Under the Health Insurance Portability and Accountability Act (HIPAA), all HIPAA-covered entities and business associates must appoint a person (or persons) to the role of HIPAA Compliance Officer. A current employee can be appointed or a new role can be created. The Compliance Officer position can even be filled by outsourcing the duties temporarily or permanently.
What is the role of a HIPAA Compliance Officer? What is the workload involved? The answers to these questions depend on the scale of the business associate or covered entity involved, as well as the amount of protected health information (PHI) created, dealt with, or maintained. Larger organizations commonly split the Compliance Officer’s duties between a Security Officer and a Privacy Officer.
The Duties of a HIPAA Privacy Officer
If the organization does not currently have a HIPAA-compliant privacy program, it is up to the HIPAA Privacy Officer to create and introduce one. If the organization does have such a program, then it is the duty of the Privacy Officer to make sure appropriate privacy policies safeguarding PHI are being followed. The Privacy Officer will lead or validate privacy training for staff, carry out risk assessments, and create HIPAA-compliant processes if required.
HIPAA Privacy Officers must ensure that the privacy program is being adhered to and investigate any PHI data breaches which may take place. They also notify necessary bodies should breaches occur and protect patients’ state and federal rights. To effectively carry out the role, a HIPAA Privacy Officer must closely follow developments in federal and local laws related to patient privacy.
The Duties of a Security Officer
HIPAA Security Officers have similar responsibilities to Privacy Officers. Where Privacy Officers develop privacy programs and ensure related tasks are completed, the Security Officer must create and implement the policies, procedures, training and assessments related to security. They must also make sure that these processes are being followed. A key difference is that Security Officers focus on compliance with the Security Rule’s Administrative, Technical, and Physical Safeguards.
As such, a HIPAA Security Officer’s role may touch on aspects from Disaster Recovery Plans, to PHI access controls, to methods for sharing or saving electronic PHI (ePHI). As the roles of each of these Officers are similar, smaller entities may have one person taking on the duties of both positions.
More Information on a HIPAA Compliance Officer’s Duties
The exact roles and responsibilities of a HIPAA Compliance Officer are not specified in HIPAA regulations. Individual organizations are therefore free to tailor the position to their specific needs. For a HIPAA Compliance Officer to act effectively, those specific needs must be identified and understood.
To facilitate this, a HIPAA Compliance Guide has been created. It includes sections for Covered Entities and Business Associates on crucial HIPAA and HITECH topics, as well as on the Final Omnibus Rule. While all possible scenarios cannot be detailed in a single guide, there are links to further resources and information that should answer almost any question related to HIPAA compliance and Compliance Officers’ duties.