If you are a medical practice or “covered entity”, you need a HIPAA Security Officer. As required in 45 C.F.R. § 164.308(a)(2), the Security Rule states that every covered entity (healthcare provider) must identify a HIPAA Security Officer who is responsible for compliance. This is the person who leads the team and is held responsible for your HIPAA compliance. It’s important to note that the security officer doesn’t have to be a security expert, but does need some understanding of your computer systems, needs to know where your ePHI (electronic Protected Health Information) is stored, and needs to identify all of the business associates who will access that ePHI. This responsibility covers PHI in all forms: verbal, written, or electronic. Some of the ways the officer can protect PHI are encrypted computer networks, password-protected computer programs, keycard-protected restricted clinic areas, and shred bins for proper disposal of any written forms of PHI.
HIPAA defines a set of security standards for information systems that manage health information. HIPAA security officers are responsible for making sure those standards are always met. The goal is to protect patient privacy in healthcare environments. The security officer develops policies and processes that consistently meet that goal.
Below are some of the responsibilities of the HIPAA Security Officer:
- Understand the HIPAA Security Rule and keep up to date with any and all changes to the law.
- Manage office morale regarding HIPAA compliance, including developing an internal culture of compliance.
- Develop and implement policies and procedures to safeguard PHI.
- Oversee the security of ePHI within the company in all phases: in transit, at rest, and in storage.
- Develop and implement action plans for addressing risks to PHI.
- Identify and evaluate threats to the confidentiality and integrity of ePHI.
- Consult with the Privacy Officer before contracting with any outside vendors.
- Perform or coordinate periodic Security audits of all computer systems and networks.
- Oversee internal office sanctions for failure to comply with HIPAA policies. Handle internal complaints about lack of compliance.
- Be the contact person for questions regarding HIPAA compliance. Be an internal contact point in case of security incidents and PHI breaches.
- Be responsible for interacting with OCR auditors.
- Manage training and awareness programs for the workforce. Manage continuity of practice in the event of a disaster or a PHI breach.
- Regularly review and edit internal policies and procedures.
In short, this person is the internal end point of responsibility for HIPAA compliance. Whether the officer personally does the work of ensuring compliance, or simply manages and oversees it, does not matter. As a medical practice or covered entity, always ensure that you are HIPAA compliant; one of the essential steps is naming a HIPAA Security Officer for your entity.
By Rupal Talati.