All Covered Entities and Business Associates are required by 45 CFR 164.308 – the Administrative Safeguards of the HIPAA Security Rule – to identify a HIPAA Security Officer who is responsible for the development and implementation of policies and procedures to ensure the integrity of electronic Protected Health Information (ePHI). The role of HIPAA Security Officer is often designated to an IT Manager due to the perception that the integrity of ePHI is an IT issue. However, this is not necessarily the case.
Although the Technical Safeguards of the HIPAA Security Rule relate to restricting access to systems on which ePHI is maintained and to transmission security, only about 30% of a HIPAA Security Officer's responsibilities are IT-related. The remainder of his or her responsibilities relate to training, auditing, incident management and overseeing Business Associate compliance. A HIPAA Security Officer is also responsible for facility security and the preparation of a Disaster Recovery Plan.
The Responsibilities of a HIPAA Security Officer
The HIPAA Security Rule stipulates that the person designated the role of HIPAA Security Officer must implement policies and procedures to prevent, detect, contain, and correct breaches of ePHI. Before developing the policies and procedures, the HIPAA Security Officer has to conduct and chronicle risk assessments covering every element of the Security Rule's Technical, Physical and Administrative Safeguards.
Once the risks to the integrity of ePHI have been identified, a HIPAA Security Officer must implement measures “to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 CFR 164.306(a)”. Employees have to be trained on any new work practices that are introduced and be informed of the sanctions for failing to comply with the new policies and procedures. In order to enforce the sanctions policy, a system for reviewing information system activity also has to be implemented.
HIPAA Security Officer Job Description
A HIPAA Security Officer job description needs to outline the Officer's responsibilities with regard to establishing and maintaining HIPAA-compliant mechanisms for ensuring the confidentiality, integrity and accessibility of healthcare information systems. These responsibilities will vary according to the nature and size of the organization, but should include:
Responsibilities for establishing, managing and enforcing the Security Rule safeguards and any subsequent rules issued by OCR.
Responsibilities for integrating IT security and HIPAA compliance with the organization's business strategies and requirements.
Responsibilities for addressing issues related to access controls, business continuity, disaster recovery, and incident response.
Responsibilities for organizational security awareness, including staff training in collaboration with the HIPAA Privacy Officer.
Responsibilities for conducting risk assessments and audits – especially with regard to Business Associates and other third parties.
Responsibilities for investigating data breaches and implementing measures for their future prevention and/or containment.
in larger organizations, the HIPAA Compliance Team. There are many areas of the Security and Privacy Rules that overlap, and resources can be pooled to conduct risk assessments, manage employee training, and accelerate HIPAA compliance. A partnership between Security and Privacy Officers can also better oversee Business Associate compliance.
The HIPAA Privacy Officer Requirement
HIPAA Privacy Officers have been mentioned periodically throughout this article as it is required that, in addition to a HIPAA Security Officer, Covered Entities appoint a HIPAA Privacy Officer. The HIPAA Privacy Officer requirement is mandated by HIPAA and, depending on the nature and size of the organization, it is possible for the two roles to be combined into one.
The role of a HIPAA Privacy Officer is similar in some respects to that of a Security Officer, as it involves conducting risk assessments, staff training, and managing Business Associate Agreements. However, a Privacy Officer will also be responsible for establishing, managing, and enforcing HIPAA-compliant policies and procedures to protect PHI in whatever format it is maintained.