What is a HIPAA Security Official?

Modified on Wed, 3 Jul at 9:40 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

What are the HIPAA Rules Regarding the Appointment of a Security Official?
The HIPAA Security Rule has a requirement for covered entities and business associates to appoint a Security Official: “Identify the security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule for the covered entity or business associate.” 

This identification must be in writing, either in the Security Policy Manual or in another document, and when the name changes, employees must be notified in writing of the change.

To meet the writing requirement, the covered entity or business associate may put language to this effect in its policy:

"Organization has appointed a designated Security Official to develop and enforce the company’s data security policies and procedures. The Security Official should be sufficiently senior in the company. The designated Security Official is listed below:

Name:

Title:

Email or Phone:"

What are the Duties of the Security Official?
The Security Official is responsible for, among other things, the development of security policies, the implementation of procedures, training, risk assessments, and monitoring compliance. The Security Official develops and implements policies and procedures covering the administrative, physical, and technical safeguards for ePHI. 

The responsibilities of the Security Official can include the development and the implementation of policies and procedures that touch on any ePHI safeguard requirement listed in 45 CFR 164.308 (administrative safeguards), 164.310 (physical safeguards), or 164.312 (technical safeguards), including, for example, the development of a Disaster Recovery Plan (an administrative safeguard), device and media controls (a physical safeguard), and transmission safeguards to prevent unauthorized access to PHI (a technical safeguard).

In smaller settings, the roles of a HIPAA Privacy Official and HIPAA Security Official are often performed by the same person.
