An often overlooked aspect of HIPAA compliance is the selection of a HIPAA compliance officer or HIPAA privacy officer. These roles are often filled by default and given to the person with the closest proximity to tasks these roles typically focus on.
The security officer role tends to be passed to the IT manager, while the privacy officer role typically goes to the individual in charge managing medical records. However, HIPAA security officer and HIPAA privacy officer roles are critical to ensuring data is protected throughout the entire organization, and compliance is maintained. Therefore, the selection of individuals to these roles should be determined by thorough analysis.
Here are a few traits you may want your privacy and security officers to possess:
- Broad understanding of organizational processes: In order to be effective in either role, an individual must have a global understanding of how the organization operates, how PHI flows into and out of the organization, how PHI is utilized, and where it is within the organization.
- Attention to detail: You want people in these roles that can spot policy violations or needs for procedural changes simply by walking around the organization. You will also want someone who can think creatively about best practices. The individuals in these roles will not only need to spot and stop potential violations, but will need to identify better ways of operating that balance staff needs with adequate protections.
- Strong leader: The security officer and the privacy officer will be your data protection champions. They will set the tone for the entire organization when it comes to implementing privacy and security safeguards. Their job is to create a culture of compliance throughout the organization.
There are other considerations to keep in mind beyond just selecting the right individual to fill the roles. Will these roles be filled by someone on staff or will they be outsourced? The best practice is to fill the roles with someone on staff. There is no preclusion from outsourcing these roles, but it is advantageous to have someone who is consistently onsite and has an intimate understanding of the organization serving in these capacities. It is often best to have the security and privacy officers on staff and backed up by an outsourced experts who can provide them guidance as needed.
Another aspect to consider is whether to have one person fill both the security officer and privacy officer roles. The rule of thumb is that it can be one person if that one person has sufficient time to adequately complete both roles. Most often this is not appropriate for larger and more complex organizations, but it does tend to work well in smaller organizations.
Regardless of who serves in the roles of security and privacy officer, it is imperative they understand and embrace the importance of the role. Good security and privacy officers can lead positive changes that permeate through the entire organization.