A compliance manager doesn’t necessarily need to have a background in HIPAA compliance. However, the compliance manager is responsible for managing their organization’s compliance program. Generally, this role is filled by an employee with other job responsibilities such as an office or practice manager.

What are the Responsibilities of a Compliance Manager?

A compliance manager must ensure that their organization has an effective HIPAA compliance program. This includes:

  • Self-audits: the Department of Health and Human Services (HHS) requires organizations working with protected health information (PHI) to complete self-audits annually to assess their safeguards securing PHI. HIPAA covered entities (CEs) are required to complete six annual audits, while HIPAA business associates (BAs) and managed service providers (MSPs) are required to complete five.
  • Gap identification and remediation plans: an essential component of HIPAA compliance is identifying your gaps and addressing those gaps with remediation plans. Once you have completed your self-audits in our HIPAA platform, gaps are automatically identified. Then our Compliance Coaches create remediation plans for you to implement, allowing you to close your gaps.
  • Policies and procedures: policies and procedures dictate the proper uses and disclosures of PHI by staff members. They also describe the safeguards you have in place to protect PHI. Policies and procedures identify your Privacy Officer, Security Officer, and Compliance Officer. They should also include a section describing how to report a suspected breach and to whom a breach should be reported.
  • Employee training: training is also required annually. Employees must be trained on HIPAA standards as well as your organization’s policies and procedures. Employee training educates staff members on HIPAA requirements, the proper uses and disclosures of PHI, how to recognize a possible breach, to whom breaches should be reported, and how social media may be used.
  • Business associate management: to be HIPAA compliant, organizations must vet their vendors to ensure that they are adequately protecting the PHI that they create, maintain, store, or transmit on the organization’s behalf. Once vendors have been vetted, the next step is to send them business associate agreements (BAAs). A BAA is a legal document that dictates the safeguards the business associate must have in place. It also limits the liability for both signing parties in the event of a breach as it states that each party is responsible for maintaining their own compliance. Lastly, a BAA determines which party is responsible for reporting a breach, should one occur.
  • Incident management: organizations that experience a healthcare breach, whether it is internal or external, are required to report the incident. Employees must have the ability to report suspected breaches anonymously.
