The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires all doctors, dentists, chiropractors, and other covered entities to designate a Security Officer. Unfortunately, many covered entities turn a blind eye to this stipulation, assuming it's of little-to-no concern to them. But failure to designate a Security Officer may result in violation and potential fines handed down by the Health and Human Services (HHS).
Job Description of HIPAA Security Officer
The Security Officer is responsible for managing and maintaining the security policies, techniques, procedures and technical applications of the covered entity's Protected Health Information (PHI). Long story short, this individual is responsible for ensuring the entity's data is safe and secure. The Security Officer is the team leader regarding compliance of the HIPAA Security Rule, which is why it's important for him or her to familiarize themselves with the nuances of this Rule (see http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/ for more information on the HIPAA Security Rule).
Electronic Protected Health Information
The Security Officer must implement meaningful and appropriate measures to prevent Electronic Protected Health Information (ePHI) from being disclosed or accessed by unauthorized individuals or organizations. This may include the use of encryption, firewalls, unique identifier codes (e.g. employees are given their own login name or number), and other measures.
One of the responsibilities of the HIPAA Security Officer is to train new and existing employees on the awareness of security threats. You have to remember that most nurses and healthcare professionals aren't trained on cybersecurity and privacy in medical school. This training comes afterwords in the form of HIPAA compliance. The covered entity for whom they work's Security Officer must train them on potential cyber threats and privacy risks, as well as the specific Rules regarding HIPAA.
The Security Officer is also responsible for handling audits. Whether internal or external, audits typically fall on the shoulders of the Security Officer. When an individual or organization performs an audit of the covered entity's practices, the Security Officer must go through each and every element identified, implementing the necessary changes to fix them.
These are just a few of the many responsibilities of the Security Officer. It's important to note that HIPAA also requires covered entities to designate a Privacy Officer. While the two jobs may sound similar, there are subtle differences between them that shouldn't go unnoticed. Check back with our blog for a description of the HIPAA Privacy Officer.