A HIPAA Compliance Officer is a role in an organization that is responsible for developing, implementing and communicating a HIPAA-compliant privacy program. HIPAA requires every Covered Entity or Business Associate have at least one person assigned duties of a HIPAA Compliance Officer.
A HIPAA Compliance Officer must monitor the organization’s compliance with both State and Federal HIPAA rules and regulations. In order to be successful in their position, the officer must keep up-to-date on changes and updates to these rules and regulations and communicate appropriately to the organization.
Depending on the size of the organization, this role can be one individual or divided between a Privacy Officer and Security Officer.
Read More: Understanding and implementing HIPAA rules
Privacy Officer vs. Security Officer
The role of a Privacy Officer vs. Security Officer are quite similar, but both are important and necessary in their own ways. These two roles can either be taken on by one or more people in an organization. It all depends on how large the organization is and the volume of PHI they handle.
Duties of a Privacy Officer:
- Develop HIPAA-compliant privacy program if one does not already exist
- Implement program and ensure policies to protect PHI are enforced like ensuring HIPAA compliant email policies
- Stay up-to-date on law and regulation changes
- Communicate with organization on policy updates and changes
- Oversee privacy training for employees
- Conduct risk assessments
- Investigate privacy breaches of PHI
- Ensure patient’s rights in accordance with State and Federal laws
Read More: What is the HIPAA Privacy Rule?
Duties of a Security Officer:
- Develop security policies compliant with administrative, physical and technical safeguards of the Security Rule
- Implement policies and ensure policies to protect PHI are enforced
- Stay up-to-date on law and regulation changes
- Develop Disaster Recovery Plan
- Implement process for how electronic PHI is transmitted and stored
- Prevent unauthorized access to PHI
- Investigate security breaches of PHI
Read More: What is the HIPAA Security Rule?
Duties of a HIPAA Compliance Officer
HIPAA does not define the specific duties of a Compliance Officer. Instead, they allow the Covered Entity or Business Associate to establish what their role will entail.
Again, the role of a HIPAA Compliance Officer depends on how large the organization is. The organization can decide to either:
- Assign a current employee to the role
- Hire for a new position
- Outsource their Compliance Officer duties
Any of these options are suitable as long as they formally have the title and stay in compliance.
Duties of a HIPAA Compliance Officer include:
- Knowledge of HIPAA Privacy and Security Rules in order to develop a compliance program.
- Develop and implement a complete HIPAA compliance program. The program must be able to monitor compliance and document progress.
- Monitor State and Federal regulations for changes or updates to policies. Make modifications when appropriate.
- Communicate changes in program to the organization.
- Allow departments to analyze impacts of changes to program.
- Provide training for new employees and ongoing training for all employees.
What qualifications are required to become a HIPAA Compliance Officer?
According to HIPAA Journal, no specific qualifications are required, but most employers expect you to have a bachelor’s or master’s degree in the related field. You also must have knowledge of HIPAA rules and regulations and be up-to-date on current policy changes. Some education programs offer HIPAA Compiance Officer Training as well.
Can a current employee have HIPAA Compliance Officer duties?
As mentioned previously, the role of a Compliance Officer can be between either one or two people depending on the size of the organization. Normally, you would assume someone in the IT department would take on such a role, but many organizations now see the value of having at least one individual dedicated to the role.
While a current employee can take on the role, they must have a formal title. There must be a single point of contact in the company for any questions or issues that may arise. And although they handle the daily duties of the role, senior management is responsible for communicating with the Officer and ensuring that the organization stays compliant.
