
The Role of a HIPAA Compliance Officer

A good HIPAA compliance program has several layers of people working together, each aware of the others. Today’s post covers the HIPAA Compliance Officer – what do they do and how do they fit in the program? Future blogs will cover the Board and Senior Management, and the Workforce.

The HIPAA Compliance Officer speaks for HIPAA as a Core Company Value

Every healthcare organization needs at least one person whose top priority is patient privacy and security. In a large organization this is a full-time job; in a smaller one the compliance officer may wear more than one hat. Either way, the key is knowing exactly what the job requires. A compliance officer who knows the steps can be a champion for HIPAA rather than just a name on an org chart.

The HIPAA Compliance Officer leads a team

Although one person is central, HIPAA compliance is a team sport. The compliance officer is the team captain. The rulebook is HIPAA law, and victory is maintaining patient privacy and security. 

As team captain, the compliance officer maintains the rules (HIPAA policies, procedures and forms); communicates upward to management (reporting on training, risk, and breach notification); communicates across the team to other employees (delivering HIPAA training and supporting a culture of compliance); and communicates externally to the public (helping patients exercise their rights).

The HIPAA Privacy Rule requires a designated Privacy Official and the Security Rule requires a designated Security Official, but one person may hold both roles. If there are two, it is critical that they work together as co-captains of HIPAA compliance; neither role is more important than the other.

Responsibility and Authority of the HIPAA Compliance Officer comes from the top

The Board of Directors and Senior Management are always responsible for HIPAA compliance, but they may delegate the authority to develop and implement HIPAA compliance to a HIPAA Compliance Officer. The Compliance Officer is the first line of defense against breaches, fines, lawsuits, or a failed audit. Senior management should support the Compliance Officer with the resources needed for full compliance.

[Chart: the role of the HIPAA Compliance Officer, Three Steps to Compliance Officer Victory]

The HIPAA Compliance Officer’s three Steps to victory

Check to see if these are complete:

1.     Establish HIPAA policies for Privacy, Security and Breach Notification Rules
2.     Do a Risk Analysis and Risk Management
3.     Train the workforce

HIPAA training is required for everyone in the organization, including senior management. It should become part of every new employee’s orientation, should be reinforced with periodic security reminders, and repeated as needed.

The HIPAA Compliance Officer should document everything, from policies and the Risk Analysis to breach notifications, training and assessments. If it is not written down, an auditor will treat it as though it never happened.

All documentation must be retained for a minimum of six years from the date it was created or the date it was last in effect, whichever is later.

A HIPAA Compliance Officer’s job is ongoing

It is not a one-time project. Once policies are in place, the initial Risk Analysis is done and the first round of training is complete, the HIPAA Compliance Officer continues to lead the team: keeping policies up to date, revisiting the Risk Analysis whenever systems, vendors or operations change, answering employee questions and helping patients.

HIPAA requires healthcare organizations to periodically:

Help for the HIPAA Compliance Officer from The HIPAA E-Tool®

Being a HIPAA Compliance Officer is a big job, but it doesn’t have to be a lonely one with The HIPAA E-Tool® to help.

This turn-key solution has:

  • Every Policy, Procedure and Form needed, customized to your organization
  • Risk Analysis – Risk Management, step-by-step
  • Training
  • Documentation
  • Updates every time the law changes
  • Customer service with answers to all your HIPAA questions


Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC
