Under the HIPAA Security Rule, covered entities and business associates are required to implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI). The administrative safeguard provision of the HIPAA regulations is broken into a series of standards whose requirements must be met.
One of these standards is known as the Assigned Security Responsibility Standard. The standard requires that covered entities and business associates designate a HIPAA Security Official (sometimes referred to as a “security officer”). The responsibilities of the HIPAA Security Official are discussed below.
What Are the Responsibilities of the HIPAA Security Official?
The security official must be responsible for developing and implementing the policies and procedures required by the HIPAA Security Rule.
The requirement to designate a Security Rule Security Official is comparable to the Privacy Rule Personnel Designations Standard. That standard requires designation of a Privacy Official, who is responsible for developing and implementing privacy policies and procedures.
The HIPAA Security Official and Privacy Official can be the same person, but are not required to be. Furthermore, under the Security Rule, while one individual must be designated as having overall responsibility, other individuals in the covered entity or business associate may be assigned specific security responsibilities. For example, an individual other than the Security Officer may be tasked with facility security responsibility, while yet a third individual may be tasked with network security responsibilities.
What Should Covered Entities Consider Before Designating a HIPAA Security Official?
Before designating a HIPAA Security Official, organizations should consider whether it would serve the organization’s needs to designate the same individual as both the Privacy and Security Official. In a small medical office with few staff members, it may be sensible to designate the same individual as both Privacy and Security Official.
Before designating the Security Official or Security Officer, the organization should also agree upon, identify, and document the responsibilities of the Security Official. In addition, the organization should tailor the responsibilities of the Security Official to “fit” the organization’s size, complexity, and technical capabilities. This means, among other things, ensuring that the Security Official can actually fulfill the responsibilities assigned to him or her. If, for example, an organization is sufficiently large that tasking the Security Official with ALL security responsibilities would be impractical, the entity should consider tasking other individuals with specific security responsibilities (i.e., one person can be tasked with network security responsibilities, while another can be tasked with mobile device or app security responsibilities).
