The HIPAA Privacy Rule requires every Covered Entity that creates, receives, maintains, or transmits protected health information (PHI) to designate a privacy official, regardless of its size; the HIPAA Security Rule separately requires a security official for ePHI, and in smaller organizations one person often holds both roles. In larger firms there will typically be a dedicated HIPAA privacy officer, whereas in smaller firms the role might fall on an employee who also has administrative or IT responsibilities. Below, we’ve outlined some of the key features of the role of a HIPAA privacy officer, along with what they should be expected to know when it comes to maintaining HIPAA compliance.
HIPAA Privacy Officer Duties and Responsibilities:
Privacy Oversight Committee
A Privacy Oversight Committee is primarily responsible for overseeing the protection of the privacy and integrity of a firm’s PHI. Subcommittees should be formed from the members of the Privacy Oversight Committee to specifically handle risk, safety, quality, compliance, and audits, with one steering committee to coordinate responsibilities among all of them. Committees should be assembled with a few key points in mind:
- Specific oversight roles should be assigned to each member of the steering committee. The steering committee’s primary responsibility should be maintaining oversight of the privacy and security measures being carried out by the various subcommittees.
- Monitoring privacy and information security should be assigned to one of the subcommittees.
- Committee members must undergo regular training to stay informed of changes to HIPAA regulations and to applicable state privacy laws, so that the resulting requirements can be incorporated into privacy policies and procedures.
Notice of Privacy Practices (NPP)
The HIPAA Privacy Rule requires Covered Entities (CEs) to develop and distribute (or post) an NPP that clearly explains patients’ rights with respect to how their PHI is used and disclosed, as well as the CE’s overall privacy practices. The HIPAA privacy officer is responsible for keeping the NPP up to date with changes in regulatory requirements and in the firm’s own procedures, as an outdated or missing NPP is one of the most common HIPAA violations.
Business Associate Agreements
A Business Associate Agreement (BAA) is a written contract between a CE and a Business Associate (BA) that sets out the permitted and required uses and disclosures of PHI by the BA, obliges the BA to implement appropriate safeguards for that PHI, and requires the BA to report security incidents and breaches to the CE. Wherever the BA passes PHI to subcontractors, those subcontractors must be bound by equivalent agreements. It is the HIPAA privacy officer’s responsibility to keep BAAs thorough and up to date.