The Administrative Safeguards of the HIPAA Security Rule (45 CFR 164.308) require all Covered Entities to appoint a HIPAA Security Officer who is placed in charge of the creation and execution of policies and procedures that ensure the security of electronic Protected Health Information (ePHI). A HIPAA Security Officer’s role is frequently assigned to an IT Manager because of the notion that the security of ePHI is an IT concern, even though only part of the responsibilities of the Security Officer are related to IT.
The Technical Safeguards of the HIPAA Security Rule refer to limiting access to systems where ePHI is kept and cover the security of electronically transmitted PHI, but only around 30% of a HIPAA Security Officer's duties are related to IT. The rest of his or her duties are related to training, auditing, managing security incidents and overseeing the compliance of Business Associates. A HIPAA Security Officer is additionally in charge of facility safety and Disaster Recovery Plan preparations.
The Duties of a HIPAA Security Officer
The HIPAA Security Rule specifies that the individual given the role of HIPAA Security Officer should implement policies and procedures to avoid, identify, contain, and resolve breaches of ePHI. Prior to creating the policies and procedures, the HIPAA Security Officer must perform a risk assessment that includes all elements of the Security Rule's physical, technical and administrative safeguards.
After identifying the risks to ePHI confidentiality, integrity, and availability, a HIPAA Security Officer needs to enforce procedures that reduce threats and vulnerabilities to a reasonable level in order to conform to 45 CFR 164.306(a). Employees must receive training on any new work practices that are introduced and must be made aware of the sanctions for not complying with the new policies and procedures. In order to determine when sanctions are appropriate, a way of reviewing system activity related to ePHI must be implemented.
Job Description of a HIPAA Security Officer
The job description of a HIPAA Security Officer should describe the Officer's duties regarding the establishment and maintenance of HIPAA-compliant mechanisms for guaranteeing the integrity, confidentiality and availability of the Covered Entity's medical data systems. These responsibilities will differ based on the size and nature of the organization, yet must consist of the following elements:
- Setting up, managing and implementing the Security Rule safety measures and any HIPAA Rule changes.
- Incorporating IT security and HIPAA compliance with the business strategies and requirements of the organization.
- Addressing concerns associated with access controls, business continuity, incident response and disaster recovery.
- Company security awareness, which includes employee training in conjunction with the HIPAA Privacy Officer.
- Performing risk analyses and audits – particularly on Business Associates.
- Looking into data breaches and enforcing actions to prevent future occurrences.
Searching for the Perfect Candidate for HIPAA Security Officer
Since the duties of a HIPAA Security Officer are quite diverse, it isn't always best to assign the position to an IT Manager. In a lot of cases, the best candidate for the position is an individual with authority, strong organizational expertise and a comprehensive knowledge of HIPAA. Unquestionably, a lot of policies and procedures will have an effect on the function of the IT department, thus it is necessary for a HIPAA Security Officer to be able to understand the computer systems of the Covered Entity.
It is crucial that a HIPAA Security Officer liaises with the Privacy Officer of the Covered Entity or, in large companies, the HIPAA Compliance Team. There are a lot of overlapping aspects of the Security and Privacy Rules, and resources may be combined in order to complete risk assessments, conduct employee training, and ensure HIPAA compliance. A Covered Entity's Security and Privacy Officers can partner to better supervise Business Associate compliance.
The Requirement of a HIPAA Privacy Officer
Besides appointing a HIPAA Security Officer, covered entities also need to appoint a HIPAA Privacy Officer. It is a mandate of HIPAA to have both, but they can be the same person. Larger healthcare organizations may have to appoint two individuals due to the higher workload.
A HIPAA Privacy Officer’s role is identical in some aspects to a Security Officer since it requires performing risk assessments, employee training and dealing with Business Associate Agreements. A Privacy Officer will also be in charge of setting up, managing and implementing HIPAA-compliant policies and procedures to secure PHI in all formats, not just digital copies of data.
Outsourcing HIPAA Security and Use of Compliance Software
In a lot of organizations, an IT Manager or another employee cannot be assigned the job of HIPAA Security Officer due to an already heavy workload. In such cases, outsourcing the job to third-party compliance experts is an option. This can be on a temporary basis until risk assessments are done and policies are enforced or it can be on a permanent basis.
An alternative option is to make use of compliance software. Compliance software can be customized to match each Covered Entity's requirements and can help with risk assessments, policy creation and staff training. This is a good solution for Covered Entities with inadequate resources to employ more staff or pay for third-party compliance professionals. It can be a cost-effective way to meet the Administrative Safeguards of the HIPAA Security Rule.
Be Wary of HIPAA Security Officer Certification
Recently, the number of consultancy firms offering courses that grant HIPAA Security Officer Certification has increased. However, the HHS' Office for Civil Rights (OCR) doesn't recommend any HIPAA Security Officer Certification. There is no standardized course that could properly train employees of different entities.
The OCR provides guidance for HIPAA Security Officers on its official website. All Covered Entities have the opportunity to register for its Privacy and Security Listserv Services. These services consist of notices associated with health data privacy, guidance on issues related to security, and new materials offering technical assistance on HIPAA compliance. These services are free and allow HIPAA Security Officers to stay informed about the newest HIPAA developments.