One of the requirements of the Health Insurance Portability and Accountability Act (HIPAA) is to name a security officer. In smaller practices, the position of security officer is often filled by whoever appears to have the time to fill it.
However, taking some time to consider the talents and skills of each staff member could mean the difference between having a security officer who is truly dedicated to getting the job done, and having one in name only, says Diane Robben, JD, of Sandberg Phoenix & von Gontard, in St. Louis, Missouri.
Privacy vs. security officer
HIPAA requires practices to name both a privacy officer and a security officer. The two roles do have some overlap; however, Robben suggests that having separate people fill them allows for checks and balances.
A significant difference between the two roles is that the security officer needs to be more focused on the technology side of operations. The security officer needs to know whether or not physicians and staff members are accessing protected health information (PHI) from their phones or tablets, whether there is even a remote possibility of a laptop containing accessible PHI being lost or stolen, and where physical charts are located within the office.
“The security officer has to understand all of that and then develop policies to help control PHI and to keep it safe,” Robben says.
Recruiting staff vs. outsourcing
In smaller practices, staff members may lack technological know-how. Robben says that is not a terrible handicap, even for the security officer.
“The security officer doesn’t have to have all the answers,” she says, “but they do need to be able to [identify] the issues,” and know when to ask for help.