By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
Read other articles by this author
Recently we went over the role of the HIPAA Privacy Officer and what responsibilities that individual would oversee, as well as what qualifications an ideal candidate would bring to the position. Additionally, HIPAA Regulations require that you formally identify a Security Officer in addition to a Privacy Officer, but they can be the same person.
What’s the Difference?
The HIPAA Security Officer is often a person in the IT department or one with a professional background in that area. The Department of Health & Human Services (HHS) provides guidelines for determining who should be designated and if they should be the same person. Some sample questions that they suggest asking yourself and the business are:
- Would it serve the business’s needs to assign one person to both roles (for example, is it a small office?)
- Have the responsibilities been clearly identified, documented, and agreed upon within the organization?
- Are the roles & responsibilities of the Security Officer accurately reflecting the size, complexity, and technical capabilities of the business?
What Are Their Responsibilities?
Like the Privacy Officer in that, they will have knowledge of what protected health information (PHI) is, and they will be a point person in the event of a breach. The Security Officer will develop and implement the security policies and procedures for maintaining the electronic PHI (ePHI), as well as oversee the technical systems that they reside within. This is where the IT background is helpful. Any document changes regarding the safety protocols would be under their jurisdiction as well.
Additionally, the Security Officer would oversee the required security awareness training and that the organization is performing a security risk analysis. Every member of the team will be a part of this training program.
As mentioned in our previous post, this position can be confused with the job of HIPAA Privacy Officer, but it is important to note that these are separate responsibilities even if assigned to the same person.
This article was originally published on HIPAA Secure Now! and is republished here with permission.