
Appointing a HIPAA Privacy and Security Officer

In a previous article, Small Healthcare Providers and HIPAA Compliance, it was noted that many small to mid-sized healthcare offices are less likely to appoint a HIPAA Privacy Officer and a HIPAA Security Officer. Part of the challenge is that privacy and security officers are hard to find across many sectors. The healthcare industry, which requires candidates with in-depth knowledge of HIPAA and HITECH, can make filling the position even more difficult. However, as HIPAA rules and technology continue to evolve, this is one area where adhering to the HIPAA mandate can keep smaller offices from experiencing a privacy breach.

Understanding the responsibilities of each officer can help smaller organizations find existing or new employees who may fit the requirements with little or no additional training.

Responsibilities of a HIPAA Privacy Officer

According to the American Health Information Management Association (AHIMA), a privacy officer’s responsibilities include:

  • Builds a strategic and comprehensive privacy program that defines, develops, maintains and implements policies and processes that enable consistent, effective privacy practices which minimize risk and ensure the confidentiality of protected health information (PHI), paper and/or electronic, across all media types. Ensures privacy forms, policies, standards, and procedures are up-to-date.
  • Works with organization senior management, security, and corporate compliance officer to establish governance for the privacy program.
  • Serves in a leadership role for privacy compliance.
  • Collaborates with the information security officer to ensure alignment between security and privacy compliance programs including policies, practices, investigations, and acts as a liaison to the information systems department.
  • Establishes, with the information security officer, an ongoing process to track, investigate and report inappropriate access and disclosure of protected health information. Monitors patterns of inappropriate access and/or disclosure of protected health information.
  • Performs or oversees initial and periodic information privacy risk assessment/analysis, mitigation and remediation.
  • Conducts related ongoing compliance monitoring activities in coordination with the organization's other compliance and operational assessment functions.
  • Takes a lead role, to ensure the organization has and maintains appropriate privacy and confidentiality consents, authorization forms and information notices and materials reflecting current organization and legal practices and requirements.
  • Oversees, develops and delivers initial and ongoing privacy training to the workforce.
  • Participates in the development, implementation, and ongoing compliance monitoring of all business associates and business associate agreements, to ensure all privacy concerns, requirements, and responsibilities are addressed.
  • Works cooperatively with the Health Information Management (HIM) Director and other applicable organization units in overseeing patient rights to inspect, amend, and restrict access to protected health information when appropriate.
  • Manages all required breach determination and notification processes under HIPAA and applicable State breach rules and requirements.
  • Establishes and administers a process for investigating and acting on privacy and security complaints.
  • Performs required breach risk assessment, documentation, and mitigation. Works with Human Resources to ensure consistent application of sanctions for privacy violations.
  • Initiates, facilitates and promotes activities to foster information privacy awareness within the organization and related entities.
  • Maintains current knowledge of applicable federal and state privacy laws and accreditation standards.
  • Works with organization administration, legal counsel, and other related parties to represent the organization's information privacy interests with external parties (state or local government bodies) who undertake to adopt or amend privacy legislation, regulation, or standard.
  • Cooperates with the U.S. Department of Health and Human Services' Office for Civil Rights, State regulators and/or other legal entities in any compliance reviews or investigations.
  • Serves as information privacy resource to the organization regarding release of information and to all departments for all privacy related issues.

Responsibilities of a HIPAA Security Officer

AHIMA describes the responsibility of a HIPAA Security Officer as one who:

  • Builds a strategic and comprehensive information security program that defines, develops, maintains and implements policies and processes that enable consistent, effective information security practices which minimize risk and ensure the integrity, confidentiality and availability of information that is owned, controlled and processed within the organization. Ensures information security policies, standards, and procedures are up-to-date.
  • Initiates, facilitates, and promotes activities to foster information security awareness within the organization.
  • Creates a culture of cyber security both with the IT organization and driving behavioral changes for the business.
  • Evaluates security trends, evolving threats, risks and vulnerabilities and applies tools to mitigate risk as necessary.
  • Manages security incidents and events involving electronic protected health information (ePHI).
  • Ensures that the disaster recovery, business continuity, risk management and access controls needs of the facility are addressed.
  • Ensures the institution/organization complies with the administrative, technical and physical safeguards.
  • Collaborates with organization senior management, Privacy Officer, and Corporate Compliance officer to establish governance for the security program.
  • Serves in a leadership role for security compliance.
  • Works closely with the Privacy Officer to ensure alignment between security and privacy compliance programs including policies, practices and investigations, and acts as a liaison to the information systems and compliance departments.
  • Is responsible for initial and periodic information security risk assessment/analysis, mitigation and remediation. Responsible for development and implementation of security risk management plan.
  • Ensures the organization has audit controls to monitor activity on electronic systems that contain or use electronic protected health information.
  • Oversees periodic monitoring and reviewing of audit records to ensure that activity is appropriate. Such activity would include, but is not limited to, logons and logoffs, file accesses, updates, edits and printing.
  • Ensures the organization has and maintains appropriate system use and disclosure / confidentiality statements.
  • Oversees, develops and/or delivers initial and ongoing security training to the workforce. Initiates, facilitates and promotes activities to foster information security awareness within the organization and related entities.
  • Participates in the development, implementation, and ongoing compliance monitoring of all business associates (BAs) and business associate agreements, to ensure security concerns, requirements, and responsibilities are addressed.
  • Assists Privacy Officer as needed with breach determination and notification processes under HIPAA and applicable State breach rules and requirements.
  • Establishes and administers a process for investigating and acting on security incidents which may result in a privacy breach.
  • Partners with Human Resources and Privacy Officer to ensure consistent sanctions for security violations.
  • Maintains current knowledge of applicable federal and state security laws, licensing and certification requirements and accreditation standards.
  • Cooperates with the U.S. Department of Health and Human Services' Office for Civil Rights, State regulators and/or other legal entities, and organization officers in any compliance reviews or investigations.
  • Serves as information security consultant to all departments for all data security related issues.

It’s important to note that if one individual meets the requirements of both officers, it is acceptable for one person to perform both roles. However, many smaller offices tend to appoint an existing office or billing manager to the privacy and security position. In doing that, one or more privacy and security duties may not be performed adequately. It is acceptable for some work to be delegated to others, provided the privacy and security officer makes sure that the work is carried out properly.

For assistance from an I.T. security standpoint, a HIPAA-knowledgeable I.T. professional can help. Data Fast Solutions has been providing HIPAA I.T. services in the Dallas Fort Worth area for many years. If you have any questions about your information technology and HIPAA compliance, contact Data Fast Solutions today!

This article is ©2017 Data Fast Solutions • All Rights Reserved