HIPAA Security Officer Job Description
A HIPAA security officer is responsible for protecting sensitive health data from unauthorized access, use and disclosure. The role came about with the privacy and security standards adopted under the Health Insurance Portability and Accountability Act of 1996; the Security Rule requires each covered entity to designate a security official who is responsible for developing and implementing its security policies and procedures.
Background
The Security Rule requires covered entities, meaning health plans, health care clearinghouses and health care providers (such as hospitals) that transmit health information electronically, to designate an officer to lead efforts to safeguard electronic protected health information (ePHI) that is created, received, stored or transmitted for claims processing and other routine health care operations. The rule, issued by the U.S. Department of Health & Human Services (HHS), took effect in April 2003, with a compliance deadline two years later for most covered entities. As electronic exchange of health care data has increased, a HIPAA security officer's duties may fall under the broader role of an organization's health information technology or information security officer.
Salary
Compensation depends on the size and type of the organization and on the extent to which it relies on information technology in its operations. For the closest matching occupation, medical and health services managers, the U.S. Department of Labor's Bureau of Labor Statistics (BLS) listed a median salary of $80,240 as of May 2008. The middle 50 percent earned between $62,170 and $104,120. The lowest 10 percent earned less than $48,300, and the highest 10 percent earned more than $137,800, according to BLS.
Responsibilities
The guiding principle for health care data exchange is HIPAA's "minimum necessary" standard (part of the Privacy Rule), which requires health care organizations to use, disclose or request only the minimum amount of patient information needed to accomplish each intended purpose. The HIPAA security officer must develop administrative procedures, establish physical safeguards and implement technical safeguards in line with this principle, the three categories of safeguards the Security Rule spells out, according to HHS guidance.
Administrative Procedures
Three ongoing responsibilities of the job require the officer to perform a risk analysis of the likelihood of improper patient data disclosure, establish policies for records processing and develop contingency plans for keeping ePHI available and intact through outages and emergencies. A HIPAA security officer must create policies that determine how much information to make available to each health care worker based on his or her role or rank. The HIPAA security officer must also ensure that employees receive security awareness training and must establish sanctions for security policy violations, according to HHS.
Physical Safeguards
A HIPAA security officer must develop policies for granting and restricting physical access to the organization's buildings, workstations, hardware, software and data files. Physical safeguards for patient data also cover the organization's policy on disposing of and reusing old media, such as computer hard drives that contain patient records, which must be wiped or destroyed before they leave the organization's control. In addition to workstation and computer terminal placement, the security officer also may develop policy on worker relocation, remote terminals and terminating access to data when staff leave or change roles, according to HHS.
Technical Safeguards
Technical safeguards involve evaluating computer systems to ensure they have appropriate security features, including audit controls that record each attempt to access health data, and developing a course of action for responding to security violations. Determining the hardware and software the organization uses to assign a unique identifier to each user, so that every access can be traced to one person, and to enforce automatic logoff on idle computer terminals, as called for by the Security Rule, is also part of a HIPAA security officer's job.
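The following Python example is added here to show how the safeguards named above fit together in code; it is not part of the original article or any HHS guidance. It models a small ePHI access layer with one unique identifier per user, role-based field filtering to apply the "minimum necessary" principle, an audit trail that records every access attempt (granted or denied), and automatic logoff after an idle timeout. The roles, field mappings, patient records, user names and the 10-minute timeout are all constructed for illustration.

```python
"""Added example (not from the article): a minimal ePHI access layer with
unique user IDs, minimum-necessary field filtering, full audit logging and
automatic logoff. All users, roles, records and timeouts are constructed."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed role -> permitted record fields ("minimum necessary" per role).
ROLE_FIELDS = {
    "physician": {"patient_id", "name", "diagnosis", "medications"},
    "billing": {"patient_id", "name", "procedure_codes"},
    "reception": {"patient_id", "name"},
}

# Assumed automatic-logoff threshold; a real policy sets this per workstation.
IDLE_TIMEOUT = timedelta(minutes=10)


@dataclass
class Session:
    user_id: str
    role: str
    last_activity: datetime


@dataclass
class AuditEvent:
    ts: datetime
    user_id: str
    patient_id: str
    outcome: str          # "granted", "denied" or "logged_off"
    fields: tuple = ()    # fields actually disclosed on a grant


class EphiStore:
    def __init__(self, records, users):
        self._records = records      # patient_id -> dict of record fields
        self._users = users          # unique user_id -> role
        self._sessions = {}          # user_id -> Session
        self.audit_log: list[AuditEvent] = []  # append-only in a real system

    def _audit(self, now, user_id, patient_id, outcome, fields=()):
        self.audit_log.append(AuditEvent(now, user_id, patient_id, outcome, fields))

    def login(self, user_id, now):
        """Start a session; every later access is tied to this unique ID."""
        self._sessions[user_id] = Session(user_id, self._users[user_id], now)

    def access(self, user_id, patient_id, now):
        """Return the fields this user's role may see, or None; always audited."""
        session = self._sessions.get(user_id)
        if session is None:
            self._audit(now, user_id, patient_id, "denied")
            return None
        if now - session.last_activity > IDLE_TIMEOUT:
            # Automatic logoff: idle too long, drop the session and refuse.
            del self._sessions[user_id]
            self._audit(now, user_id, patient_id, "logged_off")
            return None
        session.last_activity = now
        record = self._records.get(patient_id)
        allowed = ROLE_FIELDS.get(session.role)
        if record is None or allowed is None:
            self._audit(now, user_id, patient_id, "denied")
            return None
        view = {k: v for k, v in record.items() if k in allowed}
        self._audit(now, user_id, patient_id, "granted", tuple(sorted(view)))
        return view


# Constructed sample data for a runnable demonstration.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def build_demo_store():
    records = {
        "P001": {
            "patient_id": "P001",
            "name": "Jane Doe",
            "diagnosis": "hypertension",
            "medications": ["lisinopril"],
            "procedure_codes": ["99213"],
        }
    }
    users = {"dr_lee": "physician", "clerk_ann": "billing"}
    return EphiStore(records, users)


def run_demo():
    """Exercise grant, role filtering, idle logoff and denial; return the log."""
    store = build_demo_store()
    store.login("dr_lee", T0)
    store.login("clerk_ann", T0)
    store.access("dr_lee", "P001", T0 + timedelta(minutes=1))     # granted
    store.access("clerk_ann", "P001", T0 + timedelta(minutes=2))  # granted, filtered
    store.access("dr_lee", "P001", T0 + timedelta(minutes=12))    # idle 11 min: logged off
    store.access("dr_lee", "P001", T0 + timedelta(minutes=13))    # no session: denied
    store.access("nobody", "P001", T0)                            # unknown user: denied
    return store.audit_log


if __name__ == "__main__":
    for event in run_demo():
        print(event.ts.isoformat(), event.user_id, event.patient_id, event.outcome, event.fields)
```

The point a practitioner should take from the audit log is that denials and forced logoffs are recorded with the same detail as successful reads; an audit trail that only records grants cannot support the investigation of a security incident. In a production system the log would be written to append-only storage outside the application's control, and the timeout would be enforced at the workstation as well as in the application.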