How to choose your HIPAA security officer

One of the requirements of the Health Insurance Portability and Accountability Act (HIPAA) is to name a security officer. In smaller practices, the position of security officer is often filled by whoever appears to have the time to fill it.

However, taking some time to consider the talents and skills of each staff member could mean the difference between having a security officer who is truly dedicated to getting the job done, and having one in name only, says Diane Robben, JD, of Sandberg Phoenix & von Gontard, in St. Louis, Missouri.

Privacy vs. security officer

HIPAA requires practices to name both a privacy officer and a security officer. The two roles do have some overlap, however, Robben suggests that having separate people fill them allows for checks and balances. 

A significant difference in the two roles is that the security officer needs to be more focused on the  technology side of operations. The security officer needs to know whether or not physicians and staff members are accessing protected health information (PHI) from their phones or tablets, whether there is even a remote possibility of a laptop containing accessible PHI being lost or stolen, and where physical charts are located within the office.

“The security officer has to understand all of that and then develop policies to help control PHI and to keep it safe,” Robben says.

Recruiting staff vs. outsourcing

In smaller practices, staff members may lack technological know-how. Robben says that is not a terrible handicap, even for the security officer.

“The security officer doesn’t have to have all the answers,” she says, “but they do need to be able to [identify] the issues,” and know when to ask for help.

Having an outside firm come in to help audit security practices or to strengthen a firewall is reasonable and often necessary. Robben notes that in smaller practices, “often decisions are made on a financial basis,” and risks must be prioritized.

Robben says a common question among small-to-medium sized practices is whether it is possible to outsource the role of HIPAA security officer. Robben strongly advises against having an IT company serve as the HIPAA security officer for a practice, as “you are not going to have the cultural shift within the organization without someone having the responsibility.”

Find a proactive person

Rather than naming a staff member who will simply take responsibility for the role of security officer, practices should look for an individual who will seek out educational opportunities, read the latest HIPAA and technology news and look for chances to learn.

“You want someone who is going to be proactively looking at the systems and the organization and who will take steps to tighten things down instead of waiting to react when something happens,” says Robben, “because something is going to happen.” 

She offers the example of a stolen laptop, noting that if the security officer has done a good job, the practice is facing a rather small property loss and not an expensive and potentially embarrassing data breach with possible legal ramifications.