By Art Gross, President and Chief Executive Officer, HIPAA Protect now!
Twitter: @HIPAASecureNow

We recently looked at the role of the HIPAA Privacy Officer, the responsibilities this person oversees, and the qualifications the ideal candidate for the position would bring. HIPAA regulations also require you to formally identify a security officer in addition to a privacy officer, but they may be the same person.

What is the difference?

The HIPAA Security Officer is often a person in the IT department or a person with professional experience in this field. The Department of Health and Human Services (HHS) provides guidelines for determining who should be identified and whether they should be the same person. Some sample questions it suggests asking yourself and the business are:

  1. Will it be necessary for the needs of the business to assign one person to both roles (for example, is it a small office)?
  2. Are responsibilities clearly defined, documented and agreed within the organization?
  3. Do the roles and responsibilities of the security officer accurately reflect the size, complexity and technical capabilities of the business?

What are their responsibilities?

Like the privacy officer, the security officer will know what constitutes protected health information (PHI) and will be a point person in case of a breach. The Security Officer will develop and implement security policies and procedures to maintain electronic PHI (ePHI), as well as monitor the technical systems in which it is located. This is where the IT background is useful. Any changes to the security protocol documents will also be under their jurisdiction.

In addition, the security officer will monitor the necessary security awareness training and verify that the organization is conducting a security risk analysis. Each member of the team will be part of this training program.

As mentioned in our previous post, this position may be confused with the work of a HIPAA Privacy Officer, but it is important to note that these are distinct responsibilities even if assigned to the same person.

This article was originally published on HIPAA Protect now! and is republished here with permission.

