HIPAA Security Officer
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires Covered Entities (CEs) and Business Associates (BAs) to identify a specific individual who is responsible for the security of electronic protected health information (ePHI); see the Administrative Safeguards standard "Assigned security responsibility", 45 C.F.R. § 164.308(a)(2).
This person analyzes the risks, threats and vulnerabilities to ePHI arising from internal and external factors; adopts security policies; is responsible for training the workforce in how to protect PHI; makes sure any third party that handles PHI on the organization's behalf is bound by a Business Associate Agreement (BAA) or subcontractor agreement; and develops and implements the policies and procedures needed to ensure the confidentiality, integrity and availability of ePHI.
Who should be the Security Officer?
The Privacy Rule requires covered entities to formally designate a Privacy Officer (45 C.F.R. § 164.530(a)(1)), and the Security Rule requires both covered entities and business associates to designate a Security Officer. These can be the same person.
The Security Officer role is often assigned to an IT Manager because of the perception that protecting ePHI is purely an IT issue. That is not necessarily the right choice: the role is as much about risk management, policy and workforce oversight as it is about technology. If you outsource management of your information systems, you can designate your consultant, but the regulatory responsibility for compliance stays with the CE or BA, so document the designation and make sure the consultant's duties are written into the service agreement. Whoever you choose should have:
- Expertise in the principles of security management relating to information systems.
- Familiarity with the structure and operation of the Company’s information systems.
- Knowledge of the HIPAA Security Rule, Breach Notification Rule and relevant aspects of the Privacy Rule.
The Responsibilities of a HIPAA Security Officer
A HIPAA Security Officer's job description needs to set out the Officer's responsibilities for establishing and maintaining HIPAA-compliant mechanisms that ensure the confidentiality, integrity and availability of the CE's or BA's healthcare information systems and any ePHI they hold.
These responsibilities will vary according to the nature and size of the organization, but should include the following (the Security Rule standard each one maps to is given in parentheses):
- Performing an enterprise-wide risk analysis of the company's information systems and ePHI, and repeating it when systems or the environment change (§ 164.308(a)(1)(ii)(A)).
- Developing and implementing policies and procedures to prevent, detect, contain and correct security violations (§ 164.308(a)(1)).
- Regularly reviewing audit logs, access reports and security incident tracking reports (information system activity review, § 164.308(a)(1)(ii)(D)).
- Developing and implementing policies and procedures to ensure that only appropriate workforce members have access to ePHI, and that access is removed when it is no longer needed (§ 164.308(a)(3) and (a)(4)).
- Implementing a security awareness and training program for all workforce members, including volunteers, management and clinicians (§ 164.308(a)(5)).
- Monitoring log-in attempts, including attempts by unauthorized persons, and following up on discrepancies (§ 164.308(a)(5)(ii)(C)).
- Implementing procedures to guard against and detect viruses, worms and other malicious software (§ 164.308(a)(5)(ii)(B)).
- Developing and implementing policies and procedures to identify and respond to security incidents, mitigate their effects and document their outcomes (§ 164.308(a)(6)).
- Developing contingency plans, including data backup, disaster recovery and emergency mode operation plans, to respond to emergencies (§ 164.308(a)(7)).
- Performing periodic technical and non-technical evaluations of the company's information security program (§ 164.308(a)(8)).
- Assessing reported security incidents to determine whether they are breaches of unsecured PHI that trigger the Breach Notification Rule.
Covered Entities and Business Associates need to understand that patients are entrusting them with their most private and intimate details, and they expect that information to remain secure.
Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy. Why leave yourself wide open to such risks?
Register with HIPAA alli for our webinar, where we cover a range of HIPAA compliance topics and give attendees insider insight into industry best practices.