Under the Health Insurance Portability and Accountability Act, more widely known as HIPAA, organizations are required to appoint or designate someone to the position of HIPAA compliance officer, but what does a HIPAA compliance officer actually do?
Both HIPAA Covered Entities and their Business Associates are required to have a HIPAA compliance officer. They have a number of options as to how they appoint someone to this position: they can train and promote an existing employee, hire someone new specifically for the role, or outsource the compliance officer’s duties and responsibilities to an external specialist firm.
What are a Compliance Officer’s Responsibilities?
The duties and workload of the HIPAA compliance officer depend to a degree on the size of the organization and the amount of Protected Health Information (PHI) that they create, transmit, use, or maintain. In groups or entities where there is a substantial amount of PHI or activity that must be overseen, the responsibilities of a compliance officer may be split into two separate roles: a privacy officer and a security officer. Otherwise, the compliance officer is responsible for the duties of both, as described below.
The HIPAA Privacy Officer
If a privacy officer is appointed, it is their responsibility to develop and implement an appropriate program to uphold privacy standards in line with HIPAA requirements. If the privacy officer takes over or arrives in an entity where a privacy program has already been established, they must ensure that the necessary policies and procedures are being followed to keep PHI safe and secure. Practical aspects of the role could include managing employee training and workshops, analyzing risk and reviewing assessments, and introducing procedures to ensure HIPAA compliance.
The privacy officer should track and review different aspects of the privacy program to check that it is meeting its goals. They will also be involved with investigating breaches of PHI, as well as with the process of reporting breaches. One of their principal duties is to act in the interest of patients’ federal and state rights and make sure they are being respected. This means that the person in the role is required to closely monitor changes to laws at both a local and national level.
The HIPAA Security Officer
The role of the security officer mirrors that of the privacy officer in many ways. The security officer has the responsibility of developing and implementing appropriate security policies and procedures. They are also in charge of ensuring that the necessary training is available and has been carried out by staff members. Reviewing compliance with procedures and taking part in risk assessments is also part of their remit.
The goal of the security officer is to ensure that the entity respects the Administrative, Physical and Technical Safeguards of the Security Rule. In doing so, they will touch upon many aspects of an organization’s activities. These include, for example, formulating a Disaster Recovery Plan; devising, implementing, or otherwise guaranteeing that sufficient measures are in place to prevent unauthorized access to PHI; and verifying that PHI is stored and transmitted in line with HIPAA standards.