HIPAA Privacy Officer vs. Security Officer – what’s the difference?


Understanding HIPAA compliance requires knowing the distinct roles of a HIPAA Privacy Officer and a HIPAA Security Officer. This article breaks down their separate responsibilities, shows where the two roles overlap, and explains why both are required for protecting patient information.

What’s Required?

The Health Insurance Portability and Accountability Act (HIPAA) regulations call for both a HIPAA Privacy Officer and a HIPAA Security Officer. The requirement for a Privacy Officer (the rule's own term is "privacy official") is found in the HIPAA Privacy Rule; the requirement for a Security Officer ("security official") is found in the HIPAA Security Rule. Every covered entity is subject to both rules, and some organizations combine the two roles into a single HIPAA Compliance Officer position. Whoever holds them, the roles carry distinctly different responsibilities.

A small organization such as a single-physician practice may find it a real stretch to employ a full-time Privacy Officer, but that does not remove the requirement to assign the duties of a privacy official to a named person. And no organization wants to be assessed penalties for HIPAA violations or to appear on the HHS Office for Civil Rights breach portal, commonly called the HIPAA "Wall of Shame," which publicly lists breaches affecting 500 or more individuals.


Roles and Responsibilities of a HIPAA Privacy Officer

The HIPAA Privacy Rule states one specific responsibility for the privacy officer, or "privacy official" as the rule calls the role: covered entities must designate a privacy official responsible for developing and implementing the organization's privacy policies and procedures. That simple statement covers a lot of ground, and in practice the position's duties run to long lists of responsibilities such as the following.

  1. Establish and serve as Chair of the Privacy Committee, which is charged with monitoring regulatory requirements, developing an organization-wide privacy program, and implementing appropriate strategies to promote compliance with the program.
  2. Initiate general privacy and HIPAA awareness programs.
  3. Collect and inventory all privacy and/or confidentiality policies and procedures, including unwritten procedures currently in use.
  4. Perform gap analyses based on the outcome of policy inventories. Coordinate with Senior Management to develop and maintain an organization-wide Privacy Policy.
  5. Conduct studies of current information exchange and data flow within and between outside agencies and internal programs, including exchanges with other contract providers and vendors.
  6. Perform and/or oversee initial and periodic information and privacy risk assessments and conduct related ongoing compliance monitoring activities in coordination with the organization’s other compliance and operational risk management functions.
  7. Inventory all existing business associate and trading partner relationships with outside contract providers, vendors, and consultants; maintain an inventory of current and past business associate agreements.
  8. Coordinate with the relevant legal consultants to develop, execute, and monitor all business associate and trading partner agreements, to ensure all legal requirements are met.
  9. Coordinate with consultants, experts, or legal counsel regarding impacted programs to develop all legally required documents and forms including, but not limited to, Notice of Privacy Practices, Consent, Authorization, and Requests to Access/Amend Records, Request to Restrict Access, and Denial of Access or Amendment.
  10. Work closely with affected programs, consultants, and/or legal counsel to establish criteria that meet HIPAA requirements, including, but not limited to, procedures for:
    1. release of information,
    2. review of non-routine requests,
    3. verification of identity,
    4. setting minimum necessary standards,
    5. sharing of PHI with other entities,
    6. de-identification of Protected Health Information,
    7. breach notification,
    8. encryption of electronic data,
    9. accounting of disclosures,
    10. physical security standards,
    11. electronic security standards,
    12. security incident procedures,
    13. disaster recovery plans, and
    14. internal auditing and monitoring plans.
  11. Develop and implement a comprehensive training and education process for all employees and contract employees, including a system for tracking and documenting ongoing employee training in HIPAA Privacy and Security policies.
  12. Coordinate with appropriate legal counsel to develop and monitor appropriate sanctions policies as required by HIPAA, for failure to comply with the organization’s privacy program.
  13. As part of the HIPAA regulations implementation and compliance plan, coordinate with the Security Officer and outside providers to ensure policies and procedures relating to cyber privacy and security are developed and implemented for the organization’s hardware, software, and telecommunications systems.
  14. As part of the HIPAA compliance plan, coordinate with the Fiscal Officer or individual(s) responsible for health care billing to ensure systems subject to federal regulations are identified and necessary vendor and /or partner communications are initiated. Ensure required remediation of systems is implemented before deadlines for compliance with electronic standards.
  15. Serve as liaison to regulatory agencies, both state and federal, for privacy and security-related activities.
  16. Coordinate the receipt of complaints and inquiries and investigations about the organization’s privacy, security, and compliance programs; maintain confidential files of complaints, inquiries, and investigations of HIPAA Privacy or Security complaints or breaches.
  17. Develop policies for documenting and reporting self-disclosures and breach notifications based on evidence of privacy violations.
  18. Plan and oversee periodic internal reviews of operations to identify and rectify possible barriers to compliance with the privacy program.
  19. Prepare effective, clear, and concise status reports.
  20. Prepare annual reports regarding the status of the organization’s Privacy Program.
  21. Maintain awareness of changes in HIPAA Privacy and Security Rules; make changes to existing policies, procedures, and practices to comply with regulatory changes or updates; ensure staff members and contractors are notified and trained in new policies, procedures, and practices related to changes in HIPAA Privacy and Security Rules.
  22. Represent the organization effectively at meetings, before boards, commissions, and committees.
  23. May coordinate and supervise subordinate staff, related to HIPAA and Privacy issues.


HIPAA Privacy Officer Certification

There is no regulatory requirement for covered entities to employ or contract for a "certified" HIPAA Privacy Officer, and no regulation defines what such a certification should include. Several training programs nevertheless offer certifications, and many of the same organizations also offer workforce privacy training. For a large covered entity employing a full-time HIPAA Privacy Officer, investing in, or requiring, certification from a reputable training program is advisable.


HIPAA Security Officer Duties and Responsibilities

The requirement for a HIPAA Security Officer is found in the Administrative Safeguards section of the HIPAA Security Rule. Much like the Privacy Rule's description of the privacy official, the Security Rule requires the covered entity to identify a security official who is responsible for developing and implementing the policies and procedures required by the Security Rule. Nothing in the rule prevents the Privacy Officer and Security Officer from being the same person, and HHS guidance acknowledges that they may be. The standard also permits assigning specific security responsibilities to other individuals, as long as one individual is identified as having overall responsibility.

The Security Officer's job touches almost every aspect of information security in a covered entity that creates, receives, maintains, or transmits electronic protected health information (ePHI). A short list of the Security Rule standards the Security Officer must oversee includes:

  1. Conduct a risk analysis and manage the risks it identifies.
  2. Establish an information system activity review: regular review of audit logs, access reports, and security incident tracking reports.
  3. Participate in administering the sanctions policy for workforce members who fail to comply with security policies and procedures.
  4. Establish policies and procedures for authorizing and controlling access to ePHI.
  5. Ensure there are termination procedures for revoking access when a workforce member leaves or no longer needs access to ePHI.
  6. Implement a security awareness and training program for all workforce members with access to ePHI.
  7. Develop procedures for guarding against, detecting, and reporting malicious software.
  8. Implement policies and procedures to identify, respond to, document, and mitigate security incidents.
  9. Establish a contingency plan covering data backup, disaster recovery, and emergency mode operation.
  10. Perform periodic technical and nontechnical evaluations in response to environmental or operational changes that affect the security of ePHI.


Overlap Between a HIPAA Privacy Officer’s Role and a HIPAA Security Officer’s Role

There are clearly overlapping areas between security practices and privacy concerns in covered entities, which are subject to both the Privacy Rule and the Security Rule.

  • Patient privacy breaches usually require a joint response. An organization that suffers a breach involving ePHI must address the physical and technical aspects of the breach, which is the Security Officer's role. The Privacy Officer is typically responsible for notifying affected patients and reporting to the Department of Health and Human Services (HHS), and, where required, to state authorities and the media. Both officers are usually involved in incident management and in applying the sanctions policy where workforce misconduct contributed to the breach.
  • Both members of the HIPAA compliance team have responsibilities for workforce training. Administering the Privacy Rule's provisions, such as releasing copies of medical records to patients, is complicated, so training matters. Likewise, training on protecting user access to electronic health information systems is vital.
  • Risk assessments and the evaluation of business associates are further examples where both perspectives on the HIPAA rules are necessary. A risk assessment covers technical safeguards as well as administrative and physical safeguards and workforce practices. Business associates must likewise be evaluated for the technical and administrative safeguards they apply to the protected health information they handle on the organization's behalf.

One final point: every healthcare provider that creates and maintains protected health information must have a privacy official and a HIPAA-compliant privacy program. The Security Rule applies specifically to ePHI, so its safeguards, and the security official requirement, bear on organizations that create, receive, maintain, or transmit patient health information in electronic form, which today is nearly all of them. Since the 2013 Omnibus Rule, business associates are directly subject to the Security Rule as well.

Achieving and maintaining HIPAA compliance is a big job. Outsourcing HIPAA Security Officer and HIPAA Privacy Officer functions is a feasible option for many healthcare provider organizations. However, an organization's compliance depends not only on its HIPAA compliance team but on everyone who has access to the organization's protected health information. Effective leaders are important, but so are conscientious followers.


Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPAs, MSOs, and other healthcare organizations.