Selecting a HIPAA Security Officer

You’ve likely heard of the recent WannaCry and Petya ransomware attacks, which hit roughly 150 countries and hundreds of thousands of computers. We’re living in an age of malware, and the threat affects all of us. The challenges we face in technology today make choosing your HIPAA Security Officer a genuinely important decision.

Wouldn’t it be nice if we all had a tech expert in our back pocket? The reality is, most of us don’t. Your HIPAA Security Officer (often called the Information Security Officer, or ISO) doesn’t have to be a security expert, but they do need strong technical skills, and they need to know where your ePHI is stored and which Business Associates will be touching that information. That knowledge prepares your HIPAA Security Officer for the security risks your organization actually faces, but it isn’t the end of the story. Other ISO traits will help your company build a solid security foundation.

This week, we’ll look at what HIPAA information a Security Officer is in charge of. Then, we’ll take a look at a few skills that will lighten the load of the ISO – traits that make for a smart HIPAA Security Officer choice and a sound company security foundation.

What are the HIPAA Security Officer’s responsibilities?

  1. Understanding the HIPAA Security Rule and how it applies to the organization
  2. Adopting appropriate Security Policies and Procedures
  3. Overseeing the security of ePHI wherever it is created, received, maintained, or transmitted, whether the data is in transit, at rest, or in use
  4. Identifying and evaluating threats to the confidentiality, integrity, and availability of ePHI
  5. Responding to security incidents and to actual or suspected breaches of the confidentiality, integrity, or availability of ePHI
  6. Consulting with the Privacy Officer before contracting with any outside vendors (in a small organization the same person can fill both Privacy and Security roles)
  7. Performing or coordinating periodic security audits and risk analyses of all computer systems and networks
  8. Arranging for all employees who handle ePHI to be trained on HIPAA and trained on the company’s specific Security Policies
  9. Interfacing with the HHS Office for Civil Rights (OCR) in the event of an audit or investigation

What should you look for in a HIPAA Security Officer?

Beyond knowing about HIPAA, your ISO should be a leader in your company, such as a manager or an officer. They should be able and willing to enforce the rules and sanction fellow employees when necessary.

Attention to Detail

Since the ISO’s job involves a long list of items to address, your ISO will have to manage details thoroughly and successfully. Many details also demand strong organizational skills. One of the HIPAA Security Officer’s most important jobs is completing a thorough risk analysis that covers the administrative, physical, and technical safeguards.

IT Management

Your ISO should be able to manage the technical side of HIPAA security successfully. That may mean designating other employees to perform jobs relating to HIPAA security. Often it means hiring an outside IT vendor to assist with security problem solving and day-to-day duties. Before you hire anyone, remember:

  1. Any consultant who accesses your PHI is your Business Associate, and you need a signed Business Associate Agreement (BAA) in place before they touch it.
  2. Review any BA’s privacy and security policies and procedures BEFORE granting access to your network.
  3. HIPAA violations your contractors cause can become your legal problem, so vet them as carefully as your own staff.

By law, someone has to fill the role of HIPAA Security Officer in your organization. The level of expertise of your ISO varies from organization to organization. Even with the skills above, one person usually can’t navigate it alone, and they shouldn’t have to. Given all the technical terminology involved, delegate from within to lighten the load. And if you hire outside help, make sure the person understands not only IT but HIPAA, too.
