3 Things to Include in Your HIPAA Compliance Officer Job Description
Today, I am discussing what 3 things your HIPAA Compliance Officer job description should include. First, I need to share some background with you, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires Covered Entities and their third-party vendors to formally designate a Compliance Officer.
Your Compliance Officer will be responsible for managing the security of protected health information (PHI). That means their job description needs to outline responsibilities for establishing and maintaining HIPAA compliant mechanisms. This is necessary to ensure the confidentiality, integrity, and accessibility of the healthcare information systems and any electronic PHI they are entrusted with.
These responsibilities will vary according to the nature and size of your organization.
With that said let me take this opportunity to tell you it does not matter what size you are, what you do. Even if YOU are the only one who does everything you are still required to implement each of the HIPAA requirements.
Who Can It Be Now?
Identify who in your organization has a passion for technology and desire to Keep PHI Secure – this individual makes the best data security champion!! Remember: this does NOT have to be someone with an Information Technology degree!!
You could outsource your HIPAA Compliance activities and designate a consultant as your HIPAA Security Officer.
And as always …
Remember to document your choice, an auditor may ask for it!!
Did you know?
Your HIPAA Compliance Officer is responsible for implementing the following activities:
- Analyzing risks, threats, and vulnerabilities to PHI from internal and external factors;
- Developing and implementing policies and procedures to ensure the confidentiality, integrity, and availability of the electronic PHI in your organization.
- Adopting security policies and procedures and responsible for training workforce how to keep PHI secure.
Third-party vendor due diligence is another element your HIPAA Compliance Officer should address for any organization that creates, receives, maintains, or transmits PHI. Every third-party vendor is required to have a current and signed Business Associate Agreement (BAA) or subcontractor agreement on file before exchanging ANY PHI.
Remember ANYONE who has access to PHI and you pay with via 1099 is a third-party vendor!!
Covered Entities and third-party vendors should understand that patients are entrusting them with their private and intimate details, and they expect them to remain secure.