
Who Offers Security Compliance Officer Services To Healthcare Organizations?

If you own or run a healthcare organization, you probably have someone on staff who acts as your security compliance officer. However, is it their primary job or area of expertise? Having a knowledgeable and experienced security compliance officer or resource is very important since the consequences of violating privacy regulations can be quite serious.


For example, did you know that federal regulators can fine an organization up to $50,000 per HIPAA violation and as much as $1.5 million per year in fines for releasing a patient’s protected health information (PHI)?

That’s why you need to know what a security compliance officer does and if it makes sense for you to work with an external company to help your organization comply with security regulations to avoid hefty fines.

What are a security compliance officer’s responsibilities?

According to the American Health Information Management Association (AHIMA), a healthcare security compliance officer oversees activities for developing, implementing, maintaining, and following an organization’s privacy policies and procedures. This is to ensure a patient’s PHI is kept secure and you’re complying with federal and state privacy laws.

Some of the compliance officer’s responsibilities include:

  • Understanding government privacy regulations, especially HIPAA rules, to make sure your organization is complying with them.
  • Assessing your organization’s risks and what steps are necessary to prevent and minimize exposure of your patients’ PHI.
  • Creating, testing, and reviewing an organization’s information security systems to protect PHI.
  • Setting up a security awareness program to meet HIPAA reporting requirements.
  • Overseeing a reporting and management system to record and investigate a data breach, and prevent future violations.
  • Maintaining a budget to fund information security management programs and processes.
  • Managing a training program for employees to help prevent a privacy breach.

Who should be your security compliance officer?

Since this is such an essential role in your organization, it’s critical to have the right person for this job. It shouldn’t be just a part-time or extra job for one of your employees, such as an office manager or human resources director. As mentioned, the consequences of a data breach can be very serious and expensive.

While having IT experience can be helpful, this position also includes auditing, training, handling an incident, and managing business associate agreements with external partners and vendors. Other responsibilities may consist of making and updating a disaster recovery plan and overseeing facility security.

An ideal candidate is someone who is well organized, understands HIPAA and other privacy rules, and is knowledgeable about IT and computer systems.

In addition to picking the right person for the job with the relevant experience, the position should have the authority and power to implement needed changes to ensure compliance with HIPAA and privacy rules.

What if you use a cloud-based IT service?

You might assume that if you use a cloud-based service for your IT systems, then you don’t need to worry about HIPAA compliance. However, an organization must ensure such services are secure and perform a risk analysis before using a cloud service for storing or transmitting electronic protected health information (ePHI).

In 2015, St. Elizabeth’s Medical Center in Brighton, MA had to pay $218,400 in penalties for violating the HIPAA Security Rule when they uploaded data without doing a risk analysis of the cloud service. An organization needs to set up risk management policies to lower the chances of a data breach as much as possible, even if they use a cloud-based service.

If you manage a healthcare organization, a cloud service provider is considered a “HIPAA business associate.” This means they must sign a business associate agreement (BAA) before patient data is uploaded to the cloud service. You must have a signed BAA even if the information you upload is encrypted and the cloud service doesn’t have a decryption key.

What can happen if you don’t have a signed BAA from a cloud-based service provider? In one case, Oregon Health & Science University was fined $2.7 million by the Department of Health and Human Services’ Office for Civil Rights because they didn’t get a signed BAA from a cloud-based IT vendor.

The business associate agreement should outline how ePHI is used and disclosed and that both parties have security procedures to prevent the unauthorized release of PHI. This includes verifying that the cloud service vendor:

  • Has reliable systems so information is readily available to the healthcare organization.
  • Maintains a backup and data recovery system in case of a natural disaster, ransomware attack, or other emergency.
  • Allows you to retrieve your data from their systems if you stop using their cloud services.
  • Keeps information as secure as possible.
  • Limits the use, retention, and disclosure of PHI.

Should you work with a consultant or IT provider?

In some cases, you may decide that you need to work with an IT professional or consultant to assess your IT systems and infrastructure for potential weaknesses that can lead to a privacy breach.

Also, it may not be ideal for your internal staff to perform a risk assessment, since it can be a challenge for them to objectively evaluate their own practices and identify weaknesses. If you decide to contract with a third party for a risk assessment, make sure they’re experienced and knowledgeable about HIPAA and privacy rules.

Another option is using compliance software that’s customized for your organization’s needs and structure to help perform a risk assessment, train employees, and handle other functions.
