What are the Duties of a HIPAA Compliance Officer?

What exactly does a HIPAA Compliance Officer do? Here is a list of the primary responsibilities that person must perform to ensure their organization is HIPAA Compliant.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that healthcare providers, insurers, and other so-called “covered entities” assign someone in their organization to the role of HIPAA compliance officer. This extends to business associates as well, that is, the organizations with whom covered entities routinely share protected health information (PHI). Business associates include companies that provide e-mail or other IT services, billing agencies, or anyone else who comes into contact with PHI.

But what exactly does a HIPAA Compliance Officer do? Here is a list of the primary responsibilities that a person must perform:

  • Develop a HIPAA-compliant privacy program to ensure that PHI is safeguarded at all times, and ensure that it is enforced.
  • Stay abreast of changes to HIPAA rules and regulations, updating policies as needed to ensure full compliance.
  • Develop training for employees to ensure that they understand the organization’s policies with regard to PHI or ePHI, why they are important, and how to comply.
  • Conduct periodic HIPAA risk assessments to identify potential gaps that could result in HIPAA violations. The compliance officer may conduct such assessments themselves or outsource them to an outside consultant.
  • Provide patients with materials explaining their rights under HIPAA. The US Department of Health and Human Services (DHHS) provides model notices for various types of covered entities.
  • Investigate and respond to any and all complaints of potential HIPAA violations.
  • Serve as a go-to resource for staff and business associates with regard to HIPAA rules and regulations.
  • Stay abreast of state and federal laws concerning patients’ rights. Whenever laws or regulations are changed, or when new ones are introduced, the Compliance Officer must make the appropriate modifications to the organization’s policies, procedures, and training.

Many organizations select an existing employee to serve as the HIPAA Compliance Officer. However, HIPAA rules allow companies to outsource the position to a third party consultant, either temporarily or permanently. In organizations where existing staff has limited time, that kind of arrangement can ensure that HIPAA compliance gets the focused attention that it deserves.

In larger organizations, the role of HIPAA Compliance Officer may be subdivided into two separate roles: Privacy Officer and Security Officer. This ensures that the totality of the job can be adequately addressed when an organization must deal with a higher level of complexity.

In this case, a HIPAA Privacy Officer focuses on the following areas:

  • Developing and implementing HIPAA-compliant programs to protect the privacy of PHI
  • Conducting staff training to ensure that HIPAA privacy policies are clearly understood and followed by all employees
  • Conducting risk assessments to guard against violations of the HIPAA Privacy Rule
  • Investigating complaints and potential breaches and reporting them to the authorities when required
  • Staying up to date on all laws pertaining to patient privacy

A HIPAA Security Officer, in contrast, typically has the following responsibilities:

  • Determining how ePHI can be stored securely
  • Implementing the appropriate technology measures to ensure that PHI remains protected
  • Establishing the procedures for transmitting electronic PHI securely
  • Developing and implementing a company-wide disaster recovery plan to protect data
  • Taking any other measures deemed necessary to prevent unauthorized access to PHI

The roles of HIPAA Privacy Officer and Security Officer often overlap. The primary difference is in focus. The Security Officer tends to cover technology and electronic PHI (although it certainly can include physical security measures as well), whereas the Privacy Officer tends to be more focused on policies, procedures, and “the human element”, including the handling of complaints and investigations.

In both of those roles, as well as in the combined role of HIPAA Compliance Officer, it’s important to identify someone who clearly understands the importance of safeguarding PHI, is detail-oriented, and can work well with senior management and staff to ensure that everyone on the team is on board with HIPAA compliance. This person (or people) will also need to work with vendors (business associates) to whom your organization may entrust PHI. As a legal requirement, business associates must sign a Business Associate Agreement (BAA) that acknowledges their obligations to protect PHI that is in their care, both at rest (that is, data that is stored) and in transit (in other words, as it is being transmitted).

If your organization is like most others in the healthcare field, it’s likely that you rely on transmitting PHI via fax. If so, then it’s important you understand the implications and choose a cloud fax provider who clearly understands HIPAA, has put stringent security measures in place, and will sign a BAA that meets your needs. If your organization needs HIPAA-compliant fax, we’d love to talk with you. Contact us to learn more.