Healthcare information security

Regulatory Compliance for HIPAA Security Officers

Prior to the Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, the healthcare industry had no generally accepted set of security standards or requirements for protecting health information. Around the same time, the rapid uptake of new technologies meant that the healthcare industry began to move away from paper-based processes for paying claims, answering eligibility questions, providing health information and many other administrative and clinical processes.

While there were many advantages of a more digital approach to patient information, it also opened up a lot of security risks for networks and potential privacy issues for confidential data.

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

Get Started

In recent years this has led to the deputizing of IT Managers and CIOs into HIPAA Security Officers. New positions within healthcare organizations have also been created specifically for HIPAA Security Officers.

It is a legal requirement under 45 C.F.R. § 164.308(a)(2) that every covered entity (healthcare provider) must identify a HIPAA Security Officer who is responsible for compliance. Failure to comply with HIPAA can result in civil and criminal penalties ranging from $100 per minor violation up to an annual maximum fine of $1.5 million for wilful, serious violations.

In this article I will discuss how to become a HIPAA Security Officer and what a typical HIPAA Security Officer’s job description looks like.

What are the duties and responsibilities of an HIPAA Security Officer?

Although a HIPAA Security Officer must come from a technical background and need solid technological skills, as little as 30% of the actual job may involve direct technological intervention. A majority of the HIPAA Security Risk Analysis and Compliance Gap Assessment (SRA) involves myriad other tasks and competencies, including SRA administration (for example, writing and curating training protocols, procedures, policies and critical incident response plans) and SRA management, including overseeing physical safeguards such as visitor sign in, CPU security, and the creation of organizational agreements with business associates and suppliers.

Essentially the main duties and responsibilities of an HIPAA Security Officer fall under one of four broad categories:

Managing and overseeing the information security of an individual's confidential health information
Managing information security staff
Improving communication within an organization about information security best practices
Keeping informed and up-to-date regarding changes and developments to/within local, state or federal information security regulations.

On a day-to-day level this may involve anything from:

monitoring operational compliance,
future information security planning,
holding presentations for staff (both existing and newly inducted) on healthcare information security,
handling internal complaints and imposing sanctions for data and information security breaches,
developing plans to ensure security of ePHI during transit, rest and storage,
delegating tasks to information security personnel,
perform periodic security audits of all software and hardware,
reviewing security practices with contractors,
tracking and reporting on staff’s access to confidential data,
serving on the organization’s Privacy Committee,
developing job descriptions for new information security personnel,
making recommendations to senior management for operational and procedural guidelines necessary to safeguard patient data,
liaising with OCR auditors,
ensuring continuity of service in the event of a disaster,
staying informed of latest web tools and technologies; and even
working with law enforcement agencies in instances of information security violations, noncompliance and cybercrime.

What is an average HIPAA Security Officer salary?

Pay scales vary dramatically for HIPAA Security Officers, depending on a multitude of factors, including years of experience, size of organization, geographic location, and level of certification. According to Payscale.com the average salary for an HIPAA Security Officer with a valid CHSS (Certified HIPAA Security Specialist) certification and 5-9 years of industry experience is around $85,000. However, salaries can vary from anywhere between $45,000 and $120,000. This is because in some organizations the compliance role of a HIPAA Security Officer may be combined with some other technological responsibilities.

Are there HIPAA Security Officer certifications?

There are a variety of courses one can take to become HIPAA certified, some more specialized than others. Most can be done online, while others can be gained through attending a few-day block course. Both generally contain a short exam that one must pass before receiving their certifications. Certifications generally only last for a few years, and must be renewed. Be wary of training institutions that offer you a one-off lifetime certification as rules and regulations change fast, and it is in your best interests to stay up-to-date and renew your certifications either annually or bi-annually.

Here are some of the common certifications that a HIPAA Security Officer may require:

Certified HIPAA Professional (CHP)
Certified HIPAA Privacy Security Expert (CHPSE)

Certified HIPAA Security Specialist (CHSS)

Certified HIPAA Compliance Officer (CHCO)

Certified HIPAA Security Professional for Compliance Officers (CHSP)

It is worth noting that there are three different streams of HIPAA Certification: security, privacy and compliance (as you can see from the list above). Some courses will provide you with certification to work across multiple levels of HIPAA, while others are specific to one area only, so do your research first. A HIPAA Security Officer should be certified in HIPAA Security first and foremost, however additional certifications in HIPAA privacy or compliance may come in handy.

Who should become a HIPAA Security Officer?

Becoming an HIPAA Security Officer is a suitable career choice for someone who has a 4-year college Computer Science degree and either a CISSP or CISA certification as well. This is not generally considered a good role for a recent graduate. Healthcare organizations prefer to hire those who have at least three years’ information security work experience in either a public or private setting (both is preferable).

A potential HIPAA Security Officer, must, above all else, be able to demonstrate that they are a person who is full of integrity and have a proven reputation of trustworthiness. This may discount people from becoming HIPAA Security Officers who have criminal records, especially those related to fraud, theft or dishonesty crimes.

Other skills and life experiences that are advantageous for this role include familiarity with healthcare settings, good verbal and written communication skills, project management or training experience and working knowledge of all the hardware or software packages healthcare organizations use.

What is the job outlook for HIPAA Security Officers?

There is a growing market for HIPAA Security Officers thank to the 2009 Act amendment, and the high prevalence of severe network security breaches at healthcare organizations across the country over the last few years.

People who are successful in receiving a position as a HIPAA Security Officer often receive attractive non-salary benefits such as full medical and dental insurance or coverage from their employers.

Those who prove themselves over several years as a HIPAA Security Officer can expect career advancement opportunities including ongoing professional development, opportunities to take on higher management positions over the course of their career, and potentially after ten plus years move into a CISO or Director of Security position.