The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that healthcare providers, insurers, and other so-called “covered entities” assign someone in their organization to the role of HIPAA compliance officer. This extends to business associates as well, that is, the organizations with whom covered entities routinely share protected health information (PHI). Business associates include companies that provide e-mail or other IT services, billing agencies, or anyone else who comes into contact with PHI.
But what exactly does a HIPAA Compliance Officer do? Here is a list of the primary responsibilities that person must perform:
Many organizations select an existing employee to serve as the HIPAA Compliance Officer. However, HIPAA rules allow companies to outsource the position to a third-party consultant, either temporarily or permanently. In organizations where existing staff has limited time, that kind of arrangement can ensure that HIPAA compliance gets the focused attention that it deserves.
In larger organizations, the role of HIPAA Compliance Officer may be subdivided into two separate roles: Privacy Officer and Security Officer. This ensures that the totality of the job can be adequately addressed when an organization must deal with a higher level of complexity.
In this case, a HIPAA Privacy Officer focuses on the following areas:
A HIPAA Security Officer, in contrast, typically has the following responsibilities:
The roles of HIPAA Privacy Officer and Security Officer often overlap. The primary difference is in focus. The Security Officer tends to cover technology and electronic PHI (although it certainly can include physical security measures as well), whereas the Privacy Officer tends to be more focused on policies, procedures, and “the human element”, including the handling of complaints and investigations.
In both of those roles, as well as in the combined role of HIPAA Compliance Officer, it’s important to identify someone who clearly understands the importance of safeguarding PHI, is detail-oriented, and can work well with senior management and staff to ensure that everyone on the team is on board with HIPAA Compliance. This person (or people) will also need to work with vendors (business associates) to whom your organization may entrust PHI. As a legal requirement, business associates must sign a Business Associate Agreement (BAA) that acknowledges their obligations to protect PHI that is in their care, both at rest (that is, data that is stored) and in transit (in other words, as it is being transmitted).
If your organization is like most others in the healthcare field, it’s likely that you rely on transmitting PHI via fax. If so, then it’s important you understand the implications and choose a cloud fax provider who clearly understands HIPAA, has put stringent security measures in place, and will sign a BAA that meets your needs. If your organization needs HIPAA-compliant fax, we’d love to talk with you. Contact us to learn more.