The Administrative Safeguards of the HIPAA Security Rule (45 CFR 164.308) require all Covered Entities to appoint a HIPAA Security Officer who is placed in charge of the creation and execution of policies and procedures that ensure the security of electronic Protected Health Information (ePHI). A HIPAA Security Officer’s role is frequently assigned to an IT Manager because of the notion that the security of ePHI is an IT concern, even though only part of the responsibilities of the Security Officer are related to IT.
The Technical Safeguards of the HIPAA Security Rule refer to limiting access to systems where ePHI is kept and cover the security of electronically transmitted PHI, but only around 30% of a HIPAA Security Officer's duties are related to IT. The rest of his or her duties are related to training, auditing, managing security incidents and overseeing the compliance of Business Associates. A HIPAA Security Officer is additionally in charge of facility safety and Disaster Recovery Plan preparations.
The Duties of a HIPAA Security Officer
The HIPAA Security Rule specifies that the individual given the role of HIPAA Security Officer should implement policies and procedures to avoid, identify, contain, and resolve breaches of ePHI. Prior to creating the policies and procedures, the HIPAA Security Officer must perform a risk assessment that includes all elements of the Security Rule's physical, technical and administrative safeguards.
After identifying the risks to ePHI confidentiality, integrity, and availability, a HIPAA Security Officer needs to enforce procedures that reduce threats and vulnerabilities to a reasonable level in order to conform to 45 CFR 164.306(a). Employees must receive training on any new work practices that are introduced and must be made aware of the sanctions for not complying with the new policies and procedures. In order to determine when sanctions are appropriate, a way of reviewing system activity related to ePHI must be implemented.
Job Description of a HIPAA Security Officer
The job description of a HIPAA Security Officer should describe the Officer's duties regarding the establishment and maintenance of HIPAA-compliant mechanisms for guaranteeing the integrity, confidentiality and availability of the Covered Entity's medical data systems. These responsibilities will differ based on the size and nature of the organization, yet must consist of the following elements:
- Setting up, managing and implementing the Security Rule safety measures and any HIPAA Rule changes.
- Incorporating IT security and HIPAA compliance with the business strategies and requirements of the organization.
- Addressing concerns associated with access controls, business continuity, incident response and disaster recovery.
- Company security awareness, which includes employee training in conjunction with the HIPAA Privacy Officer.
- Performing risk analyses and audits – particularly on Business Associates.
- Looking into data breaches and enforcing actions to prevent future occurrences.
Searching for the Perfect Candidate for HIPAA Security Officer
Since the duties of a HIPAA Security Officer are quite diverse, it isn't always best to assign the position to an IT Manager. In a lot of cases, the best candidate for the position is an individual with authority, strong organizational expertise and a comprehensive knowledge of HIPAA. Unquestionably, a lot of policies and procedures will have an effect on the function of the IT department, thus it is necessary for a HIPAA Security Officer to be able to understand the computer systems of the Covered Entity.
It is crucial that a HIPAA Security Officer liaises with the Privacy Officer of the Covered Entity or, in large companies, the HIPAA Compliance Team. There are a lot of overlapping aspects of the Security and Privacy Rules, and resources may be combined in order to complete risk assessments, conduct employee training, and ensure HIPAA compliance. A Covered Entity's Security and Privacy Officers can partner to better supervise Business Associate compliance.
The Requirement of a HIPAA Privacy Officer
Besides appointing a HIPAA Security Officer, covered entities also need to appoint a HIPAA Privacy Officer. It is a mandate of HIPAA to have both, but they can be the same person. Larger healthcare organizations may have to appoint two individuals due to the higher workload.
A HIPAA Privacy Officer’s role is identical in some aspects to a Security Officer since it requires performing risk assessments, employee training and dealing with Business Associate Agreements. A Privacy Officer will also be in charge of setting up, managing and implementing HIPAA-compliant policies and procedures to secure PHI in all formats, not just digital copies of data.
Outsourcing HIPAA Security and Use of Compliance Software
In a lot of organizations, an IT Manager or another employee cannot be assigned the job of HIPAA Security Officer due to an already heavy workload. In such cases, outsourcing the job to third-party compliance experts is an option. This can be on a temporary basis until risk assessments are done and policies are enforced or it can be on a permanent basis.
An alternative option is to make use of compliance software. Compliance software can be customized to match each Covered Entity's requirements and can help with risk assessments, policy creation and staff training. This is a good solution for Covered Entities with inadequate resources to hire more employees or pay for third-party compliance professionals. It can be a cost-effective way to meet the Administrative Safeguards of the HIPAA Security Rule.
Be Wary of HIPAA Security Officer Certification
Recently, the number of consultancy firms offering courses that grant HIPAA Security Officer Certification has increased. However, the HHS' Office for Civil Rights (OCR) doesn't recommend any HIPAA Security Officer Certification. There is no standardized course that could properly train employees of different entities.
The OCR provides guidance for HIPAA Security Officers on its official website. All Covered Entities have the opportunity to register for its Privacy and Security Listserv Services. These services consist of notices associated with health data privacy, guidance on issues related to security, and new materials offering technical assistance on HIPAA compliance. These services are free and allow HIPAA Security Officers to stay informed about the newest HIPAA developments.
HIPAA Security Officers: FAQ
Do organizations need a separate HIPAA Security Officer and HIPAA Privacy Officer?
Organizations do not necessarily need to split the duties of a HIPAA Compliance Officer between a Security Officer and a Privacy Officer, so long as the Compliance Officer carries out the duties of both roles. However, given the varied nature of the two positions, and how important they are in ensuring HIPAA compliance, it may be worthwhile to split the HIPAA compliance duties. This may allow the individual in the role to have greater oversight over compliance with the HIPAA Security Rule. This is particularly true in larger organizations.
Do Business Associates need to have a Security Officer?
Yes, Business Associates must have a Security Officer. This individual will be responsible for ensuring HIPAA compliance within the Business Associate's organization and can assist in ensuring that all the conditions stipulated in the Business Associate Agreement are met.
What qualifications should a person have to become a HIPAA Security Officer?
There is no formal training required to become a HIPAA Security Officer, though many organizations will require an individual to have obtained at least a bachelor’s degree. Any individual who hopes to become a Security Officer should have extensive training in all HIPAA Rules, but most importantly the Security Rule. Ideally, they will also have some experience in developing and implementing training schemes, and be versed in the technical requirements needed to meet the minimum HIPAA security requirements.
Why can’t the in-house legal team oversee HIPAA compliance?
They can, but HIPAA states that someone in the organization must be given the title of "HIPAA Security Officer" and "HIPAA Privacy Officer". This person can then act as a point of communication for any customers or employees with questions about HIPAA, and the designation also allows for a degree of accountability.
What happens if a HIPAA Security Officer is negligent in their duties?
Though they oversee the implementation of the Security Rule and staff training, a company’s senior management is ultimately responsible for HIPAA compliance. Even so, if a Security Officer is particularly negligent (for example, failing to ever train employees), they may lose their position or even their job. This will be decided by the company.
What kind of training should a HIPAA Security Officer provide?
Before creating any training scheme, the HIPAA Security Officer should carry out a risk assessment that identifies the main risks threatening the security of PHI. They should also train employees on how to use any technologies (email, cloud storage services, etc.) in a HIPAA-compliant manner. The Security Officer should keep up-to-date with the latest advancements in data protection and any updates to HIPAA.