The Healthcare Insurance Portability and Accountability Act states that a person (or persons) within a Covered Entity or Business Associate must be given the duties of a HIPAA Compliance Officer. This may be a current employee or a new position can be introduced to meet the requirement. It is even possible to outsource the duties of a HIPAA compliance officer on a part time or permanent basis.
But, what are the specific duties of a HIPAA Compliance Officer? And how much work doe it involve? That will depend on the size of the Covered Entity or Business Associate, and the amount of Protected Health Information (PHI) it creates, uses, and maintains. In larger grouops it is often the case that the duties of a HIPAA Compliance Officer are split between a Privacy Officer and a Security Officer.
The Duties of a HIPAA Privacy Officer
A HIPAA Privacy Officer is charged with creating a HIPAA-compliant privacy program if one does not already exist, or – if a privacy program is already in place – for ensuring privacy policies to safeguard the integrity of PHI are enforced. He or she will deliver or oversee ongoing staff privacy training, complete risk assessments and develop HIPAA-compliant procedures where required.
A HIPAA Privacy Officer will have to police compliance with the privacy program, investigate incidents in which a breach of PHI may have happened, report breaches as necessary, and ensure patients´ rights in accordance with state and federal laws. In order to fulfil the duties of a HIPAA Privacy Officer, the appointed person will have to keep up-to-date with relevant state and federal legislation.
The Duties of a HIPAA Security Officer
The duties of a HIPAA Security Officer are not so different to those of a Privacy Officer inasmuch as the appointed person will be charged with the development of security polices, the implementation of procedures, training, risk assessments and monitoring compliance. However, the focus of a Security Officer is compliance with the Administrative, Physical and Technical Safeguards of the Security Rule.
In this respect, the duties of a HIPAA Security Officer can include such different topics as the development of a Disaster Recovery Plan, the mechanisms in place to prevent unauthorized access to PHI, and how electronic PHI (ePHI) is transmitted and saved. Due to the similarity in duties, the roles of a HIPAA Privacy Officer and HIPAA Security Officer are performed by the same individual in smaller organizations.
| 7 Steps to Becoming HIPAA Compliant | |
|---|---|
| 1 | Develop and enforce policies and procedures. |
| 2 | Appoint or designate a HIPAA Compliance Officer. |
| 3 | Conduct effective employee and management training. |
| 4 | Establish effective channels of communication. |
| 5 | Conduct internal monitoring and auditing. |
| 6 | Respond to breaches and undertake corrective action. |
| 7 | Assess policies and procedures and amend as necessary. |
Job Description for a HIPAA Compliance Officer
- The person appointed or designated the role of a HIPAA Compliance Officer must have a second-to-none knowledge of the HIPAA Privacy and Security Rules and the solutions available that will allow him or her to create a HIPAA compliance program.
- Once a HIPAA compliance program has been established, the Compliance Officer should document progress towards its implementation. In order to achieve this, a system should be set p that enables the Officer to monitor the status of the groups´s HIPAA compliance.
- The system should allow the HIPAA Compliance Officer to rank efforts towards compliance and communicate priorities. It should also behave as a conduit through which compliance concerns can be raised and organizational changes coordinated.
- The HIPAA Compliance Officer is responsible for formulating training programs and executing training courses. These should be designed to help employees learn HIPAA compliance and how any changes implemented will affect their specific responsibilities.
- The HIPAA Compliance Officer is charged with monitoring HHS´ and the state´s regulatory requirements. When new regulations or guidelines are introduced, the Officer must adjust the organization´s HIPAA compliance program to reflect the changes.
Discover More about the Duties of a HIPAA Compliance Officer
The HIPAA regulations do not outright define what the duties of a HIPAA Compliance Officer are – instead leaving it to each Covered Entity or Business Associate to establish their own duties according to their specific requirements. Therefore, in order to properly set out the duties of a HIPAA Compliance Officer, it is necessary to understand what those specific requirements are.
Remembering this, we have compiled a HIPAA Compliance Guide. Our guide is an overview of the key areas of HIPAA, HITECH and the Final Omnibus Rule, and how they apply to Covered Entities and Business Associates in certain instances. Naturally we are unable to cover every possible example, so we have also included links to further information and valuable resources that will help readers find answers to any questions regading HIPAA compliance and the duties of a HIPAA Compliance Officer.