Should a Hygienist or RDA serve as HIPAA Officer?
By Olivia Wann, JD
This is a great question. We appreciate anyone willing to serve in compliance capacities in a practice. First, let's establish that the role and designation of the HIPAA Privacy Officer and the role of the HIPAA Security Officer may be combined into one designation, the HIPAA Compliance Officer, in smaller practices. However, compliance with the Privacy Rule and compliance with the Security Rule are somewhat different.
The HIPAA Privacy Rule addresses the use and disclosure of protected health information (PHI). Day to day, the practice may use and disclose PHI for its own treatment, payment, and health care operations activities. The practice maintains procedures for patients to complain to the designated Privacy Officer about how their PHI was handled.
The HIPAA Security Rule, on the other hand, involves the protection of electronic PHI (ePHI). This includes, but is not limited to, conducting a HIPAA Security Risk Assessment and ensuring the confidentiality, integrity, and availability of all ePHI the practice creates, receives, maintains, or transmits by implementing administrative, physical, and technical safeguards.
It can be a disadvantage when a clinical team member such as an RDH or RDA is assigned as the HIPAA Security Officer and this individual knows very little about the inner workings of HIPAA security and cybersecurity because their job focus is clinical patient care. For example, when conducting routine HIPAA Security Risk Assessments, a well-meaning clinical team member may be assigned to assist our office in gathering information about the practice's data security. Questions about firewalls, encryption, multi-factor authentication, and access control measures may sound like unfamiliar terminology to that person. As a result, numerous areas of the assessment are left incomplete.
Who should serve as the HIPAA officer? For smaller practices, I recommend designating the practice owner as the HIPAA officer. This prevents having to revise the policies so frequently when someone leaves the practice. Despite the doctor being designated in this role, the actual tasks may be delegated to a team member such as an office manager or administrative assistant or a clinical team member.
In a larger practice, the HIPAA Security Officer may be an operations manager or an office manager; for large DSOs, it may be the in-house IT manager or in-house counsel.
Our goal is to satisfy compliance in the least cumbersome manner possible. The old saying, "It takes a village to raise a child," resonates here. When it comes to compliance, it takes the ENTIRE TEAM to satisfy HIPAA requirements. Everyone's efforts are much appreciated as we learn more and grow our practices.