You are required by law to have a privacy officer and a security officer for your practice or business. These roles can be combined in one individual, but keeping them separate is recommended to ensure proper checks and balances.

So what are the duties of a HIPAA privacy officer? A HIPAA privacy officer is responsible for developing a HIPAA-compliant privacy program if one does not already exist. They must ensure that privacy policies exist to protect the integrity of PHI and that those policies are enforced. He or she will deliver or oversee ongoing employee privacy training, conduct risk assessments, and develop HIPAA-compliant procedures where necessary. A HIPAA privacy officer will also have to monitor compliance with the privacy program, investigate incidents in which a breach of PHI may have occurred, report breaches as required, and uphold patients' rights in accordance with state and federal laws. In order to fulfill these duties, the appointed person will have to keep up to date with the relevant state and federal laws.

So now you may ask yourself, what is the contrast between the security officer and the privacy officer? The duties of a HIPAA security officer are not dissimilar to those of a privacy officer, inasmuch as the appointed person will be responsible for the development of security policies, the implementation of procedures, training, risk assessments, and monitoring compliance. However, the focus of a security officer is to ensure compliance with the administrative, physical, and technical safeguards of the Security Rule. In this respect, the duties of a HIPAA security officer can include the development of a disaster recovery plan, the mechanisms in place to prevent unauthorized access to PHI, and how electronic PHI is transmitted and stored. Due to the similarity in duties, the roles of HIPAA privacy officer and HIPAA security officer can be performed by the same person in smaller organizations.
You can complete all the actions required to be HIPAA and HITECH compliant yourself. Because the HIPAA and HITECH requirements are flexible, they have to be tailored to your exact needs. If you feel that the technical requirements, policies, and procedures are overwhelming, we recommend you use a HIPAA compliance guide, like ourselves, to guide you through your HIPAA journey.
In this lesson, we'll be going into some detail regarding the duties of both HIPAA Privacy Officers and HIPAA Security Officers and where and how those duties sometimes intersect. At the end of the lesson, we'll provide you with a word about HIPAA violation classifications and penalties.
One important thing to remember is that you are required by law to have someone appointed as a privacy officer and a security officer at your business or practice. However, it's equally important to point out that these roles can be combined in certain situations and given to just one individual.
Pro Tip #1: While you can appoint one person as privacy officer and security officer, it's not something that we would recommend. Separating these duties adds a second pair of eyes or ensures a certain amount of checks and balances.
In order to fulfill the duties of a HIPAA Privacy Officer, you would be responsible for the following:
- Developing a HIPAA-compliant privacy program if one does not already exist
- Ensuring that privacy policies exist to protect the integrity of PHI, and that they are enforced
- Delivering or overseeing ongoing employee privacy training
- Conducting risk assessments and developing HIPAA-compliant procedures where necessary
- Monitoring compliance with the privacy program
- Investigating incidents in which a breach of PHI may have occurred, and reporting breaches as required
- Upholding patients' rights in accordance with state and federal laws
- Keeping up to date with the relevant state and federal laws
At this point in your lesson, you may be asking yourself, what is the contrast between a security officer and a privacy officer? (Or you may just be contemplating lunch.)
The duties of a HIPAA Security Officer are in fact similar to those of a HIPAA Privacy Officer, inasmuch as the appointed person will be responsible for the development of all security policies, the implementation of all procedures, training, risk assessments, and monitoring compliance.
Pro Tip #2: Having said all that, the focus of a security officer is to ensure compliance with the administrative, physical, and technical safeguards of the HIPAA Security Rule.
The duties of a HIPAA Security Officer can include, but aren't limited to, the following:
- Developing and maintaining a disaster recovery plan
- Putting mechanisms in place to prevent unauthorized access to PHI
- Governing how electronic PHI is transmitted and stored
- Ensuring compliance with the administrative, physical, and technical safeguards of the Security Rule
As previously mentioned, while it isn't ideal or recommended, the roles of HIPAA Privacy Officer and HIPAA Security Officer can be performed by the same person because of the similarity in duties. The one caveat: it works best in smaller businesses, practices, or organizations.
You can complete all the actions required to be HIPAA and HITECH compliant yourself. Because the HIPAA and HITECH requirements are flexible rather than prescriptive, they must be tailored to your exact needs.
If you feel that the technical policies and procedures are too overwhelming, however, we would recommend you use a HIPAA compliance guide (like ourselves at ProHIPAA) who can guide you through your HIPAA journey.
Are you curious about what happens if you violate HIPAA? Well, that depends on the severity of the violation. The Office for Civil Rights prefers to resolve HIPAA violations using non-punitive measures, such as with voluntary compliance or issuing technical guidance to help covered entities address areas of non-compliance.
However, if the violations are serious, have been allowed to persist for a long time, or if there are multiple areas of noncompliance, financial penalties may be appropriate.
There are four categories that are used for the penalty structure. They are as follows:
In the case of unknown violations, where the covered entity could not reasonably have been expected to avoid the data breach, it may seem unreasonable for the covered entity to be issued a fine. The Office for Civil Rights understands this and has the discretion to waive a financial penalty. The penalty cannot be waived, however, if the violation involved willful neglect of the Privacy, Security, or Breach Notification Rules.