The job of security officer should not be given out by default or assigned to a staffer who takes it on because “no one else is doing it.” HIPAA requires physician offices to have a security officer. The role should be proactive and ongoing. If a practice does not have a security officer named—or it does, but the officer has not picked up a procedure manual in months—it is time to make a change. Following are a few tips for ensuring your office is doing it right.
Who does it?
One staffer who should not hold the position of security officer is the physician. Because doctors have so much on their plate with their clinical work, HIPAA compliance will be “nonexistent if the doctor gets it,” said Roman Diaz, president of Touchstone Compliance in San Diego.
In many offices, the role of security officer falls to office managers—one of many hats they perpetually wear. This can work, in part, because they often are the person to whom staffers go when problems arise. The security officer should be managing daily HIPAA issues as the “conscience of the organization around HIPAA,” Diaz said.
The security officer should clearly be someone familiar with HIPAA, but should also be able to communicate well with staff and have a basic understanding of IT and security issues.
If no one in-house fits these qualifications, you may have to look outside of the organization. It is best to avoid placing someone in a position where they are in over their head, said Kevin Beaver, an information security consultant with Principle Logic LLC of Acworth, GA.
“That may go well for a while but once a breach occurs, it’s going to be tricky trying to justify to opposing counsel, a judge, or a jury what you thought was a good idea,” he said.
When a security officer is named, do not keep it a secret. Everyone in the office should know who he or she is and how to reach this person should problems arise.
“If there is an unannounced audit, they [auditors] will ask to see the security officer,” Diaz said. “If they get a blank stare, that’s not a good sign.”
There should, in fact, be a document created with the person’s name, contact information, and job responsibilities. HIPAA regulations require this kind of documentation for the position. One way to do this is to copy the relevant requirements from the regulations and add them to the individual’s job description. Templates for this documentation can also be found online.
While it may be simple to create the paperwork necessary to prove you have a security officer, it takes a lot more documentation to prove they are doing their job. “It has to be implemented with demonstrable evidence that the role is functional in day-to-day or, at least, week-to-week security oversight,” Beaver said.
Some things the security officer should be doing and documenting include:
- Maintaining a training log that shows frequency of training for themselves, staff, and new hires
- Completing security logs
- Keeping a policies and procedures manual and ensuring everyone has access to a copy—particularly in areas that pertain to them
On top of keeping documentation of their own tasks, security officers should ensure the staff is performing their HIPAA duties as outlined in the plan. Should an audit occur, the auditor will interview people to see what they are doing in comparison with the documented policies and procedures. “If it isn’t a match, there is a problem,” Diaz said.
As with many administrative tasks in an office, things often begin with a bang and get placed on the back burner over time. This should not be the case with a security officer. This person should set aside some time each week for tasks like assessing risk, reviewing mitigation plans or training staff.
“HIPAA is like quality: you never achieve it,” Diaz said. “It is a moving target and you can always work on it.”
Security Officer Responsibilities
HITECH Security Advisors LLC offers a job description template online. Included is a listing of security officer responsibilities:
- Develops, enforces, and trains staff on information security policies and procedures.
- Maintains security policies including administrative, physical and technical safeguards.
- Maintains security procedures, including compliance, disaster recovery, incident response, testing, improvement, and documentation of security incidents.
- Works to guard against unauthorized access to electronic protected health information through measures including encryption, access control and authentication.
- Monitors information systems on an ongoing basis.
- Undertakes periodic risk assessments.
- Performs gap analyses.
- Provides ongoing staff training and awareness programs.
- Acts as a HIPAA resource and reports security activities to a compliance committee.
- Manages security of EHRs and health information with patients and external vendors.