The Healthcare Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to have a HIPAA compliance officer. This position may be filled in by an existing employee or a new employee can be recruited to take on the role. It is also permitted for the position to be outsourced temporarily or permanently. This may be the best option for some healthcare organizations who do not have staff members who can take on the extra responsibility and in areas where recruitment of sufficiently skilled staff is a problem.
What do HIPAA Compliance Officers do?
The volume of work of a HIPAA compliance officer depends on two things: The size of the covered entity or business associate and the number of patients/amount of protected health information (PHI) that is created, used and maintained. The duties of a HIPAA compliance officer in large healthcare organizations are often divided between two individuals – A HIPAA security officer and a HIPAA privacy officer.
The responsibilities of a HIPAA privacy officer include:
- Developing and maintaining a HIPAA-compliant privacy program
- Ensuring the enforcement of privacy policies
- Overseeing the HIPAA training of employees
- Conducting a risk analysis and creating HIPAA-compliant procedures where needed
- Monitoring compliance with the privacy program
- Investigating and reporting incidences of data breaches
- Ensuring the protection of patients’ rights in accordance with federal and state laws
- Keeping up-to-date with pertinent state and federal laws
The responsibilities of a HIPAA Security Officer are similar to those of a Privacy Officer. That individual is also responsible for developing security policies, implementing procedures, conducting training, and performing risk analyses and monitoring compliance. Where the role of a HIPAA security officer differs from a HIPAA privacy officer is the security officer’s focus is more about compliance with the administrative, physical and technical safeguards of the HIPAA Security Rule and general Security Rule compliance.
Specific duties of HIPAA security officer can include developing a disaster recovery plan, implementing mechanisms for preventing unauthorized PHI access and mechanisms for secure electronic PHI transmission and storage. In small healthcare organizations, the HIPAA compliance officer can take on both roles.
HIPAA regulations do not give an exact definition of the duties and responsibilities of a HIPAA compliance officer. It is up to the covered entity or business associate to determine what duties are required according to the organization’s specific requirements.
In order to be effective, it is essential for HIPAA compliance officers, security officers, and privacy officers to have a thorough working knowledge of HIPAA regulations and the HITECH Act, and to be families with state laws concerning the privacy and security of personal and health information.