Privacy, Security and Compliance Officers: Who’s Responsible for What?

Just when we thought we understood what it meant to be a Compliance Officer, we are now faced not only with understanding the role of a Privacy Officer but also the role of a Security Officer!  Let’s see if we can define and differentiate among these roles.

Privacy Officer (PO):  Under the Health Insurance Portability and Accountability Act (HIPAA), the Privacy Officer is responsible for:

  • Acting as the focal point among the staff for privacy compliance-related activities and responsibilities;
  • Developing and implementing policies and procedures that are consistent with privacy laws and regulations.  To do so, the PO will need to ensure that federal and state privacy, security and confidentiality laws and regulations are adhered to.  In this capacity, the PO will need to coordinate efforts with the Security Officer (SO) in evaluating and monitoring operations and systems development that comply with privacy and security requirements.
  • Developing and implementing training programs in the area of privacy.  The PO will need to coordinate such programs with the SO with respect to security training programs.
  • Monitoring the effectiveness of the privacy program.  Coordination with the Quality Improvement Program Director is essential.
  • Coordinating efforts with the Compliance Officer (CO), the SO and the Human Resources Director to develop appropriate sanctions for both employees and business associates who do not comply with the privacy policies and procedures.
  • Coordinating with the CO, SO and possibly other department heads regarding the investigation and resolution of patient complaints involving the area of privacy.
  • Participating as a member of the Compliance Committee.

Security Officer (SO):  Under the Health Insurance Portability and Accountability Act, the Security Officer is responsible for:

  • Acting as the focal point among both the technology and non-technology staff for information security compliance-related activities and responsibilities;
  • Developing and implementing policies and procedures that are consistent with information security laws and regulations.  To do so, the SO will need to ensure that security standards are compliant with federal and state laws and regulations as they relate to health information.  In this capacity, the SO will need to coordinate efforts with the Privacy Officer (PO) in evaluating and monitoring operations and systems development that adhere to privacy and security requirements. 
  • Security policies and procedures will need to focus on, among other things:  Administrative safeguards (e.g., how records are processed and who is accountable for them); Personnel security (e.g., ensuring that personnel have access only to the confidential information they are authorized to access); Physical safeguards (e.g., controlling access to information media and workstations); Technical safeguards (e.g., access control and authorization, audit controls, and emergency procedures such as contingency and recovery plans).
  • Developing and implementing training programs in the area of security.  The SO will need to coordinate such programs with the PO with respect to privacy training programs.
  • Monitoring the effectiveness of the security program.  Coordination with the PO is essential.
  • Coordinating efforts with the Compliance Officer (CO), the PO and the Human Resources Director to develop appropriate sanctions for both employees and business associates who do not comply with the security policies and procedures.
  • Coordinating with the CO, PO and possibly other department heads regarding the investigation and resolution of patient complaints and reported incidents involving the area of security.
  • Participating as a member of the Compliance Committee.

Compliance Officer (CO):  Under the Health Insurance Portability and Accountability Act, the Compliance Officer is responsible for:

  • Acting as the focal point among the staff for fraud and abuse compliance-related activities and responsibilities;
  • Developing and implementing policies and procedures that are consistent with fraud and abuse laws and regulations.  To do so, the CO will need to ensure that federal and state fraud and abuse laws and regulations are adhered to.  In this capacity, the CO will need to coordinate efforts with the SO and PO in evaluating and monitoring operations and systems development that adhere to privacy and security requirements.
  • Developing and implementing training programs in the area of fraud and abuse.  The CO will need to coordinate such programs with the PO and the SO with respect to privacy and security training programs.
  • Monitoring the effectiveness of the compliance program.  Coordination with the Quality Improvement Program Director is essential.
  • Coordinating efforts with the PO, the SO and the Human Resources Director to develop appropriate sanctions for both employees and business associates who do not comply with the compliance policies and procedures.
  • Coordinating with the PO, the SO and possibly other department heads regarding the investigation and resolution of complaints involving the area of fraud and abuse.
  • Participating as a member of the Compliance Committee.

Bear in mind that there is no requirement that each of these roles be filled by a different individual.  Depending upon the size of your office or facility, the most practical and economical decision may be to have one individual handle all three roles.  Whichever approach is taken, the designation of the responsible individual(s) should be documented, since HIPAA requires that the privacy and security officials be formally designated.  The key is effectiveness.  The approach taken should support the most effective compliance program.
