitor the status of the organization's HIPAA compliance.
- The system should allow the HIPAA Compliance Officer to prioritize efforts towards compliance and communicate priorities. It should also act as a conduit through which compliance concerns can be raised and organizational changes coordinated.
- The HIPAA Compliance Officer is responsible for developing training programs and executing training courses. These should be designed to help employees understand HIPAA compliance and how any changes implemented will affect their specific duties.
- The HIPAA Compliance Officer is responsible for monitoring HHS' and the state's regulatory requirements. When new regulations or guidelines are introduced, the Officer must adjust the organization's HIPAA compliance program to reflect the changes.
Find Out More about the Duties of a HIPAA Compliance Officer
The HIPAA regulations do not define exactly what the duties of a HIPAA Compliance Officer are – instead leaving it to each Covered Entity or Business Associate to establish the duties according to its own specific requirements. Therefore, in order to effectively establish the duties of a HIPAA Compliance Officer, it is necessary to understand what those specific requirements are.
With this in mind, we have compiled a HIPAA Compliance Guide. Our guide is an overview of the key areas of HIPAA, HITECH and the Final Omnibus Rule, and how they apply to Covered Entities and Business Associates in certain circumstances. Naturally we are unable to cover every possible scenario, so we have also included links to further information and valuable resources that will help readers find answers to any questions about HIPAA compliance and the duties of a HIPAA Compliance Officer.