I know I have posted a few articles on this but who is the designated security officer in your practice? I wanted to touch on this subject again. know there seems to be some confusion when understanding the role of the office, and what exactly they are responsible for. It’s not a promotion, or in some cases its not a pay increase. So why do you want to do it? Why does anyone want to take on this responsibility? Because it’s management, and nothing more. Its taking on management responsibilities just like a manager does. The HIPAA standard requires the covered entity to identify the security official who is responsible for the development and implementation of the policies and procedures required by the security rule. In the final rule, it requires a named individual.

Who is the designated security officer?

In most practices, the practice manager or IT director is often the security officer, and the clinical director is often the privacy manager. Sometimes, it is the same individual for both. There are no required credentials for this role. They just need to be identified, and facilitate the policies and procedures. Because some practices are too small to hire someone with a Masters Degree in information technology, HHS has not defined any credentials for this position. It’s basically something that is added to the workload of the current management.

Who to report to

Make sure whoever you designate reports to someone higher up in the practice. The designated security officer will have to report the breach to the physician or CEO and they can determine what needs to be done. It is important the manager understands that in the event of a breach, they know what to do. Have a good sanction policy in place so that employees can be counseled, trained, or terminated if necessary. They will want to know when a breach has to be reported, or just corrected. Make sure you have good HIPAA training program and that your staff is very aware of what they can, and cannot do.

Have a security risk assessment performed

If you have not had a security risk assessment performed, now is as good a time as any. Even if you are not attesting to meaningful use, you want to be sure that your patient data is safe and secure. You want to minimize your risk and implement best practices. Tier3MD can help you with the assessment.

For more information, contact our security department at: 855-698-4373