Health Information Compliance Alert

Published on Mon Feb 28, 2011 PDF

Question: Do we need to hire a security officer to begin our compliance efforts with the security rule, or can our privacy officer do double duty?

Answer: That depends on the individual and the size of the practice, says Robert Markette, an attorney with Gilliland & Caudill in Indianapolis. With a large medical office, the privacy officer's going to have a lot of work to do, and it may be asking too much to also put them in charge of security rule compliance when they're also going to be managing day-to-day privacy issues. In this case, you might want to designate another individual familiar with risk management issues to be the security officer.

And though some practices may simply want to give the privacy officer a break and hire someone new, others may be small enough with so few staff that they can't help but to appoint the privacy officer as the security officer, too. Essentially, this all depends on the size and technical infrastructure of your office, but Markette feels that privacy officers will play a role in security issues no matter what.

"There are a lot of privacy officers out there that are about to become a security officer, just because you're stuck there, everyone knows your name now, and they associate you with HIPAA. You're kind of trapped," he says. Whatever you decide, you're going to have to have somebody who understands what HIPAA requires on the regulatory side of things to oversee your information technology concerns, he advises.