Roles, Responsibilities & Permissions in The Guard

Modified on Wed, 22 May at 2:13 PM

Compliancy Officer
The phrase "compliancy officer" does not appear in the HIPAA regulations; however, The Guard requires the designation of a Compliance Officer. Compliancy Group uses the term to denote the person who has overall compliance responsibility for an Organization, meaning overall responsibility for both Privacy and Security Compliance. Many smaller Organizations designate the same individual as Compliance Officer, Privacy Officer, and Security Officer. Many larger Organizations have one individual as the Compliance Officer, and a second and third person as the Privacy and Security Officers, respectively. Still other Organizations may have one person hold both the Compliance Officer Role and one of the other Roles (e.g., Compliance Officer and Privacy Officer, or Compliance Officer and Security Officer).

  • Compliancy Officer Permissions
    • Receives a notification when a Compliance Gap is found or a Compliance Incident has been reported. Creates a task and assigns it to a User or Site Admin.
    • Can close an Incident.
    • Can check whether Users have read or watched the training materials.


Privacy Officer
The Guard requires Organizations to designate a Privacy Officer. A HIPAA Privacy Officer, sometimes called a Chief Privacy Officer (CPO), oversees the development, implementation, maintenance of, and adherence to Privacy Policies and Procedures.

These Policies and Procedures ensure that protected health information is not used or disclosed without permission or without authorization.

HIPAA only requires that the Privacy Officer have the job duty of being responsible for the development and implementation of the Policies and Procedures of the Organization. Because this Role develops and implements Policies and Procedures, this person typically has other responsibilities that flow logically from their being responsible for this development and implementation.

These include:

  • Development, review, and modification of the Notice of Privacy Practices, Authorization to Release PHI form, and overall review of and responsibility for other Privacy Rule forms, including the Accounting of Disclosure forms, Amendment of PHI forms, Authorization for Sale of PHI/Marketing/Fundraising Forms, etc. 
  • Keeping abreast of changes in the regulatory landscape, and updating forms, Policies and Procedures, and other documents accordingly.
  • Being the point person/spokesperson for privacy-related issues that the media/HHS may inquire about. 
  • Overall responsibility for Privacy Rule and Privacy Policy and Procedure training for the workforce.
  • Overseeing Vendor Management; ensuring that Business Associate Agreements are entered into with appropriate Vendors; termination of Vendor relationships where Vendors are not fulfilling their responsibilities under the Business Associate Agreement.
  • Ensuring Business Associate Agreement language is up to date, and contains required legal content.
  • Implementing a process for receiving, documenting, tracking, investigating, and acting on all complaints concerning breaches in Privacy Policies and Procedures.
  • Applying sanctions to workforce members who have committed Privacy Rule/Privacy Policy and Procedure infractions.
  • Responsibility for maintaining Privacy Rule-related documentation for the required time periods imposed by law.
  • Coordinating and working with Security Officers to investigate potential data breaches.
  • Ensuring the Organization reasonably safeguards protected health information from any intentional or unintentional use or disclosure that is in violation of the Privacy Rule.
  • Conducting and monitoring privacy-related self-audits.
  • Establishing procedures to track employee access to and flow of PHI.
  • Ensuring overall workforce compliance with Privacy Policies and Procedures.


  • Privacy Officer Permissions
    • Receives a notification when a Privacy Gap is found or a Privacy Incident has been reported. Creates a task and assigns it to a User or Site Admin.
    • Can close an Incident.
    • Can check whether Users have read or watched the training materials.

Security Officer
The Guard requires Organizations to designate a Security Officer. Under HIPAA, the Security Officer is responsible for the development and implementation of the Policies and Procedures required by the Security Rule.

The Security Officer is responsible for four main items; Covered Entities and Business Associates must do the following:

  • Ensuring the confidentiality, integrity, and availability of all electronic protected health information the Covered Entity or Business Associate creates, receives, maintains, or transmits.
  • Protecting against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • Protecting against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule.
  • Ensuring Security Rule compliance by the workforce.

Specific Security Officer responsibilities include: 

  • Development, review, and modification of all Security Rule Policies and Procedures and Security Rule-related forms.
  • Responding to security incidents, potential data breaches, and data breaches, and coordinating with other personnel (e.g., Privacy Officer, Compliance Officer) as appropriate.
  • Keeping abreast of changes in the security/cybersecurity regulatory landscape, and updating forms, Policies and Procedures, and other documents accordingly.
  • Being the point person/spokesperson for security-related issues that the media/HHS may inquire about.
  • Overall responsibility for Security Rule and Security Policy and Procedure training for the workforce, including the Security Rule training and awareness program required by the HIPAA Security Rule.
  • Managing security aspects of Business Associate Agreements; ensuring that Business Associate Agreements are entered into only after performing due diligence on the Vendor's current state of security; termination of Vendor relationships where the Vendor is not fulfilling their security responsibilities under the Business Associate Agreement.
  • Ensuring Business Associate Agreement Security Rule language is up to date, and contains all required security language.
  • Implementing a process for receiving, documenting, tracking, investigating, and acting on all complaints concerning breaches in Security Policies and Procedures.
  • Applying sanctions to workforce members who have committed Security Rule/Security Policy and Procedure infractions.
  • Responsibility for maintaining Security Rule-related documentation for the required time periods imposed by law.
  • Coordinating and working with the Privacy Officer, Compliance Officer, Supervisors, Managers, etc., to investigate potential security data breaches.
  • Ensuring, along with the Privacy Officer and Compliance Officer, that all breach notifications required by the Breach Notification Rule are given to affected individuals, HHS, and the media.
  • Developing, conducting, and monitoring privacy-related self-audits.
  • Establishing procedures to track Employee access to and flow of ePHI.
  • Granting, denying, modifying, and terminating workforce access to ePHI, as needed.
  • Ensuring information access management is reviewed and modified, as necessary.
  • Developing, implementing, and modifying HIPAA contingency plans and risk analysis, as necessary.
  • Performing risk mitigation, remediation, and evaluation, as necessary.
  • Ensuring appropriate administrative, technical, and physical security measures are developed and implemented, and enforcing such measures.
  • Cooperating with the Office for Civil Rights (OCR) and other Legal Entities and Organization Officers in any compliance reviews, audits, or investigations.

  • Security Officer Permissions
    • Receives a notification when a Security Gap is found or a Security Incident has been reported. Creates a task and assigns it to a User or Site Admin.
    • Can close an Incident.
    • Can check whether Users have read or watched the training materials.


All Officers and Organization Administrators have the following rights:

  • Access to the entire organization
  • Ability to create Organizations, Sites and Departments
  • Ability to add questions to the audits
  • Ability to add training documents
  • Ability to add Users
  • Ability to inactivate Users
  • Ability to add Officers


Organization Administrators (includes external IT Providers):

  • Complete audits and support Users at the Organization level.
  • Can be assigned to a task.
  • Can help other Users with their tasks.
  • Can be assigned to training. Can check whether Users have read or watched the training materials.


Location Managers (previously "Site Admins"):

  • Complete audits and support Users at the Site level.
  • Can be assigned to a task.
  • Can help other Users with their tasks.
  • Can be assigned to training. Can check whether Users have read or watched the training materials.


Users (Legacy Functionality):

  • Can be assigned to a task.
  • Can be assigned to training.
  • Can check whether they have read or watched the training materials.
  • Can report an Incident (anonymously or not).
