Breaking Down the HIPAA Security Officer Requirement
Today I am breaking down the HIPAA Security Officer requirement, Assigned Security Responsibility 45 § 164.308(a)(2), into byte-size portions to help you understand how they are significant to your organization. Since 2005, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule has required regulated entities to identify who will be operationally responsible for assuring that the regulated entity complies with the Security Rule. This is similar to the Privacy Rule standard, 45 §164.530(a)(1), which requires all regulated entities designate a Privacy Officer.
The HIPAA regulations state you must formally select a Privacy Officer and a Security Officer. In small organizations this can be the same person. The HIPAA Security Officer responsibilities are often assigned to an IT Manager due. This is due to the perception that integrity of ePHI is an IT issue.
The HIPAA Security Rule is made of of three safeguards, they are:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
Only 30% of the safeguards require technical expertise. That means smaller regulated entities could reduce their information systems costs by splitting the HIPAA Security Officer responsibilities. Just be sure to document your selection by department not who the activities is assigned to. This will allow authorized representatives of the department to perform the activity.
HIPAA Security Officer Responsibilities
The HIPAA Security Officer’s job description needs to outline the Officer’s responsibilities with regard to establishing and maintaining HIPAA compliant mechanisms for ensuring the confidentiality, integrity and accessibility of the CE´s or BA’s healthcare information systems and any PHI.
These responsibilities will vary according to the nature and size of the organization, but should include:
- Performing an enterprise wide risk analysis of the company’s information systems.
- Developing and implementing policies and procedures to prevent, detect, contain and correct security violations.
- Regularly reviews audit logs, access reports, and security incident tracking reports.
- Developing and implementing policies and procedures to ensure only appropriate company workforce members have access to PHI.
- Implements a security awareness and training program for ALL workforce personnel, volunteers, management including doctors.
- Regularly monitor attempts by unauthorized persons to log on to the company’s information systems.
- Implements procedures to guard against and detect viruses, worms, and other malicious code.
- Develop and implement policies and procedures to respond to security incidents.
- Develops contingency plans to respond to emergencies.
- Performs periodic technical and nontechnical reviews of the company’s information security program.
- Evaluates reported incidents as potential breaches of unsecured ePHI.
Something to Ponder ...
When designating the HIPAA Security Officer regulated entities should consider some of the following sample questions:
- Does it serve the organization’s needs to designate the same individual as both the Privacy and Security Officer (for example, in a small provider’s office)?
- How are the roles and responsibilities of the Security Officer crafted to reflect the size, complexity and technical capabilities of the organization?