
HIPAA Privacy Officer [Healthcare Compliance Tips]

Assign an employee or hire a Privacy Officer to develop and monitor your HIPAA-compliant privacy program.

HIPAA requires that a privacy official be designated within your practice.  You can hire new personnel, train a current employee, or pay a HIPAA consultant to fill the role.

Keep in mind that the privacy personnel will oversee many areas, including but not limited to:

  • Developing and implementing privacy policies and procedures.
  • Investigating complaints.
  • Providing ongoing training, developing training materials, and assessing the program.

The designated privacy personnel will also play a role in helping you and your staff understand the three categories of safeguards in the HIPAA Security Rule:

Administrative Safeguards

This category focuses on internal organization, policies, procedures, and the maintenance of security measures that protect patient health information.  It is the true foundation of the three safeguard categories; the Workforce Security standard is one of the standards under it.

Under this standard, practices should ensure that all workforce members have appropriate access to electronic PHI (ePHI) and that those who should not have access are prevented from obtaining it.  An example is implementing policies and procedures on computer access and password management.

Physical Safeguards

This category is where you must ensure that physical measures, policies, and procedures are enacted to protect your electronic information systems, and the related buildings and equipment, from natural and environmental hazards and from unauthorized intrusion.

A common standard under this category is Workstation Security, which means ensuring that only authorized workforce members can use the workstations that access ePHI, and that those workstations are not accessible to non-employees or other unauthorized persons.

Technical Safeguards

The primary focus is the technology, and the policies and procedures for its use, that protect electronic health information and control access to it.

The Transmission Security standard is a subset of this category in which the practice must implement measures to guard against unauthorized access to ePHI while it is being transmitted over an electronic communications network.  Its two implementation specifications are integrity controls, which ensure that transmitted ePHI cannot be modified or destroyed without detection except by authorized persons, and encryption of ePHI whenever it is deemed appropriate.

Remember, covered entities must retain their written policies and procedures, and the documentation of any other required action, activity, or assessment, for at least six years from the date of creation or the date it was last in effect, whichever is later.

**The opinions and observations of the group/author are not a promise that your practice will be exempt from fines and penalties.  Research, modify, and tailor this advice to fit your specialty.

Joi Sherrod, MPH, CPC, CPCO
Joi is an educator and owner of JNC Healthcare Compliance Group. After working for distinguished academic teaching hospitals and clinics, she is passionate about helping medical, dental, and behavioral health practices rethink healthcare compliance one trend at a time. Contact Joi at