What are the Duties of a HIPAA Compliance Officer?
A HIPAA Compliance Officer is an individual who has been designated the role of HIPAA Privacy Officer and/or assigned responsibility for compliance with the HIPAA Security Rule. The individual may be an existing employee, a new member of the workforce, or an outsourced partner assigned the role of HIPAA Compliance Officer on a temporary or permanent basis.
The duties of the HIPAA Compliance Officer depend on multiple factors. These factors include whether the HIPAA Compliance Officer has been designated the HIPAA Privacy Officer, the HIPAA Security Officer, or both. The duties also depend on the size of the organization, the nature of its operations, other roles performed by the individual, and whether duties are delegated to members of a Compliance Team.
The following sections outline the duties of each role and provide a consolidated job description suitable for covered entities, business associates, and compliance leaders. It is recommended to implement HIPAA compliance software at smaller organizations where responsibility for HIPAA normally falls to an administrator or practice manager. HIPAA compliance software can reduce compliance workloads by automating administrative tasks and risk management processes.
The Duties of a HIPAA Privacy Officer
The HIPAA Privacy Officer's responsibilities include overseeing compliance with the HIPAA Privacy Rule, ensuring that protected health information (PHI) is used and disclosed only as the Privacy Rule permits, and ensuring that the organization fulfills its obligations regarding individuals' rights under HIPAA.
1. Developing and maintaining privacy policies and procedures
The HIPAA Privacy Officer is responsible for creating, updating, and implementing HIPAA privacy policies. When regulatory changes or internal workflow adjustments require amendments to policies, the Privacy Officer conducts risk assessments, revises policies, and ensures the organization adopts the updated requirements.
2. Overseeing privacy training and workforce readiness
The HIPAA Privacy Officer ensures that all workforce members receive HIPAA training on privacy policies and procedures. This includes onboarding, periodic refreshers, and targeted training for departments with elevated privacy risks. The HIPAA Privacy Officer may also be involved in sanctioning workforce members for HIPAA violations.
3. Managing patients’ rights and external inquiries
While it is not necessary for the HIPAA Privacy Officer to personally respond to patient access requests and inquiries about the organization’s privacy program, they must develop and oversee processes for access, amendments, accounting of disclosures, restrictions, and confidential communications.
4. Investigating privacy incidents and coordinating breach response
Not all HIPAA violations result in privacy incidents or data breaches. One of the HIPAA Privacy Officer's responsibilities is determining which violations qualify as privacy incidents and, for any impermissible use or disclosure of unsecured PHI, conducting the risk assessment the Breach Notification Rule requires: such an event is presumed to be a breach unless the assessment demonstrates a low probability that the PHI has been compromised. When notification is required, the Privacy Officer coordinates the breach response, unless this duty has been delegated to the HIPAA Security Officer.
5. Managing Business Associate Agreements (BAAs)
Under HIPAA, responsibility for executing BAAs and for taking reasonable steps to ensure business associate compliance rests with the covered entity (or, for subcontractors, the business associate) as an organization, not with a named officer. In practice, the HIPAA Privacy Officer is commonly responsible for drafting and approving BAAs and for responding to reports of downstream violations and data breaches.
6. Responding to compliance assessments and regulatory updates
The HIPAA Privacy Officer coordinates responses to compliance assessments or investigations initiated by HHS’ Office for Civil Rights or State Attorneys General and monitors regulatory updates to ensure organizational policies remain aligned to federal privacy laws and any state regulations that overlay HIPAA.
7. Delegation and accountability
While tasks may be delegated, the HIPAA Privacy Officer remains accountable for organizational compliance with applicable requirements, standards, and implementation specifications of the HIPAA Administrative Simplification Regulations.
The Duties of a HIPAA Security Officer
The HIPAA Security Officer oversees compliance with the HIPAA Security Rule, focusing on the confidentiality, integrity, and availability of electronic protected health information (ePHI).
1. Conducting Security Risk Analyses
The HIPAA Security Officer leads the organization's risk analyses, identifying threats and vulnerabilities to ePHI and documenting the likelihood and impact of each risk. The HIPAA Security Officer must then implement a risk management process that reduces those risks to a reasonable and appropriate level, and repeat the analysis whenever the environment changes materially (for example, after a new system, vendor, or business process is introduced).
2. Implementing administrative, physical, and technical safeguards
The HIPAA Security Officer establishes policies that define the measures implemented to protect ePHI and the requirements for using the measures effectively. This includes access controls, audit logging, device and media controls, facility security, and data backup. The safeguards must be evaluated regularly and revised as necessary.
3. Security awareness training and workforce HIPAA training
All members of the workforce, including management, must participate in a security awareness and HIPAA training program to identify and prevent unauthorized uses or disclosures of ePHI. The provisioning of the security awareness and training program is a HIPAA Security Officer responsibility.
4. Monitoring compliance and enforcing security policies
The HIPAA Security Officer monitors workforce compliance with the security policies and applies the organization's sanction policy to violations, including inadvertent ones, to reinforce the importance of safeguarding ePHI. Sanctions must be applied consistently and fairly, while taking into account the pressures of working in a healthcare environment.
5. Emergency preparedness and contingency planning
Testing, evaluating, and revising emergency preparedness and contingency plans (including data backup, disaster recovery, and emergency mode operation plans) is a defined responsibility of the HIPAA Security Officer because, in the event of a cyberattack or other emergency, healthcare providers must still be able to access ePHI and information systems to continue delivering care.
6. Incident response and breach coordination
Depending on the organizational structure, the HIPAA Security Officer may investigate security incidents and coordinate with the HIPAA Privacy Officer to establish which security incidents qualify as notifiable data breaches and which require additional safeguards and/or workforce training to prevent a recurrence of the events.
7. Vendor and technology oversight
Again, depending on the organizational structure, the HIPAA Security Officer may participate in evaluating business associates, reviewing BAAs, and responding to compliance assessments. They may also participate in risk assessments of vendors to monitor whether a vendor remains suitable as a business associate.
Job Description: HIPAA Compliance Officer
A HIPAA Compliance Officer, whether a standalone role or a senior leader overseeing privacy and security teams, typically has the following responsibilities:
- Oversee the organization’s HIPAA compliance program across Privacy, Security, and Breach Notification Rules
- Lead organization‑wide risk assessments and compliance reviews
- Develop and maintain HIPAA training programs
- Monitor regulatory changes and update policies accordingly
- Oversee security incident and breach response activities
- Coordinate internal and external compliance audits
- Ensure Business Associate Agreements are executed and maintained
- Oversee compliance with HIPAA Part 162 transaction requirements
- Support workforce adherence to HIPAA compliance requirements
Communication and Coordination Among HIPAA Compliance Leaders
Effective HIPAA compliance requires structured communication between the Privacy Officer, Security Officer, and broader organizational leadership. These roles must collaborate to ensure that privacy and security policies are aligned, that risk assessments inform operational decisions, and that compliance activities are coordinated across departments.
Compliance leaders should maintain open communication channels with operational managers, IT teams, legal counsel, and executive leadership. This ensures that privacy and security considerations are integrated into organizational planning, technology adoption, vendor management, and incident response. Transparent communication also supports early identification of compliance risks, enabling timely mitigation and reducing the likelihood of regulatory exposure.
Rather than being viewed solely as enforcement roles, Privacy and Security Officers should be recognized as strategic partners who help the organization implement compliant, efficient, and secure workflows. Their involvement in decision‑making processes strengthens the organization’s overall compliance posture and reduces operational risk.
HIPAA Compliance Officer FAQ
What qualifications are required to become a Compliance Officer?
No specific qualifications are mandated by HIPAA to become a Compliance Officer, although many employers will expect prospective candidates to be educated to master's degree level.
The Accredited HIPAA Training from The HIPAA Journal qualifies for 5.0 continuing education units (CEUs) from the Compliance Certification Board of The Health Care Compliance Association, which is widely recognized as a leader in certification of healthcare compliance professionals.
Does a covered entity have to appoint a HIPAA Compliance Officer for each state it operates in?
A covered entity does not have to appoint a HIPAA Compliance Officer for each state it operates in, but Compliance Officers representing multi-state organizations will need a thorough knowledge of each state's privacy, security, and breach notification laws. HIPAA does not preempt state laws that are more stringent than HIPAA, so in those states the state requirements must be met in addition to the federal ones.
Does a covered entity have to appoint a HIPAA Compliance Officer for each subsidiary?
A covered entity does not have to appoint a HIPAA Compliance Officer for each subsidiary provided all compliance requirements are met for each subsidiary – i.e., policies are developed for each subsidiary, training is provided for each subsidiary, internal monitoring and auditing is conducted for each subsidiary, etc.
Can a legal team assume the responsibilities of a HIPAA Compliance Officer?
A legal team can assume the responsibilities of a HIPAA Compliance Officer but an individual within the team has to be given the title of HIPAA Privacy Officer and HIPAA Security Officer for accountability purposes and to ensure there is a single point of contact for the public, employees, and the Department of Health and Human Services. If personnel within the team change, it may be necessary to reassign the roles.
What if a HIPAA Compliance Officer fails in their duties?
If a HIPAA Compliance Officer fails in their duties, the consequences depend on the nature of the failure. For example, if the Compliance Officer fails to provide adequate HIPAA training, and a breach of unsecured PHI occurs as a result, the healthcare organization may be sanctioned by HHS' Office for Civil Rights or by State Attorneys General.
Whether the HIPAA Compliance Officer is a designated employee or an outsourced consultant, HIPAA compliance is ultimately the responsibility of senior management. Consequently, senior managers should be in regular communication with the designated individual in order to be fully informed of the efforts being made to maintain compliance with HIPAA.
Who is required to appoint a HIPAA Compliance Officer?
HIPAA Compliance Officers must be appointed by HIPAA covered entities and by business associates of covered entities. Covered entities are required to designate both a HIPAA Privacy Officer (Privacy Rule) and a HIPAA Security Officer (Security Rule); business associates are required to designate a Security Officer because the Security Rule applies to them directly. Smaller organizations can assign both roles to the same employee or to an outsourced compliance consultant.
What factors influence the workload of a HIPAA Compliance Officer?
The factors that influence the workload of a HIPAA Compliance Officer include the size of the organization, the volume of PHI it creates, receives, maintains, and transmits, and the organization's current compliance status. If the organization has an existing compliance framework that works well, the Compliance Officer's workload is lighter. If a culture of non-compliance exists in the organization, the Compliance Officer's workload will be considerably heavier.
How do the duties of a HIPAA Security Officer differ from those of a HIPAA Privacy Officer?
The duties of a HIPAA Security Officer differ from those of a HIPAA Privacy Officer inasmuch as a HIPAA Security Officer focuses on compliance with the Administrative, Physical, and Technical Safeguards of the HIPAA Security Rule, while a HIPAA Privacy Officer is more focused on the privacy of individually identifiable health information in any format and ensuring that patients’ HIPAA rights are upheld.
What is the role of the HIPAA Compliance Officer in terms of training?
The role of a HIPAA Compliance Officer in terms of training depends on whether the individual is a HIPAA Privacy Officer, a HIPAA Security Officer, or both. A HIPAA Privacy Officer is generally responsible for training members of the workforce on HIPAA policies and procedures, while a HIPAA Security Officer is responsible for the provision of a security and awareness training program.
How is the role of a HIPAA Compliance Officer typically structured in smaller organizations?
The role of a HIPAA Compliance Officer in smaller organizations is typically structured so that the same individual is assigned the roles of both HIPAA Privacy Officer and HIPAA Security Officer. It is sometimes the case in smaller organizations that the role is temporarily outsourced until the organization is operating compliantly, when an employee takes over the role on a permanent basis.