Looking for a Business Associate Agreement? Download our FREE starter template.
Total HIPAA Logo

Selecting a HIPAA Security Officer

For many companies handling Protected Health Information (PHI), ransomware attacks and other cybersecurity threats are a very real danger. Having a strong security program is important for keeping your company’s information safe. This makes choosing your HIPAA Information Security Officer (ISO) a very important decision.

Wouldn’t it be nice to have a security expert in your back pocket? The reality is, most of us don’t. Your Security Officer doesn’t have to be a security expert, but they do need to have strong technical skills, know where your ePHI is stored, and understand what information Business Associates have access to. Having this knowledge will help your ISO be poised and ready for all HIPAA security risks. Leadership, attention to detail, and IT management skills are other traits held by a successful ISO which will help your company have a solid security foundation.

This week, we’ll be reviewing the duties of a Security Officer and his or her role in internal HIPAA enforcement. Then, we’ll take a look at the requisite skills that make for a qualified ISO. Selecting the right Security Officer is the first step in creating a sound company security foundation.

What are the HIPAA Security Officer’s responsibilities?

  1. Understanding the HIPAA Security Rule and how it applies to the organization
  2. Adopting appropriate Security Policies and Procedures
  3. Overseeing the Security of ePHI within the company in all phases: Transit, Rest, and Storage
  4. Identifying and evaluating threats to the confidentiality and integrity of ePHI
  5. Responding to actual or suspected breaches of the confidentiality or integrity of ePHI
  6. Consulting with the Privacy Officer before contracting with any outside vendors (in a small organization the same person can fill both Privacy and Security roles)
  7. Performing or coordinating periodic security audits of all computer systems and networks
  8. Arranging for all employees who handle ePHI to be trained on HIPAA and trained on the company’s specific Security Policies
  9. Interfacing with HHS if there is an audit

What should you look for in a HIPAA Security Officer?


Beyond knowing about HIPAA, your ISO should be a leader in your company such as a manager or officer. The ISO should be able and willing to enforce the rules and sanction employees when necessary.

Attention to Detail

Since the ISO’s job involves a broad range of responsibilities, he or she will have to manage details thoroughly and successfully. With many details comes the need to have strong organizational skills, too. One of the ISO’s most important responsibilities is completing a thorough Risk Assessment, which requires an in-depth understanding of the organization’s administrative, physical and technical safeguards.

IT Management

Your ISO should be able to manage the technical side of HIPAA security successfully. This may mean that other employees are designated to perform jobs relating to HIPAA security. Or, your ISO may choose to hire an outside IT vendor that can assist in security duties and problem solving. 

Before you hire anyone, remember:

  1. Any consultant who accesses your PHI is your Business Associate
  2. Audit any BA’s Privacy and Security Policies and Procedures BEFORE granting access to your network
  3. Any HIPAA violations contractors create are legally your issues!

By law, someone in your organization has to fill the role of HIPAA Security Officer. The level of an ISO’s expertise varies from organization to organization. Even with all of the skills above, one person often can’t navigate it alone — and they shouldn’t have to. Your ISO can easily delegate responsibilities internally to help lighten his or her load. But if you choose to hire outside help, make sure the person understands not only IT but HIPAA, too.

Our HIPAA compliance services help ensure that your business follows the basic HIPAA rules and guidelines to protect sensitive patient information. Our team of experts is dedicated to providing affordable rates and personalized solutions to help you become HIPAA compliant. We understand that navigating the complex requirements of HIPAA can be challenging, which is why we offer a comprehensive range of services to meet your unique needs. From risk assessments to employee training, we have the tools and expertise necessary to help your business achieve and maintain HIPAA compliance. Contact us today to learn more about how we can help you protect your patients, your employees, and your business.

Sharing is caring!


Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Let's keep in touch

Stay up to date on the latest HIPAA news, plus receive tons of free tools and info.

Navigating HIPAA Compliance in 2023

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!


Related Posts

What is Access Control in terms of HIPAA?

What is Access Control in terms of HIPAA?

Access control, in terms of cybersecurity, refers to the practice of managing and regulating who can access specific resources, systems, or data within an organization's network or information...

Comparing HIPAA and NIST

Comparing HIPAA and NIST

In the ever-evolving landscape of data security and privacy, two key frameworks have emerged as significant players: HIPAA and NIST. Both emphasize the importance of safeguarding sensitive...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)