(a) A covered entity must, in accordance with § 164.306:
(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.
Tell Me More:
The Assigned Security Responsibility standard has no separate implementation specification; the standard itself is the requirement. Its objective is to identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. Assigned security responsibility is the practice, established by management, of administering and supervising the execution and use of security measures that protect data, and of managing and supervising the conduct of the workforce in relation to the protection of that data.
The Security Rule requires that ultimate responsibility for a covered entity's security be assigned to one official: this is to ensure accountability. More than one individual may be given specific security responsibilities, especially within a large organization, but a single individual must be designated as having overall responsibility for the security of the entity's electronic PHI (ePHI). Depending on the size of the organization and other factors, the same person may fill the role of both security official and privacy official.
Implementation is expected to vary widely depending on the size and nature of the covered entity: a small office may assign the role as an additional duty to an existing staff member, while a large organization may create a full-time HIPAA Security Officer position or designate one individual as both Security and Privacy official. Regardless of how the day-to-day work is divided, the ultimate responsibility for the security program, which is to bring the organization into compliance with the HIPAA Security Rule, must rest with one individual. The HIPAA Security Officer is charged with overseeing the placement of the appropriate technical, organizational and administrative safeguards, enforcing the program, and reviewing the conduct of those responsible for protecting the organization's ePHI.
- NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook (chapter 3)
- NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST SP 800-30, Risk Management Guide for Information Technology Systems
- NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations