Should a Hygienist or RDA Serve as HIPAA Officer?

by Olivia Wann
This is a great question. We appreciate anyone willing to serve as HIPAA Officer in compliance capacities in a practice. First, let’s establish that, in smaller practices, the roles of HIPAA Privacy Officer and HIPAA Security Officer may be combined into one designation as the HIPAA Compliance Officer. However, complying with the Privacy Rule is a bit different from complying with the Security Rule.
HIPAA Privacy Rule
The HIPAA Privacy Rule addresses the use and disclosure of protected health information (PHI). Day to day, the practice may use and disclose PHI for its own treatment, payment, and health care operations activities. The practice maintains procedures for patients to complain to the designated Privacy Officer about how their PHI was handled.
HIPAA Security Rule
The HIPAA Security Rule, on the other hand, involves the protection of electronic PHI (ePHI). This involves, but is not limited to, conducting a HIPAA Security Risk Assessment and ensuring the confidentiality, integrity, and availability of all ePHI the practice creates, receives, maintains, or transmits, while implementing administrative, physical, and technical safeguards.
Challenges with Clinical Team Members as HIPAA Security Officer
It can be a disadvantage when a clinical team member such as an RDH or RDA is assigned as the HIPAA Security Officer and this individual knows very little about the inner workings of HIPAA security and cybersecurity because their job focus is clinical patient care. For example, in conducting routine HIPAA Security Risk Assessments, a well-meaning clinical team member may be assigned to assist our office in gathering information about the practice’s data security. Questions about firewalls, encryption, multi-factor authentication, and access control measures may sound like unfamiliar terminology. As a result, we have numerous areas of the assessment incomplete.
Who Should Serve as HIPAA Officer?
Who should serve as the HIPAA officer? For smaller practices, I recommend designating the practice owner as the HIPAA officer. This prevents having to revise the policies so frequently when someone leaves the practice. Despite the doctor being designated in this role, the actual tasks may be delegated to a team member such as an office manager, administrative assistant, or a clinical team member.
HIPAA Officer in Larger Practices
In a larger practice, the HIPAA Security Officer may be an operations manager, an office manager, or, for large DSOs, an in-house IT manager or their in-house counsel.
Team Effort for HIPAA Compliance
Our goal is to satisfy compliance in the least cumbersome manner possible. The old saying, “It takes a village to raise a child,” resonates. When it comes to compliance, it takes the ENTIRE TEAM to satisfy HIPAA compliance. Everyone’s efforts are much appreciated as we learn more and grow our practices.
