In this week’s “Know The Rules!,” I am diving a little deeper into the second standard in the Administrative Safeguards section: Assigned Security Responsibility. There are no separate implementation specifications for this standard, § 164.308(a)(2).
The purpose of this standard is to identify who will be operationally responsible for ensuring that the covered entity (CE) complies with the Security Rule. CEs should be aware of the following when assigning their security responsibility:
• This requirement is comparable to the Privacy Rule standard at §164.530(a)(1), Personnel Designations, which requires all CEs to designate a Privacy Official.
• The Security Official and Privacy Official can be the same person, but are not required to be.
• While one individual must be designated as having overall responsibility, other individuals in the CE may be assigned specific security responsibilities (e.g., facility security or network security).
When making this decision, CEs should consider the following sample questions:
• Does it serve the organization’s needs to designate the same individual as both the Privacy and Security Official (for example, in a small provider’s office)?
• Has the organization agreed upon, and clearly identified and documented, the responsibilities of the Security Official?
• How are the roles and responsibilities of the Security Official crafted to reflect the size, complexity and technical capabilities of the organization?
Remember: Security is not a one-time project, but rather an ongoing, dynamic process that will create new challenges as the organizations and technologies of CEs and business associates (BAs) change.
Besides, it is YOUR practice, YOUR patients, YOUR reputation, and YOUR legacy! Why are you leaving yourself wide open to such risks?
For tips like this and more, request your copy of the “HIPAA Security Rule – Know The Rules!” newsletter today.