What is the role and purpose of a HIPAA compliance officer?
In your organization, who is responsible for ensuring HIPAA compliance? The Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities and all their business associates assign someone to the role of HIPAA compliance officer. This person doesn’t necessarily need to be an internal employee. It’s perfectly acceptable to outsource the job, and in many instances, outsourcing may be the ideal way to go.
Congress passed HIPAA in 1996 to protect confidential health information by providing standards for organizations to deal with patient health records. It later enacted the HITECH Act to handle the emergence of electronic health records.
A HIPAA compliance officer is responsible for implementing and maintaining programs to adhere to HIPAA and HITECH. Today we’ll take a thorough look at the role the compliance officer plays. From there, you can decide whether you should assign this role to an existing employee, hire someone full time or outsource the job completely.
Responsibilities of the HIPAA compliance officer
The following are common responsibilities of a compliance officer:
- Develop a HIPAA-compliant privacy program or administer an existing one. The program must maintain the safety of PHI.
- Enforce the organization’s privacy policies.
- Monitor changes to the HIPAA rules. Update policies regularly so they comply with new HIPAA regulations.
- Create training materials and courses to teach employees about the organization’s privacy program. Any employee who deals with PHI or ePHI will need to understand procedures for maintaining privacy.
- Conduct risk assessments on HIPAA compliance. The compliance officer may conduct the assessments personally or engage a consultant to conduct a HIPAA risk analysis.
- Provide patients with a user-friendly explanation of their rights under HIPAA per the notice of privacy practices.
- Investigate and respond to complaints of HIPAA non-compliance.
- Act as a resource to employees/staff and Business Associates regarding HIPAA regulations. Be available to answer all questions regarding the rules governing PHI.
- Keep abreast of all state and federal laws concerning patients’ rights. When laws are changed, or new regulations are introduced, the compliance officer must modify the organization’s program to include the changes.
Roles of privacy officers and security officers
In large organizations, one person can’t usually take on the many responsibilities of the HIPAA compliance officer. In these instances, the role may need to be divided between two individuals: the privacy officer and the security officer.
A privacy officer is responsible for the development and implementation of a HIPAA-compliant privacy program. Or, if one already exists, the privacy officer oversees it to ensure the program remains HIPAA-compliant.
Duties of the privacy officer include:
- Implementing HIPAA-compliant privacy programs.
- Conducting employee training on HIPAA policies.
- Conducting risk assessments for HIPAA violations.
- Investigating breaches and reporting them to the necessary authorities when required.
- Keeping apprised of the most recent laws regarding patient privacy.
Security officers play a similar role to the privacy officer. They are responsible for implementing procedures, training employees, conducting risk assessments, and monitoring compliance. Yet, the focus for the security officer is more on the administrative, physical and technical safeguards of the Security Rule.
Duties the security officer may be responsible for include:
- Implementing the technology to keep PHI protected.
- Developing a company-wide disaster recovery plan.
- Preventing unauthorized access to PHI.
- Implementing procedures for transmitting electronic PHI (ePHI).
- Determining how to properly store ePHI.
Because the duties of the privacy officer and security officer often overlap in smaller organizations, one compliance officer usually fulfills both roles.
Qualifications for a HIPAA compliance officer
Now that we’ve talked about the role and purpose of compliance officers, let’s consider what qualifications you should look for when appointing someone to this role. This can help you determine whether you want to hire a full-time compliance officer, appoint an existing employee or outsource the job.
Skills and abilities:
- Strong organizational abilities.
- Attention to detail.
- Excellent analytical abilities.
- Four-year degree in the health care field.
- Familiarity with health care legislation and standards for protecting PHI.
- Problem-solving, teamwork, and collaborative abilities.
- Demonstrated skills in communication, including writing abilities.
- Thoroughly understand various HIPAA laws and the HITECH Act.
- Stay updated about constantly changing regulations.
- Deal with customer complaints in a compassionate and empathetic manner.
- Create training programs for employees who deal with PHI.
- Implement programs to keep private information secure.
- Understand and enforce the HIPAA Breach Notification Rule.
- Work with senior management to establish governance for the privacy program.
- Develop strategies to promote compliance with staff.
- Create and implement the process for the investigation of privacy complaints.
- Cooperate with the OCR and state attorneys general regarding investigations and compliance reviews.
Outsourcing your HIPAA compliance officer function
As discussed, the successful compliance officer completes a variety of tasks. Understanding the importance of adhering to HIPAA regulations is critical to avoiding breaches. HIPAA breach penalties can be severe and costly for healthcare organizations and their business associates. The compliance officer plays a vital role in your organization. Unless you have an employee (or, in a large organization, two employees) who can take on the job full-time, an employee with an already full workload may find it hard to fulfill all of the role’s responsibilities.
An outsourced compliance officer will have experience working in a variety of settings with different challenges, giving them insight into what works best for your organization.
Hiring a full-time worker to fulfill these roles is not always cost-effective for a smaller organization. It may be worthwhile to look into outsourcing the compliance officer role, and this comes with several benefits:
- An outsourced compliance officer is already well-versed in HIPAA regulations. There’s no learning curve and no need to spend time and money training the consultant.
- The consultant is highly familiar with HIPAA and related laws and has the time and resources to keep vigilant regarding the latest updates to the rules.
- The organization can save money by not needing to hire one or two full-time employees for this position, which would require pay and benefits.
- The staff has professional assistance in implementing HIPAA privacy programs.
- The organization gains an independent and objective assessment of its HIPAA program. An objective third party has no previous investment in the program and can deliver fresh insights that the staff person may have otherwise overlooked.
What to expect next in the year ahead
Your compliance officer needs to keep abreast of the latest policies and trends for HIPAA. Here are some big changes coming this year.
- The National Patient Identifier ban could be lifted. When HIPAA was originally passed in 1996, it established a National Patient Identifier (NPI). Proponents of the NPI believed it would help match patient records and minimize errors. However, objections to the identifier center on the danger it poses to patient privacy. So, right after the NPI passed, Congress overruled it and has withheld the funding ever since. In June 2019, Congress voted to lift the ban. But in September of that year, the Senate once again voted to uphold the ban. However, the ban might still be lifted later this year. A thorough compliance officer must watch for what becomes of this ruling. If the safety and privacy issues can be worked out, a unique patient identifier could greatly reduce medical errors and help ensure hospitals accurately match patient information.
- Social media is a venue for HIPAA violations. Social media has grown immensely and shows no signs of slowing. It’s a new tool that organizations can use to communicate conveniently with patients; however, it must be used with caution. And social media becomes a critical communication tool in a crisis! Proper training and policies related to social media can prevent many mishaps from occurring in your organization. Your compliance officer must be well-versed in HIPAA regulations as they apply to social media.
- State attorneys general (AGs) are getting involved. State AGs used to stay out of enforcing HIPAA rules. However, this is changing. You need to be aware that not only is the Office for Civil Rights enforcing HIPAA, but state AGs are getting in on the act as well. State AGs have begun to combine efforts and initiate multi-state lawsuits against healthcare organizations. In 2009 HITECH gave state AGs the right to bring civil actions on behalf of their residents for violations. Now states are banding together to bring suits for breach of PHI. At the end of 2018, 12 state AGs filed a collective lawsuit against Medical Informatics Engineering. Led by Indiana, the suit grew to 16 states and a payout of $900,000. Compliance officers need to keep an eye on these trends!
The HIPAA compliance officer’s exact role and duties in your organization will vary. You won’t be able to determine exactly what the duties of a compliance officer are from the HIPAA guidelines. The law leaves this open for companies to determine because every organization has its own unique requirements. You can view The Fox Group’s effective corporate compliance program checklist to help you outline your compliance officer’s responsibilities.