HIPAA compliance means marriage between security, privacy officers

Both security officers and privacy officers must work together when it comes to achieving HIPAA compliance.

When it comes to those positions, according to an article at HealthITSecurity.com, you cannot have one without the other if strong security is a goal.

Angela Rose, director of HIM Practice Excellence at the American Health Information Management Association, says in the article that health information management professionals, while often more focused on privacy, need to understand the more technical aspects of the business.

“We may not need to walk the walk, but we have to talk the talk,” she said.

The privacy officer needs to know, for instance, what a firewall does, but not necessarily how to install one. There also needs to be a “marriage” between the technical person and the one who understands compliance requirements, she added.

“It’s all about the writing of the policies and procedures, the [staff] training, what the law says,” she said of the privacy officer role.

The ways organizations implement security and privacy might vary, but senior management must be “on board 150 percent” for creating a culture of securing patient information, Rose said. She advocated for making protecting privacy part of employee evaluations, saying there must be repercussions for failing to follow the organization’s privacy procedures.

Not all privacy and security requirements are black and white, she said, and that’s where the privacy and security teams have to put their experience and trust in each other to work. They have to understand at least the rudiments of the other’s job.

“That’s why it’s so important for those two to work together. It’s not just privacy or security anymore,” she said.