This month HTA is focusing on the HIPAA Security Officer role within independent healthcare practices. The HIPAA Security Officer is defined in 45 CFR § 164.308(a)(2) of the Electronic Code of Federal Regulations as the security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule for the covered entity or business associate. Their duties include conducting risk assessments that cover every aspect of the Security Rule's administrative, physical, and technical safeguards, and using that data to develop remediation plans, employee training programs, and incident management procedures, as well as overseeing all Business Associate Agreements.
The HIPAA Security Officer is generally the one person in a small organization who is tasked with maintaining the practice's HIPAA compliance by tracking audits, training, and procedures. Though every employee is responsible for following the proper procedures, the Security Officer makes sure nothing falls through the cracks, and in the case of a breach, they are the one who carries out the incident management and remediation procedures. Even in a small practice, it is important to single out one person as the lead in this area, so that the responsibility is owned and not forgotten under a pile of more pressing issues.
What is the danger of NOT having a HIPAA Security Officer? To begin with, not having one is itself a HIPAA violation: designating a security official is required under the Security Rule. The bigger danger, however, is the inherent oversight risk of having no one dedicate time and attention to compliance. Without performing security risk assessments, without tracking employee training on compliance procedures, and without having remediation plans in place, any breach that occurs will have drastically greater consequences, both in data loss and in the risk of fines. When deciding on a settlement, the Office for Civil Rights (OCR) gives great weight to whether an organization took steps to be compliant both before and after a breach was discovered. Having a person in charge of shepherding your practice's compliance can not only help prevent breaches, but also greatly reduce liability if one occurs.
Healthcare Technology Advisors recommends having a designated employee in the role of HIPAA Security Officer. In most independent practices, that person also has other duties, whether as a managing physician, a nurse practitioner, or the practice administrator. In that case it is important that they are given the support necessary to carry out their compliance duties. Many third parties offer support through software or consulting to assist with internal auditing, and of course HTA offers comprehensive compliance services, including security risk assessments. These solutions can streamline the Security Officer's role and make it feasible to remain compliant while also running your practice profitably.