Duties of a HIPAA Compliance Officer

The Healthcare Insurance Portability and Accountability Act requires that a person (or persons) within a Covered Entity or Business Associate is assigned the duties of a HIPAA Compliance Officer. This may be an existing employee or a new position can be created to meet the requirement. It is even possible to outsource the duties of a HIPAA compliance officer on a temporary or permanent basis.

But, what are the duties of a HIPAA Compliance Officer? And how much work is involved? That will depend on the size of the Covered Entity or Business Associate, and the volume of Protected Health Information (PHI) it creates, uses, and maintains. In larger organizations it is often the case that the duties of a HIPAA Compliance Officer are divided between a Privacy Officer and a Security Officer.

The Duties of a HIPAA Privacy Officer

A HIPAA Privacy Officer is responsible for developing a HIPAA-compliant privacy program if one does not already exist, or – if a privacy program is already in place – for ensuring privacy policies to protect the integrity of PHI are enforced. He or she will deliver or oversee ongoing employee privacy training, conduct risk assessments and develop HIPAA-compliant procedures where necessary.

A HIPAA Privacy Officer will have to monitor compliance with the privacy program, investigate incidents in which a breach of PHI may have occurred, report breaches as necessary, and ensure patients´ rights in accordance with state and federal laws. In order to fulfil the duties of a HIPAA Privacy Officer, the appointed person will have to keep up-to-date with relevant state and federal laws.

The Duties of a HIPAA Security Officer

The duties of a HIPAA Security Officer are not dissimilar to those of a Privacy Officer inasmuch as the appointed person will be responsible for the development of security polices, the implementation of procedures, training, risk assessments and monitoring compliance. However, the focus of a Security Officer is compliance with the Administrative, Physical and Technical Safeguards of the Security Rule.

In this respect, the duties of a HIPAA Security Officer can include such diverse topics as the development of a Disaster Recovery Plan, the mechanisms in place to prevent unauthorized access to PHI, and how electronic PHI (ePHI) is transmitted and stored. Due to the similarity in duties, the roles of a HIPAA Privacy Officer and HIPAA Security Officer are performed by the same person in smaller organizations.

Job Description for a HIPAA Compliance Officer

  • The person appointed or designated the role of a HIPAA Compliance Officer must have a thorough knowledge of the HIPAA Privacy and Security Rules and the solutions available that will allow him or her to develop a HIPAA compliance program.
  • Once a HIPAA compliance program has been developed, the Compliance Officer should document progress towards its implementation. In order to achieve this, a system should be created that enables the Officer to monitor the status of the organization´s HIPAA compliance.
  • The system should allow the HIPAA Compliance Officer to prioritize efforts towards compliance and communicate priorities. It should also act as a conduit through which compliance concerns can be raised and organizational changes coordinated.
  • The HIPAA Compliance Officer is responsible for developing training programs and executing training courses. These should be designed to help employees understand HIPAA compliance and how any changes implemented will affect their specific duties.
  • The HIPAA Compliance Officer is responsible for monitoring HHS´ and the state´s regulatory requirements. When new regulations or guidelines are introduced, the Officer must adjust the organization´s HIPAA compliance program to reflect the changes.

Find Out More about the Duties of a HIPAA Compliance Officer

The HIPAA regulations do not define exactly what the duties of a HIPAA Compliance Officer are – instead leaving it to each Covered Entity or Business Associate to establish their own duties according to their specific requirements. Therefore, in order to effectively establish the duties of a HIPAA Compliance Officer, it is necessary to understand what those specific requirements are.

With this in mind, Compliance Junction has compiled a HIPAA Compliance Guide. Their guide is an overview of the key areas of HIPAA, HITECH and the Final Omnibus Rule, and how they apply to Covered Entities and Business Associates in certain circumstances. Naturally they are unable to cover every possible scenario, so they have also included links to further information and valuable resources that will help readers find answers to any questions about HIPAA compliance and the duties of a HIPAA Compliance Officer.

HIPAA Compliance Officer FAQ

What qualifications are required to become a HIPAA Compliance Officer?

No specific qualifications are required, although most employers will expect prospective candidates to be educated to Masters Degree level. Certain education providers offer HIPAA Compliance Officer Training, but you will need to check the content of the course is relevant to the role you are applying for. Some courses focus too much on the Security Rule and leave gaps in other areas.

Does a Covered Entity have to appoint a HIPAA Compliance Officer for each state it operates in?

HIPAA does not require Covered Entities to appoint a HIPAA Compliance Officer in every state, but Compliance Officers representing multi-state organizations will need to have a thorough knowledge of each state´s privacy and security laws. In states where privacy and security laws are more stringent than HIPAA, the state laws take precedence.

Does a Covered Entity have to appoint a HIPAA Compliance Officer for each subsidiary?

Covered Entities with subsidiaries that meet the definition of a Covered Entity in their own right do not have to appoint a HIPAA Compliance Officer for each subsidiary provided all compliance requirements are met for each subsidiary – i.e. policies are developed for each subsidiary, training is provided for each subsidiary, internal monitoring and auditing is conducted for each subsidiary, etc.

Can our legal team assume the responsibilities of a HIPAA Compliance Officer?

It can, but an individual within the team has to be given the title of HIPAA Privacy Officer and HIPAA Security Officer for accountability purposes and to ensure there is a single point of contact for the public, employees, and the Department of Health and Human Services. If personnel within the team changes, it may be necessary to reassign the roles.

What if a HIPAA Compliance Officer fails in their duties?

Whether or not the HIPAA Compliance Officer is a designated employee or an outsourced consultant, HIPAA compliance is ultimately the responsibility of senior management. Therefore, senior managers should be in regular communication with the HIPAA Compliance Officer in order to be fully informed of the efforts being made to maintain compliance with HIPAA.