“Why me??? I don’t know anything about the HIPAA Security Rule or technology!”

You were just told you are your organization's HIPAA Security Officer. As you read through the HIPAA Security Rule and its breakdown into Safeguards, Standards, and more detailed Implementation Specifications for protecting electronic Protected Health Information (ePHI), you may be wondering:

  • “Why me?”
  • “I don’t understand all this technical lingo. How can I possibly be responsible for our HIPAA Security?”
  • “HIPAA says we must do things, but how can I find out how to do them?”

You aren’t alone, and there are resources that can guide you. You may also decide to outsource your IT services and compliance management so you can stay focused on managing your practice or Business Associate company.

Since 2005 all HIPAA Covered Entities – health plans, health care clearinghouses, and health care providers that bill electronically – have had to comply with the HIPAA Security Rule. Now, under the Omnibus Final Rule, Business Associates and their subcontractors must also be compliant by September 23, 2013.

The first Standard in the HIPAA Security Rule is the Security Management Process, but before we get into WHAT needs to be done, let's skip to the second Standard, Assigned Security Responsibility, and look at WHO is going to be responsible.

While the ultimate responsibility for organizational compliance may rest with your CEO and board of directors, your organization is required to assign one person to be responsible for compliance with the HIPAA Security Rule, which focuses on the protection of electronic Protected Health Information (ePHI). Because the focus is on electronic data, it would seem logical to appoint your IT Director or Chief Information Officer. But what if you don't have one? What if you outsource your IT services? While you can delegate HIPAA compliance tasks, someone within your organization must be given the HIPAA compliance responsibility, even if they only direct others to do the work.

Because skills and responsibilities vary widely within health care organizations, there is no minimum standard, no certification, and no specific training required to be a HIPAA Security Officer. A doctor or executive pointing a finger at you is enough to get the responsibility assigned. (For audit purposes, a short memo formalizing the assignment is recommended, along with a job description, so you can show an auditor exactly who was responsible and from what date.)


While HIPAA compliance training isn't required, it is recommended. 4MedApproved offers HIPAA compliance training and certification, so you can get a good understanding of the rules and how to implement them. (This certification also looks good on your resume.)

There are lots of books and online guidance to help you build a HIPAA compliance program. Before you spend anything, here are some free resources that will get you going in the right direction.

Security Rule Guidance from the US Department of Health & Human Services (HHS) & the National Institute of Standards and Technology (NIST)

Privacy Rule Guidance from HHS

HHS Office for Civil Rights (OCR)

Business Associates

HIPAA Omnibus Final Rule

HIPAA Enforcement & Penalties

"originally written for 4MedApproved"