Common Staff Roles & Responsibilities for HIPAA

HIPAA requires each covered entity or Business Associate to designate a person accountable for all HIPAA compliance requirements, who serves as the single HIPAA point of contact for the organization. Smaller organizations often have a single person fulfill this role alongside other duties, while other organizations engage third-party providers for governance roles. Larger organizations often have separate HIPAA Security, Privacy, and IT Security Officers. The specific title and duties vary with the organization's structure and risk requirements.

Common HIPAA roles

Common titles and responsibilities include:

HIPAA Security Officer

  • This role is often administrative, IT, or a hybrid of the two.
  • Establish and implement the HIPAA program, including its policies, practices, procedures, and standards, and covering physical, technical, and administrative safeguards.
  • Implement the Risk Management Program. Perform periodic risk analyses and audits, including of Business Associates.
  • Identify and manage the confidentiality, integrity, and availability of ePHI.
  • Deliver training, including HIPAA awareness, work practices, and sanctions.
  • Incorporate IT cybersecurity and HIPAA compliance into business strategy.
  • Work with the HIPAA Privacy Officer.
  • Establish and manage the Business Continuity, Disaster Recovery, and Incident Response Programs.

HIPAA Privacy Officer

  • Focuses on HIPAA specifically.
  • Has deep HIPAA knowledge.
  • Under the HIPAA Privacy Rule, each company must designate a Privacy Officer.
  • Focuses on threats to PHI: identifies, evaluates, and manages threats to confidentiality.
  • Performs periodic reviews of technology, focusing on users and safe practices.
  • Liaises with other organizations and government agencies to stay current on all regulatory requirements.

Traits of a good leader

HIPAA Security, Privacy, or hybrid roles require a special type of person. These roles require:

  1. Leadership – beyond knowing HIPAA, this person should be a leader within your organization, often with the authority of a manager, director, or company officer.
  2. Organization – the three facets of HIPAA are challenging; this person needs to work out how to successfully implement and manage the program.
  3. Attention to detail – this person needs to go beyond the rules themselves and manage the details of, and updates to, the regulations.
  4. Teamwork – this person needs to work with senior leadership, business and practice requirements, IT, and regulators.

Staffing models differ between organizations; however, three basic guidelines apply. Shortcutting requirements and guidelines leads to incomplete programs that place PHI and your organization at risk.

  • Separation of duties. It is very difficult to achieve compliance if the same person is creating, implementing, and testing the HIPAA program. Even the smallest organization should split these tasks among different people.
  • Checks and balances. Create an internal audit program that tests and validates that the required activities are actually occurring. If your organization cannot assign different roles to different people, consider a third-party vendor to serve as your internal auditor.
  • Complete the required tasks. Take no shortcuts: create and implement a holistic HIPAA program that protects PHI and your organization.


HIPAA Privacy Rule: