Can My Organization Appoint an Outside Person as the HIPAA Privacy Official or HIPAA Security Official?

Modified on Mon, 11 Dec, 2023 at 11:50 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Frequently, a covered entity or business associate seeks to appoint someone outside of their organization as the HIPAA Privacy Official or HIPAA Security Official. This article provides general guidelines about this practice. 

HIPAA does not require that the HIPAA privacy official or HIPAA security official be an employee, and it does not forbid an outside person or entity from serving in that role. As a practical matter, though, there may be dangers to having the privacy official or security official be an outside person. Organizations should assess the potential risks of appointing an outside person as the privacy or security official:

Privacy and security officials are required to implement an organization’s policies and procedures. If a client wants to outsource the role, the outside person must be trained and experienced in the Privacy Rule or Security Rule. The outside person must be given full authority to address all Privacy Rule or Security Rule requirements. This means, for example, that the outside person must be able to impose discipline on an employee of someone else’s company if sanctions are warranted. It also means that the outside person must be available in real time to address privacy violations, security incidents, and breaches, and must be able to interview the client’s employees and conduct investigations.

If the outside person has a business relationship with the company that hired it to be a privacy or security official (e.g., the outside person is the company’s MSP), a conflict of interest problem might arise. Suppose that a HIPAA violation, or a violation of the appointing company’s policies and procedures, may have occurred, and that the outside person might be at fault. As the privacy or security official, the outside person would be obligated to conduct an investigation against his or her own company, and against himself or herself, raising a serious issue of whether this person can fairly and impartially investigate the matter for the company that hired him or her to serve as the official. Companies seeking to hire outside people with whom they have existing business relationships should be mindful of this.

If the outside person does not have an existing relationship with the client, the client could outsource the role to that person (assuming the person is not prohibited by their own company from accepting outside employment). Again, though, there is a practical concern. Because the outside person already has a full- or part-time job, they would have limited availability to fulfill all Privacy or Security Official requirements. Someone who cannot commit the necessary time should not be appointed.

Lastly, it is not uncommon for a covered entity to want to outsource the Security Official role because they “don’t know how to deal with security and don’t want to.” The CE client is ultimately responsible for compliance with the Security Rule, though, and for meeting its requirements. The client can outsource the position, but not this obligation.
