Can My Organization Appoint an Outside Person as the HIPAA Privacy Official or HIPAA Security Official?

Modified on Tue, 5 Aug at 2:42 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


Introduction
This article discusses whether an organization can appoint an individual from outside of the organization to serve as the HIPAA Privacy or Security Official.

Does HIPAA Require that the Privacy or Security Official be a Member of the Workforce?

The HIPAA Privacy Rule (45 CFR § 164.530(a)(1)(i)) requires organizations to “Designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.”

The HIPAA Security Rule (45 CFR § 164.308(a)(2)) requires organizations to “Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.”

Neither rule requires that the Privacy Official or Security Official be a member of the organization's workforce, and neither prohibits an "outside" person or entity from serving in the role.

Privacy and Security Officials are responsible for developing and implementing the organization's policies and procedures. If an organization "outsources" the role, the outside person should be given the authority needed to address Privacy Rule or Security Rule requirements and to develop and implement the organization's policies and procedures. The outside person should also be available when the role is actually exercised, for example to address privacy incidents and violations, and security incidents and breaches.

The entity and the person it wants to designate as Privacy or Security Official may agree to treat that person as a member of the entity's workforce. Alternatively, the entity and the outside person or entity under consideration for the role may enter into a business associate agreement.

What Concerns May Arise with Hiring a Privacy or Security Official Who is Not a Workforce Member?

If the outside person or entity already has a business relationship with the organization that hires it as Privacy or Security Official, conflicts of interest may arise.

Say that the outside entity is a managed service provider (MSP) with which the organization has a business associate agreement, and the organization designates an individual employee of that MSP as its Security Official. The Security Official is tasked with investigating and remediating security incidents. Now assume that a security incident occurs, and that it may have been caused by something the MSP did, or failed to do. If the Security Official investigates the incident, the Security Official is in effect investigating their own employer, and possibly their own work. Under these circumstances, it is questionable whether the Security Official can investigate the incident fairly and impartially.

Who Bears the Ultimate Compliance Responsibility?

While the Privacy or Security Official may delegate tasks to others, the ultimate responsibility for developing and implementing the policies and procedures remains with the individual designated as Privacy Official or Security Official. As between the person to whom a task is delegated and the Privacy or Security Official, the Privacy or Security Official is the proverbial "person in charge."
