Blog Home Page Next article: Privileged Access Management
HIPAA Understood: Assigned Security Responsibility
This series is intended to help those required to be in compliance with HIPAA understand what is required of them. Regulatory standards are often times difficult to understand as they are worded vaguely. By the end of this series, you will have a better understanding of what is required of you by HIPAA. In addition, I will provide suggestions on how to achieve compliance based on what I have seen work most effectively.
To effectively manage any process, you must first identify all personnel who have a critical role in that process and make sure they know a few things. The first thing they should know is that they have a critical role in said process, this seem obvious, but I’ve encountered many instances where the first time a person knew they held a role was during an interview with me about the duties associated with their role. The second thing they should know are the duties associated with their role, similarly to my above statement I have encountered many, many instances where the person who held a certain role had no idea what their responsibilities were. HIPAA requires that that the person responsible for development and implementation be identified.
“164.308(a)(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.”
You may read this rule and assume all you need is to name a person who is responsible for creating and implementing policies and procedures pertaining to HIPAA, however this is one of the few rules where it initially sounds simple but upon further review is much more complicated. So yes, you must identify the individual responsible for these actions. The most efficient method is to have this role formally appointed by a member of senior management (or a board if your organization has one), this role is typically labeled one of the following: HIPAA Privacy Officer, HIPAA Security Officer, and/or HIPAA Compliance Officer.
But the development and implementation of the policies and procedures is a bit more involved than creating some documents and handing them out to the appropriate parties. Treat this development as a living process wherein you are constantly revising the documents based on how they perform; even when they are to a point where they meet all regulatory requirements you are still reviewing them to ensure they are still efficiently meeting said requirements. This ties directly into implementing these documents. You may not be the one implementing every aspect of every policy, let’s hope not anyway, but you should have some oversight and be receiving feedback on the effectiveness of your documents from those responsible for the implementation.
In many situations the HIPAA officer will delegate some or all these responsibilities to other individuals within their organization, the misconception here is that they are no longer responsible for these processes, this is false as HIPAA requires that an individual and not a group be responsible, so the responsibility will still fall to whomever was appointed.
This sounds like a lot more than the rule requires but having a competent person appointed and an efficient method for developing and implementing policies and procedures will establish the foundation of your HIPAA Compliance program.