All Covered Entities are obligated by 45 CFR 164.308 – the Administrative Safeguards of the HIPAA Security Rule – to designate a HIPAA Security Officer who is charged with the development and implementation of policies and processes to ensure the integrity of electronic Protected Health Information (ePHI). The role of HIPAA Security Officer is often given to an IT Manager due to the perception that the integrity of ePHI is an IT issue. However, this is not necessarily so.
Although the Technical Safeguards of the HIPAA Security Rule relate to restricting access to systems on which ePHI is maintained and to transmission security, only about 30% of a HIPAA Security Officer's responsibilities are IT-related. The remainder of his or her responsibilities relate to training, auditing, incident management and overseeing Business Associate compliance. A HIPAA Security Officer is also responsible for facility security and the preparation of a Disaster Recovery Plan.
The Responsibilities of a HIPAA Security Officer
The HIPAA Security Rule stipulates the person designated the role of HIPAA Security Officer must put in place policies and procedures to prevent, detect, contain, and correct breaches of ePHI. Before developing the policies and processes, the HIPAA Security Officer has to conduct and chronicle risk assessments to incorporate every element of the Security Rule's Technical, Physical and Administrative Safeguards.
Once the dangers to the integrity of ePHI have been identified, a HIPAA Security Officer must create measures “to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 CFR 164.306(a)”. Employees have to be educated on any new work practices that are introduced and be informed of the sanctions for failing to adhere to the new policies and procedures. In order to enforce the sanctions policy, a system for reviewing information system activity also has to be developed.
Job Description for HIPAA Security Officer
A HIPAA Security Officer job description needs to describe the Officer's responsibilities in relation to establishing and maintaining HIPAA-compliant mechanisms for ensuring the confidentiality, integrity and accessibility of the Covered Entity's healthcare information systems. These duties will vary according to the nature and size of the organization, but should incorporate:
- Duties for establishing, managing and enforcing the Security Rule safeguards and any subsequent rules issued by OCR.
- Duties for integrating IT security and HIPAA compliance with the organization's business strategies and requirements.
- Duties for addressing issues related to access controls, business continuity, disaster recovery, and incident response.
- Duties for organizational security awareness, including staff training in collaboration with the HIPAA Privacy Officer.
- Duties for conducting risk assessments and audits – especially with regard to Business Associates and other third parties.
- Duties for investigating data breaches and implementing measures for their future prevention and/or containment.
Identifying an Ideal Candidate for the Role
Because the duties of a HIPAA Security Officer are so varied, it is not always ideal to give the role to an IT Manager. In many cases, the perfect candidate for the role is a person in a position of authority with strong organizational skills and a thorough comprehension of HIPAA. Undoubtedly many policies and procedures will impact the operation of the IT department, so it is important that a HIPAA Security Officer has an understanding of the Covered Entity's computer systems.
However, it is more pertinent that a HIPAA Security Officer liaises with the Covered Entity's Privacy Officer – or, in larger groups, the HIPAA Compliance Team. There are many areas of the Security and Privacy Rules that overlap, and resources can be pooled to conduct risk assessments, manage employee training and speed up HIPAA compliance. A partnership between a Covered Entity's Security and Privacy Officers can also better manage Business Associate compliance.
HIPAA Privacy Officer Requirement
HIPAA Privacy Officers have been referred to periodically throughout this article as it is required that, along with a HIPAA Security Officer, Covered Entities hire a HIPAA Privacy Officer. The HIPAA Privacy Officer requirement is mandated by HIPAA and, depending on the nature and size of the group, it is possible for the two roles to be joined into one.
The role of a HIPAA Privacy Officer is similar in some regards to that of a Security Officer, as it involves conducting risk assessments, staff training and managing Business Associate Agreements. However, a Privacy Officer will also be charged with establishing, managing and enforcing HIPAA-compliant policies and procedures to protect PHI in whatever format it is maintained.
HIPAA Security & Compliance Software Outsourcing
In many groups, it is not possible to give the role of HIPAA Security Officer to an IT Manager or other employee because of their current workload. In this instance, it is possible to outsource the role to third-party compliance workers, either on an interim basis until risk assessments are conducted and policies adapted, or on a permanent basis. If the interim solution is opted for, it will still be necessary for the Covered Entity to identify somebody responsible for security compliance afterwards.
Another option is to take advantage of compliance software. Compliance software can be set up to suit each individual Covered Entity's requirements and help fulfil the tasks of risk assessments, policy development and employee training. This is a perfect solution for Covered Entities lacking the resources to engage additional personnel or outsource compliance experts and is one of the most cost-effective ways to fulfil the Administrative Safeguards of the HIPAA Security Rule.