Do I need a Privacy Officer or Security Officer?

Video 24 of 27
2 min 35 sec

In this lesson, we'll be going into some detail regarding the duties of both HIPAA Privacy Officers and HIPAA Security Officers and where and how those duties sometimes intersect. At the end of the lesson, we'll provide you with a Word about HIPAA violation classifications.

One important thing to remember is that you are required by law to have someone appointed as a privacy officer and a security officer at your business or practice. However, it's equally important to point out that these roles can be combined in certain situations and given to just one individual.

Pro Tip #1: While you can appoint one person as privacy officer and security officer, it's not something that we would recommend. Separating these duties adds a second pair of eyes or ensures a certain amount of checks and balances.

What are the Duties of a HIPAA Privacy Officer?

In order to fulfill the duties of a HIPAA Privacy Officer, you would be responsible for the following:

  • Developing a HIPAA compliant privacy program if one does not already exist
  • Ensuring that all privacy policies are in place and capable of protecting the integrity of all PHI and ePHI
  • Enforcing all the privacy policies that are in place
  • Delivering or overseeing ongoing employee privacy training
  • Conducting regularly scheduled risk assessments
  • Developing HIPAA compliant procedures where necessary
  • Monitoring compliance with the privacy program
  • Investigating any and all incidents in which a breach of PHI or ePHI may have occurred
  • Reporting breaches as they occur
  • Ensuring all patient rights in accordance with all state and federal laws
  • Keeping up to date with all relevant state and federal laws

At this point in your lesson, you may be asking yourself, what is the contrast between a security officer and a privacy officer. (Or you may just be contemplating lunch.)

The duties of a HIPAA Security Officer are in fact similar to those of a HIPAA Privacy Officer, in as much as the appointed person will be responsible for the development of all security policies, the implementation of all procedures, training, risk assessments, and monitoring compliance.

Pro Tip #2: Having said all that, the focus of a security officer is to ensure compliance with the administrative, physical, and technical safeguards of the HIPAA Security Rule.

What are the Duties of a HIPAA Security Officer?

The duties of a HIPAA Security Officer can include, but aren't limited to, the following:

  • Developing a disaster recovery plan
  • Putting into place the mechanisms to prevent unauthorized access to PHI and ePHI
  • Deciding how all electronic PHI (ePHI) is transmitted and stored

As previously mentioned, while it isn't ideal or recommended, due to the similarity in duties, the roles of a HIPAA Privacy Officer and a HIPAA Security Officer can be performed by the same person. The one caveat: It works best in smaller businesses, practices, or organizations.

Customized for Your Business

You can complete all the required actions to be HIPAA and HITECH compliant yourself, since all HIPAA and HITECH laws are applicable and must be customized to your exact needs.

If you feel that the technical policies and procedures are too overwhelming, however, we would recommend you use a HIPAA compliance guide (like ourselves at ProHIPAA) who can guide you through your HIPAA journey.

A Word About HIPAA Violation Classifications

Are you curious about what happens if you violate HIPAA? Well, that depends on the severity of the violation. The Office for Civil Rights prefers to resolve HIPAA violations using non-punitive measures, such as with voluntary compliance or issuing technical guidance to help covered entities address areas of non-compliance.

However, if the violations are serious, have been allowed to persist for a long time, or if there are multiple areas of noncompliance, financial penalties may be appropriate.

There are four categories that are used for the penalty structure. They are as follows:

  1. Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules.
  2. Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care, but still falling short of willful neglect of HIPAA Rules.
  3. Tier 3: A violation suffered as a direct result of willful neglect of HIPAA Rules, in cases where an attempt has been made to correct the violation.
  4. Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation.

In the case of unknown violations, where the covered entity could not have been expected to avoid a data breach, it may seem unreasonable for covered entities to be issued with a fine. The Office for Civil Rights understands this and has the discretion to waive a financial penalty. The penalty cannot be waived, however, if the violation involved willful neglect of Privacy, Security and Breach Notification Rules.