This entry is part 55 of 59 in the series Complete Guide to HIPAA Security Final Rule

(a) A covered entity must, in accordance with § 164.306:

(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.

Tell Me More:

The Assigned Security Responsibility standard is also the implementation specification.  The objectives of this standard/implementation specification is to identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.  Assigned security responsibility is the practice established by management to administer and supervise the execution and use of security measures to protect data, and to manage and supervise the conduct of the workforce in relation to the protection of data.

The final Security Rule requires that the final responsibility for a covered entity’s security must be assigned to one official – this is to ensure accountability. More than one individual may be given specific security responsibilities, especially within a large organization, but a single individual must be designated as having the overall responsibility for the security of the entity’s electronic PHI. Depending on the size of the organization and other factors, it is possible for the same person to fill the role for both security and privacy.

Implementation is expected to vary widely depending on the size and nature of the covered entity, with small offices assigning this as an additional duty to an existing staff person, large organizations creating a full-time HIPAA Security Officer or designating both the Security and Privacy official responsibilities to one individual.  Regardless of the division of responsibilities, however, the ultimate responsibility for the security program, which is to bring the organization into compliance with the Final HIPAA Security rule, must rest with one individual.  The HIPAA Security Officer is charged with overseeing the placement of the appropriate technical, organizational and administrative safeguards as well as enforcing the program and reviewing the conduct of those responsible for protecting EPHI for the organization.

complete set of HIPAA Security Policies and Procedures may be purchased here.



Series Navigation<< 164.312(a)(2)(iii) Standard: Access control – Automatic logoff164.310(b) Physical safeguards – Standard: Workstation use >>

Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.