We have a Compliance Officer, that’s all we need, right?

By now most organizations are aware that they need a compliance program and a person designated as the Compliance Officer, but HIPAA also requires every organization to designate a Privacy Officer and a Security Officer. In many organizations the Compliance Officer tends to wear all the hats, but it is important to consider whether that is truly the best option for the organization.

The Compliance Officer is responsible for administering the organization’s compliance program, which may include the HIPAA program. The Privacy Officer’s role is more narrowly focused: developing and implementing privacy policies, investigating incidents and potential breaches, and serving as the point person for individuals seeking copies of their records, restrictions on the release of records, or anything else related to the privacy of protected health information (PHI). In the event of a breach, the Privacy Officer serves as the point person for the organization.

The Security Officer is responsible for making sure that policies, procedures and systems are in place to protect PHI when it is held electronically (ePHI). Typically, the Security Officer is someone with a technology background who is familiar with the organization’s computer networks and systems. Should there be an issue with ePHI, it is the Security Officer who leads the investigation, determines the scope of the incident and identifies potential methods of mitigation.

Both the Privacy Rule and the Security Rule under HIPAA give organizations flexibility to determine the best way to address risks based on their size and resources. Having said that, HIPAA requires each organization to formally designate someone to serve as the Privacy Officer and someone to serve as the Security Officer. The same person can hold both roles, and can even be the Compliance Officer as well, but the governing board must officially designate someone for each role in order to satisfy HIPAA’s requirements. Failure to do so could actually lead to a larger fine or penalty in the event of a breach or security incident, so every organization is encouraged to take the easy step of having the governing board take formal action and record that action in the minutes of the meeting. Once that has been accomplished, it is wise to make sure both the Privacy Officer and the Security Officer receive relevant training on what their respective positions entail.