Determining Your Compliance Officer
Who should be our compliance officer? If you have an executive team, should it be someone on that team? The short answer is yes, and no! You don’t have to choose someone on the executive team, but you should add them to the team after they have been designated. This is hard for some practices because this person may be a good HIPAA chief security officer; however, you don’t necessarily want them making decisions on the executive team.
If your HIPAA compliance officer is not at your executive team table, they miss out on strategic planning decisions and are not offered the opportunity to weigh in on network, policy or compliance concerns or risks. Had they been at the table earlier, they may have been able to weigh in before money was spent or planning was done. They could mitigate the risk before it actually becomes a risk.
When choosing this person, you want someone who understands the practice, the flow of the practice, and the people who work there. They can always gain knowledge of the HIPAA rule, but having a full understanding of what it takes to run a practice is most helpful. Should it be the practice manager? I don’t think so. Definitely not the CEO, because you don’t want anything to take away from those CEO duties. How about the Chief Operating Officer? In my opinion, this would be a good choice: someone who has the power to put processes in place and has the time to follow up on them. That doesn’t mean they have to do the clerical work required for HIPAA, such as putting together a policy and procedure manual. That is an easy hire, and there are many ways to have the manual put together for you. A security risk assessment is the first thing that comes to mind, and HIPAA training is always important; you could easily outsource both.
The job of the compliance officer will be to make sure the staff is following HIPAA rules and regulations and not exposing your practice to unnecessary violations. Sometimes the violations occur from nothing more than a simple lack of understanding. Not only that, but the HIPAA required and addressable rules are actually best practices that help you keep your practice safe and secure. It also helps when the compliance officer does not have a strong IT background. This is a great way to make sure the IT staff has all their ducks in a row.
The compliance officer you choose should report to the managing partner of the practice. Most likely, this is a physician. If you do not have an operations director, you can choose someone on the clinical staff, or someone you feel has a strong knowledge of your practice. Again, they can always be taught the HIPAA rule, and outsourcing most of this is very beneficial.
Keep in mind that this person can always be changed, but do designate someone. It’s a HIPAA rule that you do!