The Healthcare Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to have a HIPAA Compliance Officer. This position may be filled in by an existing employee or a new one. The position may also be outsourced temporarily or permanently.
What do HIPAA Compliance Officers do? The volume of work of a HIPAA compliance officer depends on two things: the size of the covered entity of business associate and the number of Protected Health Information (PHI) that is created, used and maintained. The duties of a HIPAA Compliance officer in big organizations are often divided between a Security Officer and a Privacy Officer.
The responsibilities of a HIPAA Privacy Officer include:
- Developing a HIPAA-compliant privacy program if one is not yet available
- Ensuring the enforcement of privacy policies to protect PHI integrity
- Overseeing the privacy training of employees
- Conducting risk analysis and creating HIPAA-compliant procedures where needed
- Monitoring compliance with the privacy program
- Investigating and reporting incidents of data breach
- Ensuring the protection of patients’ rights in accordance with federal and state laws
- Keeping up-to-date with pertinent state and federal laws
The responsibilities of a HIPAA Security Officer are similar to those of a Privacy Officer. He is also responsible for developing security policies, implementing procedures, conducting training and risk analysis and monitoring compliance. But a Security Officer’s focus is compliance with the Administrative, Physical and Technical Safeguards of the HIPAA Security Rule. Specific duties of HIPAA Security Officer can include developing a Disaster Recovery Plan, mechanisms for preventing unauthorized PHI access and mechanisms for secure electronic PHI transmission and storage. In small healthcare organizations, the HIPAA Privacy Officer and HIPAA Security Officer is just one person considering the similarity of their duties.
The fact is the HIPAA regulations do not give an exact definition of the duties and responsibilities of a HIPAA Compliance Officer. It is up to the covered entity or business associate to determine the duties of it HIPAA Compliance Officer according to the organization’s specific requirements. To know the specific requirements, a good understanding of the HIPAA, HITECT Act and Final Omnibus Rule and their requirements on covered entities and business associates is necessary.