The HIPAA Security Officer’s Responsibilities

Under Federal Regulations, specifically 45 CFR 164.308 – the HIPAA Security Rule’s Administrative Safeguards – HIPAA covered entities must appoint a HIPAA Security Officer. The Security Officer must develop and introduce internal policies and processes to safeguard the integrity of electronic protected health information (ePHI). IT managers are commonly put in this role as ePHI is widely seen as an IT concern. This is not strictly true.

While the HIPAA Security Rule includes aspects of access control and safeguards around sharing ePHI, estimates say that roughly two thirds of a Security Officer’s duties are unrelated to IT. Most of the obligations revolve around training, auditing, managing incidents, and ensuring business associates are compliant. Other aspects include preparing disaster plans and overseeing the security of the facility.

The HIPAA Security Officer’s Responsibilities

As noted above, under the HIPAA Security Rule the Security Officer is required to develop and introduce policies and processes to prevent, detect, contain, and correct breaches of ePHI. A vital first step before developing these procedures is to run risk assessments on the administrative, physical, and technical safeguards noted in the Security Rule.

On finishing the assessment and recording the results, it is the Security Officer’s role to introduce steps “to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 CFR 164.306(a)”. Training of staff on the new policies and penalties related to breaking those policies should take place. Audits and periodic system reviews must also be introduced to catch any violations.

Identifying the Ideal Security Officer

Given the various facets of the role, IT managers are not always best equipped to take it on. More suitable candidates would be highly organized individuals who have a deep understanding of HIPAA and a sufficiently high position in the organization to implement the needed changes. As IT will be affected by many of these changes, familiarity with the IT systems would also be desirable.

Of paramount importance is that the Security Officer works in harmony with the covered entity’s Privacy Officer or Privacy Team. As there is a fair degree of crossover between these roles, it may be worth joining forces to carry out training, risk assessments, and other activities. SOs and Privacy Officers performing in tandem are better positioned to effectively monitor their business associates as well.

Outsourcing HIPAA Security and Compliance Software

Some organizations may not have anyone with sufficient free time to take on the Security Officer role. The responsibilities of the Security Officer can be outsourced to an external party, either in the short or the long term. For example, an outside expert could be hired just to conduct the risk assessments and write the policies. Once this is done, an internal person can be nominated to implement and oversee compliance, or the external party can continue in the role.

Another solution may be the use of compliance software, which can be customized for each covered entity and can facilitate training, risk assessments, and policy development. For covered entities that are low on the resources needed to take on extra staff or outside help, compliance software may be an efficient way to meet their administrative requirements under the Security Rule.

Be Cautious of Security Officer Certification

Some consultancy companies have begun to offer Security Officer certification courses. These are neither recognized nor endorsed by the Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR has stated that no single standardized program could appropriately train employees of entities of different types and sizes. Covered entities are advised to report misleading claims in this regard.

The OCR’s website includes guidance for Security Officers. It also asks covered entities to sign up for Privacy and Security Listserv Services, which is a free service that gives updates on privacy and security issues, as well as HIPAA developments.