The Duties of a HIPAA Compliance Officer

Under the Healthcare Insurance Portability and Accountability Act (HIPAA), covered entities and business associates must assign a person (or persons) to carry out the duties of a HIPAA Compliance Officer – usually a HIPAA Privacy Officer with responsibilities for privacy and security, or in larger organizations, separate Privacy and Security Officers. An existing employee may take on the position to satisfy this HIPAA requirement. It is not necessary to hire a new employee to take on the role.

But, what does a HIPAA Compliance Officer do and what does the job entail? The volume of work a HIPAA Compliance Officer does is based on size of the covered entity or business associate, and the quantity of protected health information (PHI) it generates, utilizes, and retains. If the organization is very large, the duties of a HIPAA compliance officer may be more than a full time job for one person, so it maybe necessary to split the role between two or more employees: A Privacy Officer and a Security Officer.

The Duties of a HIPAA Privacy Officer

A HIPAA Privacy Officer is in charge of creating a HIPAA-compliant privacy program if the organization doesn’t have one yet. If there’s a privacy program already, the HPO is responsible for making sure that privacy policies are enforced to safeguard the privacy of patients and the integrity of PHI. It is the HPO’s job to deliver or supervise employee privacy training, perform risk analyses and create HIPAA-compliant processes where required.

A HIPAA Privacy Officer should keep an eye on the organization’s compliance with the privacy program, investigate security incidents to see if a breach of PHI occurred, submit breach reports as required, and protect the patients´ rights as per state and federal regulations. In order to be able to carry out the responsibilities of a HIPAA Privacy Officer, the assigned individual must be familiar with state and federal regulations.

The Duties of a HIPAA Security Officer

A HIPAA Security Officer’s duties are similar to those of a Privacy Officer, inasmuch as having a responsibility to develop security polices, implement procedures and training, conduct risk assessments and monitor compliance. But the main focus of a Security Officer is compliance with the HIPAA Security Rule and ensuring administrative, technical, and physical safeguards are implemented to ensure the confidentiality, integrity, and availability of ePHI.

To that end, the role of a HIPAA Security Officer could include the following:


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

  • The creation of a disaster recovery plan
  • The implementation of systems that stop unauthorized PHI access
  • Ensuring processes of transmitting and storing electronic PHI (ePHI) meet HIPAA Security Rule requirements

Because of the overlap between the duties of the HIPAA Privacy Officer and HIPAA Security Officer, the two roles are usually performed by just one person in smaller companies.

What are the 7 Steps to Becoming HIPAA Compliant?

1. Create and implement policies and procedures.
2. Appoint a HIPAA Compliance Officer.
3. Provide employees with HIPAA compliance and security awareness training.
4. Set up efficient channels of communication.
5. Carry out monitoring of systems and ePHI access and conducting internal audits.
6. Take action on breaches and carry out corrective action plans.
7. Evaluate policies and procedures and revise as needed.

Job Description of a HIPAA Compliance Officer

The individual selected to perform the role of a HIPAA Compliance Officer should have a comprehensive understanding of the HIPAA Privacy, Security and Breach Notification Rules and the options available to help develop a HIPAA compliance program.

After developing a HIPAA compliance program, the Compliance Officer needs to document how well the implementation is progressing. To do this, there must be a system of monitoring the status of HIPAA compliance.

The system should give the HIPAA Compliance Officer the ability to prioritize and communicate the initiatives that would help achieve compliance. It must also serve as a channel where compliance issues can be brought up and organizational adjustments coordinated.

The HIPAA Compliance Officer is in charge of developing and implementing training programs. The training will help employees to fully understand HIPAA compliance and how changing any part of the system will affect their particular responsibilities.

The HIPAA Compliance Officer is in charge of keeping track of HHS and the state’s regulatory requirements. If new regulations or guidelines are issued, the Officer needs to modify the organization’s HIPAA compliance processes to comply with the changes.

There’s no exact of definition available in the HIPAA regulations regarding the duties of a HIPAA Compliance Officer. Therefore, each covered entity or business associate must build their own definitions based on HIPAA compliance requirements. To effectively create the duties of a HIPAA Compliance Officer, the specific requirements must be clearly understood.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: