HIPAA Security Officer
All Covered Entities and Business Associates are required by 45 CFR 164.308 – the Administrative Safeguards of the HIPAA Security Rule – to identify a HIPAA Security Officer who is responsible for the development and implementation of policies and procedures to ensure the integrity of electronic Protected Health Information (ePHI). The role of HIPAA Security Officer is often designated to an IT Manager due to the perception that the integrity of ePHI is an IT issue. However, this is not necessarily the case.
Although the Technical Safeguards of the HIPAA Security Rule relate to restricting access to systems on which ePHI is maintained and transmission security, only about 30% of a HIPAA Security Offer´s responsibilities are IT-related. The remainder of his or her responsibilities relate to training, auditing, incident management and overseeing Business Associate compliance. A HIPAA Security Officer is also responsible for facility security and the preparation of a Disaster Recovery Plan.
The Responsibilities of a HIPAA Security Officer
The HIPAA Security Rule stipulates the person designated the role of HIPAA Security Officer must implement policies and procedures to prevent, detect, contain, and correct breaches of ePHI. Before developing the policies and procedures, the HIPAA Security Officer has to conduct and chronicle risk assessments to cover every element of the Security Rule´s Technical, Physical and Administrative Safeguards – details of which can be found in our HIPAA Compliance Guide.
Once the risks to the integrity of ePHI have been identified, a HIPAA Security Officer must implement measures “to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 CFR 164.306(a)”. Employees have to be trained on any new work practices that are introduced and be informed of the sanctions for failing to comply with the new policies and procedures. In order to enforce the sanctions policy, a system of reviewing information system activity also has to be implemented.
HIPAA Security Officer Job Description
A HIPAA Security Office job description needs to outline the Officer´s responsibilities with regard to establishing and maintaining HIPAA-compliant mechanisms for ensuring the confidentiality, integrity and accessibility of the Covered Entity´s healthcare information systems. These responsibilities will vary according to the nature and size of the organization, but should include:
- Responsibilities for establishing, managing and enforcing the Security Rule safeguards and any subsequent rules issued by OCR.
- Responsibilities for integrating IT security and HIPAA compliance with the organization´s business strategies and requirements.
- Responsibilities for addressing issues related to access controls, business continuity, disaster recovery, and incident response.
- Responsibilities for organizational security awareness, including staff training in collaboration with the HIPAA Privacy Officer.
- Responsibilities for conducting risk assessments and audits – especially with regard to Business Associates and other third parties.
- Responsibilities for investigating data breaches and implementing measures for their future prevention and/or containment.
Finding an Ideal Candidate for the Role
Because the responsibilities of a HIPAA Security Manager are so varied, it is not always ideal to designate the role to an IT Manager. In many cases, the ideal candidate for the role is a person in a position of authority with strong organizational skills and a thorough understanding of HIPAA. Undoubtedly many policies and procedures will affect the operation of the IT department, so it is important a HIPAA Security Officer has an understanding of the Covered Entity´s computer systems.
However, it is more important a HIPAA Security Officer liaises with the Covered Entity´s Privacy Officer – or, in larger organizations, the HIPAA Compliance Team. There are many areas of the Security and Privacy Rules that overlap, and resources can be pooled to conduct risk assessments, manage employee training and accelerate HIPAA compliance. A partnership between a Covered Entity´s Security and Privacy Officers can also better oversee Business Associate compliance.
The HIPAA Privacy Officer Requirement
HIPAA Privacy Officers have been mentioned periodically throughout this article as it is required that, in addition to a HIPAA Security Officer, Covered Entities appoint a HIPAA Privacy Officer. The HIPAA Privacy Officer requirement is mandated by HIPAA and, depending on the nature and size of the organization, it is possible for the two roles to be combined into one.
The role of a HIPAA Privacy Officer is similar in some respects of that to a Security Officer as it involves conducting risk assessments, staff training and managing Business Associate Agreements. However, a Privacy Officer will also be responsible for establishing, managing and enforcing HIPAA-compliant policies and procedures to protect PHI in whatever format it is maintained.
Outsourcing HIPAA Security and Compliance Software
In many organizations, it is not possible to designate the role of HIPAA Security Officer to an IT Manager or other employee because of their existing workload. In this case, it is possible to outsource the role to third-party compliance experts, either on an interim basis until risk assessments are conducted and policies implemented, or on a permanent basis – although it will still be necessary for the Covered Entity to identify somebody responsible for security compliance if the interim solution is chosen.
An alternative option is to take advantage of compliance software. Compliance software can be tailored to suit each individual Covered Entity´s requirements and help fulfil the tasks of risk assessments, policy development and employee training. This is an ideal solution for Covered Entities lacking the resources to engage additional personnel or outsource compliance experts and is one of the most cost-effective ways to fulfil the Administrative Safeguards of the HIPAA Security Rule.
Beware HIPAA Security Officer Certification
In recent years there has been an increase in consultancy companies offering courses that result in HIPAA Security Officer Certification. Due to the flexibility and scalability of the HIPAA Rules, the HHS´ Office for Civil Rights (OCR) does not endorse any type of HIPAA Security Office Certification. The OCR says no single standardized program could appropriately train employees of entities of different types and sizes, and Covered Entities have been asked to report any program making misleading representations.
The OCR offers plenty of guidance for HIPAA Security Officers on its website, and provides the opportunity for all Covered Entities to sign up for its Privacy and Security Listserv Services. This service includes announcements relating to health information privacy, guidance for security-related issues and materials to provide technical assistance when needed. It is a free service that enables HIPAA Security Officers to stay informed with the latest HIPAA developments.