How to choose your HIPAA security officer
One of the requirements of the Health Insurance Portability and Accountability Act (HIPAA) is to name a security officer. In smaller practices, the position of security officer is often filled by default, by whoever appears to have the time to fill it.
However, taking some time to consider the talents and skills of each staff member could mean the difference between having a security officer who is truly dedicated to getting the job done, and having one in name only.
Diane Robben, JD, of Sandberg Phoenix & von Gontard, in St. Louis, Missouri, says one of the most important steps a practice can take regarding HIPAA is developing a culture of compliance. “Unless compliance is built into daily operations, and the staff is living and breathing it,” says Robben, then all you will have is a set of policies in a binder on a shelf, which are unlikely to be useful in the event of a data breach.
Privacy vs. security officer
HIPAA requires practices to name both a privacy officer and a security officer. The two roles do have some overlap; however, Robben suggests that having two separate people fill them allows for checks and balances. Both the privacy officer and the security officer need a thorough understanding of how the practice operates and where the problems with compliance are most likely to occur, as well as a good idea of what will motivate the staff. They both need to be connected to every part of the practice, from the doctors and nurses to the billing and front office staff.
One big difference between the two roles is that the security officer needs to be more focused on the IT and technology side of operations. “They have to know where your (personal health information) PHI lives,” says Robben. Every medical practice has PHI that must be protected, whether it is contained in paper charts or, more likely, in an electronic health record (EHR) system accessible from networked computers, online or even through mobile applications. Each technological innovation brings along a security risk, and the security officer should be aware of each of those risks.