A good HIPAA compliance program has several layers of people working together, each aware of the others. Today’s post covers the HIPAA Compliance Officer – what do they do and how do they fit in the program? Future blogs will cover the Board and Senior Management, and the Workforce.
The HIPAA Compliance Officer speaks for HIPAA as a Core Company Value
Every healthcare organization needs at least one person whose top priority is privacy and security. In a large organization it can be a full-time job, while in a smaller organization the compliance officer may wear more than one hat. In either case, the key is knowing what needs to be done. If you know the steps, you can be a champion.
The HIPAA Compliance Officer leads a team
Although one person is central, HIPAA compliance is a team sport. The compliance officer is the team captain. The rulebook is HIPAA law, and victory is maintaining patient privacy and security.
As team captain, the compliance officer maintains the rules (HIPAA policies and forms) and communicates with management (HIPAA training, breach notification), across the team with other employees (HIPAA training, supporting the culture of compliance), and externally with the public (helping patients).
HIPAA rules require there be both a Privacy Official and a Security Official, but it’s okay to have one person do both roles. If there are two, it’s critical that they work together, as co-captains of HIPAA compliance. Both are equally important.
Responsibility and Authority of the HIPAA Compliance Officer come from the top
The Board of Directors and Senior Management are always responsible for HIPAA compliance, but they may delegate the authority to develop and implement HIPAA compliance to a HIPAA Compliance Officer. The Compliance Officer is the first line of defense against breaches, fines, lawsuits, or a failed audit. Senior management should support the Compliance Officer with the resources needed for full compliance.
The HIPAA Compliance Officer’s three steps to victory
Check to see if these are complete:
1. Establish HIPAA policies for Privacy, Security and Breach Notification Rules
2. Do a Risk Analysis and Risk Management
3. Train the workforce
HIPAA training is required for everyone in the organization, including senior management. It should become part of every new employee’s orientation, should be reinforced with periodic security reminders, and repeated as needed.
The HIPAA Compliance Officer should document everything, from policies and Risk Analysis to breach notification, training and assessments.
All documentation should be kept for a minimum of six years.
A HIPAA Compliance Officer’s job is ongoing
It’s not a one-step process. Once policies are in place, Risk Analysis is put to bed and training is complete, the HIPAA Compliance Officer continues to lead the team, keeping policies up-to-date, answering employee questions and helping patients.
HIPAA requires healthcare organizations to periodically:
- Review and modify security measures to protect patient information
- Change policies and procedures as necessary to comply with changes in HIPAA law
- Do Risk Analysis once a year, and keep Risk Management going year-round.
Help for the HIPAA Compliance Officer from The HIPAA E-Tool®
Being a HIPAA Compliance Officer is a big job, but it doesn’t have to be a lonely one with The HIPAA E-Tool® to help.
This turn-key solution has:
- Every Policy, Procedure and Form needed, customized to your organization
- Risk Analysis – Risk Management, step-by-step
- Updates every time the law changes
- Customer service with answers to all your HIPAA questions