The Health Insurance Portability and Accountability Act requires that a person (or persons) within a Covered Entity or Business Associate be assigned the duties of a HIPAA Compliance Officer. The role may be given to an existing employee, or a new position may be created to meet the requirement. It is even possible to outsource the duties of a HIPAA Compliance Officer on a temporary or permanent basis.
But, what are the duties of a HIPAA Compliance Officer? And how much work is involved? That will depend on the size of the Covered Entity or Business Associate, and the volume of Protected Health Information (PHI) it creates, uses, and maintains. In larger organizations it is often the case that the duties of a HIPAA Compliance Officer are divided between a Privacy Officer and a Security Officer.
A HIPAA Privacy Officer is responsible for developing a HIPAA-compliant privacy program if one does not already exist, or, if a privacy program is already in place, for ensuring that the privacy policies protecting the integrity of PHI are enforced. He or she will deliver or oversee ongoing employee privacy training, conduct risk assessments, and develop HIPAA-compliant procedures where necessary.
A HIPAA Privacy Officer will have to monitor compliance with the privacy program, investigate incidents in which a breach of PHI may have occurred, report breaches as necessary, and ensure patients' rights in accordance with state and federal laws. In order to fulfil the duties of a HIPAA Privacy Officer, the appointed person will have to keep up to date with relevant state and federal laws.
The duties of a HIPAA Security Officer are not dissimilar to those of a Privacy Officer inasmuch as the appointed person will be responsible for the development of security policies, the implementation of procedures, training, risk assessments, and monitoring compliance. However, the focus of a Security Officer is compliance with the Administrative, Physical, and Technical Safeguards of the Security Rule.
In this respect, the duties of a HIPAA Security Officer can include such diverse topics as the development of a Disaster Recovery Plan, the mechanisms in place to prevent unauthorized access to PHI, and how electronic PHI (ePHI) is transmitted and stored. Due to the similarity in duties, the roles of a HIPAA Privacy Officer and HIPAA Security Officer are performed by the same person in smaller organizations.
The HIPAA regulations do not define exactly what the duties of a HIPAA Compliance Officer are; instead, they leave it to each Covered Entity or Business Associate to establish those duties according to its specific requirements. Therefore, in order to effectively establish the duties of a HIPAA Compliance Officer, it is necessary to understand what those specific requirements are.
With this in mind, Compliance Junction has compiled a HIPAA Compliance Guide. Their guide is an overview of the key areas of HIPAA, HITECH and the Final Omnibus Rule, and how they apply to Covered Entities and Business Associates in certain circumstances. Naturally they are unable to cover every possible scenario, so they have also included links to further information and valuable resources that will help readers find answers to any questions about HIPAA compliance and the duties of a HIPAA Compliance Officer.
No specific qualifications are required, although most employers will expect prospective candidates to be educated to master's degree level. Certain education providers offer HIPAA Compliance Officer training, but you will need to check that the content of the course is relevant to the role you are applying for. Some courses focus too heavily on the Security Rule and leave gaps in other areas.
HIPAA does not require Covered Entities to appoint a HIPAA Compliance Officer in every state, but Compliance Officers representing multi-state organizations will need to have a thorough knowledge of each state's privacy and security laws. In states where privacy and security laws are more stringent than HIPAA, the state laws take precedence.
Covered Entities with subsidiaries that meet the definition of a Covered Entity in their own right do not have to appoint a HIPAA Compliance Officer for each subsidiary, provided all compliance requirements are met for each subsidiary, i.e. policies are developed for each subsidiary, training is provided for each subsidiary, internal monitoring and auditing is conducted for each subsidiary, etc.
The duties can be shared by a team, but an individual within the team has to be given the title of HIPAA Privacy Officer and HIPAA Security Officer for accountability purposes and to ensure there is a single point of contact for the public, employees, and the Department of Health and Human Services. If personnel within the team change, it may be necessary to reassign the roles.
Whether the HIPAA Compliance Officer is a designated employee or an outsourced consultant, HIPAA compliance is ultimately the responsibility of senior management. Therefore, senior managers should be in regular communication with the HIPAA Compliance Officer in order to be fully informed of the efforts being made to maintain compliance with HIPAA.