HIPAA Security Officer
All Covered Entities and Business Associates are required by 45 CFR 164.308 – the Administrative Safeguards of the HIPAA Security Rule – to identify a HIPAA Security Officer who is responsible for the development and implementation of policies and procedures to ensure the integrity of electronic Protected Health Information (ePHI). The role of HIPAA Security Officer is often designated to an IT Manager due to the perception that the integrity of ePHI is an IT issue. However, this is not necessarily the case.
Although the Technical Safeguards of the HIPAA Security Rule relate to restricting access to systems on which ePHI is maintained and transmission security, only about 30% of a HIPAA Security Offer´s responsibilities are IT-related. The remainder of his or her responsibilities relate to training, auditing, incident management and overseeing Business Associate compliance. A HIPAA Security Officer is also responsible for facility security and the preparation of a Disaster Recovery Plan.
The Responsibilities of a HIPAA Security Officer
The HIPAA Security Rule stipulates the person designated the role of HIPAA Security Officer must implement policies and procedures to prevent, detect, contain, and correct breaches of ePHI. Before developing the policies and procedures, the HIPAA Security Officer has to conduct and chronicle risk assessments to cover every element of the Security Rule´s Technical, Physical and Administrative Safeguards – details of which can be found in our HIPAA Compliance Guide.
Once the risks to the integrity of ePHI have been identified, a HIPAA Security Officer must implement measures “to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 CFR 164.306(a)”. Employees have to be trained on any new work practices that are introduced and be informed of the sanctions for failing to comply with the new policies and procedures. In order to enforce the sanctions policy, a system of reviewing information system activity also has to be implemented.
HIPAA Security Officer Job Description
A HIPAA Security Officer job description needs to outline the Officer´s responsibilities with regard to establishing and maintaining HIPAA-compliant mechanisms for ensuring the confidentiality, integrity and accessibility of healthcare information systems. These responsibilities will vary according to the nature and size of the organization, but should include:
- Responsibilities for establishing, managing and enforcing the Security Rule safeguards and any subsequent rules issued by OCR.
- Responsibilities for integrating IT security and HIPAA compliance with the organization´s business strategies and requirements.
- Responsibilities for addressing issues related to access controls, business continuity, disaster recovery, and incident response.
- Responsibilities for organizational security awareness, including staff training in collaboration with the HIPAA Privacy Officer.
- Responsibilities for conducting risk assessments and audits – especially with regard to Business Associates and other third parties.
- Responsibilities for investigating data breaches and implementing measures for their future prevention and/or containment.
Finding an Ideal Candidate for the Role
Because the responsibilities of a HIPAA Security Manager are so varied, it is not always ideal to designate the role to an IT Manager. In many cases, the ideal candidate for the role is a person in a position of authority with strong organizational skills and a thorough understanding of HIPAA. Undoubtedly many policies and procedures will affect the operation of the IT department, so it is important a HIPAA Security Officer has an understanding of the organization´s computer systems.
However, it is more important a HIPAA Security Officer liaises with the designated Privacy Officer – or, in larger organizations, the HIPAA Compliance Team. There are many areas of the Security and Privacy Rules that overlap, and resources can be pooled to conduct risk assessments, manage employee training, and accelerate HIPAA compliance. A partnership between Security and Privacy Officers can also better oversee Business Associate compliance.
The HIPAA Privacy Officer Requirement
HIPAA Privacy Officers have been mentioned periodically throughout this article as it is required that, in addition to a HIPAA Security Officer, Covered Entities appoint a HIPAA Privacy Officer. The HIPAA Privacy Officer requirement is mandated by HIPAA and, depending on the nature and size of the organization, it is possible for the two roles to be combined into one.
The role of a HIPAA Privacy Officer is similar in some respects of that to a Security Officer as it involves conducting risk assessments, staff training, and managing Business Associate Agreements. However, a Privacy Officer will also be responsible for establishing, managing, and enforcing HIPAA-compliant policies and procedures to protect PHI in whatever format it is maintained.
Outsourcing HIPAA Security and Compliance Software
In many organizations, it is not possible to designate the role of HIPAA Security Officer to an IT Manager or other employee because of their existing workload. In this case, it is possible to outsource the role to third-party compliance experts, either on an interim basis until risk assessments are conducted and policies implemented, or on a permanent basis – although it will still be necessary for the Covered Entity to identify somebody responsible for security compliance if the interim solution is chosen.
An alternative option is to take advantage of compliance software. Compliance software can be tailored to suit each individual organization´s requirements and help fulfil the tasks of risk assessments, policy development, and employee training. This is an ideal solution for Covered Entities and Business Associates lacking the resources to engage additional personnel or outsource compliance experts and is one of the most cost-effective ways to fulfil the Administrative Safeguards of the HIPAA Security Rule.
Beware HIPAA Security Officer Certification
In recent years there has been an increase in consultancy companies offering courses that result in HIPAA Security Officer Certification. Due to the flexibility and scalability of the HIPAA Rules, the HHS´ Office for Civil Rights (OCR) does not endorse any type of HIPAA Security Office Certification. The OCR says no single standardized program could appropriately train employees of entities of different types and sizes, and Covered Entities have been asked to report any program making misleading representations.
The OCR offers plenty of guidance for HIPAA Security Officers on its website, and provides the opportunity for all Covered Entities and Business Associates to sign up for its Privacy and Security Listserv Services. This service includes announcements relating to health information privacy, guidance for security-related issues, and materials to provide technical assistance when needed. It is a free service that enables HIPAA Security Officers to stay informed with the latest HIPAA developments.
HIPAA Security Officer FAQs
What training is a HIPAA Security Officer responsible for?
The HIPAA Security Officer is responsible for implementing the security and awareness training program required by 45 CFR § 164.308. The content of the program should be guided by a risk analysis and should involve every member of the workforce. Also, if there is a material change to policies and procedures in respect of PHI that impacts the protocols required to safeguard electronic PHI the Security Officer should also be involved in the provision of Privacy Rule training.
If an organization does not have a Privacy Officer, is HIPAA compliance solely the responsibility of the Security Officer?
Covered Entities are required by 45 CFR § 164.530 to designate the role of a privacy Officer, but this provision of the Privacy Rule does not apply to Business Associates. Therefore, although it is recommended Business Associates designate the role of Privacy Officer to a senior employee, there are circumstances in which organizations do not have a Privacy Officer. In these circumstances, HIPAA compliance is the sole responsibility of the Security Officer.
If an organization takes advantage of compliance software, is it still necessary to designate the role of Security Officer?
Yes. Although compliance software can help with the development of policies and procedures, the Administrative Safeguards of the Security Rule require Covered Entities and Business Associates to “identify the security official who is responsible for the development and implementation of the policies and procedures”. Furthermore, in addition to implementing policies and procedures, the Security Officer will be responsible for monitoring compliance with the policies and procedures.
Can the roles of Privacy Officer and Security Officer be assigned to the same person?
Some smaller organizations have no option other than to assign the two roles to the same person due to a lack of resources – and there is nothing in HIPAA to prevent this. However, because of the complexity of HIPAA, it may be worthwhile to outsource certain areas of compliance activity or take advantage of compliance software to prevent oversights that may result in unintentional violations of HIPAA and avoidable data breaches.
What happens if an organization fails to appoint a HIPAA Security Officer?
The failure to appoint a HIPAA Security Officer is a violation of HIPAA for which a Covered Entity or Business Associate can be penalized by HHS´ Office for Civil Rights. Possibly more importantly, the failure to appoint a HIPAA Security Officer could result in Security Rule standards not being applied, which will increase the likelihood of avoidable data breaches, reputational damage, and further penalties being imposed by HHS´ Office for Civil Rights.