Assigned Security Responsibility

Episode 51: Know The Rules! Assigned Security Responsibility

In this week’s “Know The Rules!,” I am diving a little deeper into the second standard in the Administrative Safeguards section: Assigned Security Responsibility. There are no separate implementation specifications for this standard, § 164.308(a)(2).

The standard requires that Covered Entities (CEs) or Business Associates (BAs):

“Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the Security Rule] for the entity.”

The purpose of this standard is to identify who will be operationally responsible for assuring that the CE complies with the Security Rule. CEs should be aware of the following when assigning their security responsibility:

• This requirement is comparable to the Privacy Rule standard at § 164.530(a)(1), Personnel Designations, which requires all CEs to designate a Privacy Official.

• The Security Official and Privacy Official can be the same person, but are not required to be.

• While one individual must be designated as having overall responsibility, other individuals in the CE may be assigned specific security responsibilities (e.g., facility security or network security).

When making this decision, CEs should consider some of the following sample questions:

  1. Does it serve the organization’s needs to designate the same individual as both the Privacy and Security Official (for example, in a small provider’s office)?
  2. Has the organization agreed upon, and clearly identified and documented, the responsibilities of the Security Official?
  3. How are the roles and responsibilities of the Security Official crafted to reflect the size, complexity and technical capabilities of the organization?

Remember: Security is not a one-time project, but rather an ongoing, dynamic process that will create new challenges as CEs’ and BAs’ organizations and technologies change.

Covered Entities and Business Associates need to understand: your patients are entrusting YOU with their most private and intimate details, and they expect them to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation, and YOUR legacy! Why are you leaving yourself wide open to such risks?


For tips like this and more, request your copy of the “HIPAA Security Rule – Know The Rules!” newsletter today.
