Who is your “security official”? Executives, have you named someone? Associates and colleagues, do you know who it is? To comply with the HIPAA security Final Rule, each Covered Entity and Business Associate (and soon, likely, subcontractor) must identify a “security official” responsible for developing and implementing HIPAA security policies.
A Covered Entity under HIPAA is any health care provider, health plan, or health care clearinghouse engaged in electronic transactions involving protected health information. Virtually all health care providers are Covered Entities. A Business Associate is any individual or organization that serves a Covered Entity and creates, receives, maintains or transmits protected health information (PHI) or electronic PHI (ePHI) in the course of delivering their services to the Covered Entity.
The HIPAA Security Final Rule Standard 45 C.F.R. § 164.308(a)(2) reads:
Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.
The security official needs a good working knowledge of the HIPAA security standards and how your organization will implement them. Identifying the security official early on and involving that person directly in the implementation process is an easy and effective way to build that working knowledge. The security official should be responsible to a Privacy and Security oversight or governance committee comprising executive team members.
The privacy standards also required the designation of a privacy official, and depending on the size of the organization, it may be a good fit to have the same individual serving as both the privacy and security official.
The complete HIPAA Privacy and Security regulations are here.
More HIPAA HITECH Resources:
The complete HIPAA Privacy, Security and Breach regulations are here.
Latest posts by Bob Chaput (see all)
- Making the case for comprehensive cyber-risk strategies: 10 startling facts that will spur C-suite action - August 8, 2016
- Building Capability and Capacity to Take on Healthcare’s Evolving Security Threats - August 5, 2016
- HIPAA Risk Analysis Tip – The Biggest Risk Management Surprises in the 2016 OCR Audit Protocol - April 11, 2016