Is a HIPAA Security Officer necessary? Can we make do without having one?

The short answer is “No.”

This is a HIPAA mandate [45 CFR § 164.308 (a)(2)]. The law requires all Covered Entities and Business Associates to have a HIPAA Security Officer while they conduct their businesses and daily operations.

The mandate states to “identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [Administrative safeguards] for the covered entity or business associate¹.”

What are the required credentials in order for an employee to be a HIPAA Security Officer?

The ideal candidate for a HIPAA Security Officer position must demonstrate familiarity with the legal requirements relating to privacy and health care operations, as well as the ability to communicate effectively with and coordinate the efforts of technology and non-technology personnel.

For more information on HIPAA Security requirements, see the EPICompliance HIPAA Security policy titled “Assigned Security Responsibility Job Description Policy.”

What are the responsibilities of the HIPAA Security Officer?

The HIPAA Security Officer performs the following essential tasks, but not limited to:

1. • Manage and supervise the execution and use of security measures to protect data or ePHI.

2. • Manage, supervise, and train personnel in relation to the protection of ePHI.

3. • Assess, implement, evaluate, and maintain administrative, physical, and technical safeguards.

4. • Develop and implement HIPAA security policies and procedures.

5. • Accomplish or manage annual risk analysis and internal security audits.

6. • Manage and address potential and actual violations of security policies.

What are Security Incidents?

Security incidents are defined by law (45 CFR § 164.304) as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system².”

What key points do I need to know about HIPAA Security Incidents?

The Human and Health Services (HHS) recommends taking into consideration the following questions as Security Incident Procedures standard:³

1. 1. What specific actions should be considered as security incidents?

2. 2. How will incidents be documented and reported?

3. 3. What information should be contained in the documentation of security incidents?

4. 4. How often and to whom should incidents be reported?

5. 5. What are the appropriate responses to security incidents?

6. 6. When are identifying patterns of attempted security incidents reasonable and appropriate?

Does our office need to have a Sanction Policy?

Yes, the law [45 CFR § 164.308 (a)(1)(ii)(C)] requires Covered Entities and Business Associates to “apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate¹.”

Refer to EPICompliance HIPAA Security policy titled “Security Management Process: Sanction Policy” to know more.

Why is it important to have a Sanction Policy?

As with similar concepts of enforcing ethical standards, imposing Sanction Policy;⁴

1. 1. Issues clear and consistent stance of the organization to all employees in regards to sanctions for violations.

2. 2. Establishes organizational culture on proper ethics and conduct.

3. 3. Enforces consistent and standardized disciplinary actions applicable to a specific violation.

4. 4. Leads to better compliance by employees. When an organization has no sanction policy, staff may see this as a free pass for misconduct. Hence, when employees are aware that an organization has a sanction policy they are compelled to follow standards and restrictions.

5. 5. Promotes public trust and customers’ confidence in the organization or practice, and

6. 6. Results in timely intervention for each incident, and disciplinary actions for each violation.