HIPAA - Assigned Security Responsibility 164.308(a)(2)
Overview:
Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.
Action Items:
1) Obtain and review documentation of the assigned Security Official(s) responsibilities (e.g., a job description), confirming that a natural person has been named to act as the Security Official and/or that other individuals have been assigned other security duties. Evaluate and determine whether the organization has assigned responsibility for compliance with the Security Rule to a Security Official who oversees the development and implementation (including monitoring and communication) of security policies and procedures and/or has assigned other individuals other security duties, and whether the responsibilities of the Security Official(s) have been clearly defined.
Related Documents:
1) Documentation of the assigned Security Official(s) responsibilities (e.g., job description) and that a natural person has been named to act as the Security Official and/or other individuals have been assigned with other security duties.
Additional Guidance:
The purpose of this standard is to identify who will be operationally responsible for assuring that the covered entity complies with the Security Rule. Covered entities should be aware of the following when assigning security responsibility:
1) This requirement is comparable to the Privacy Rule standard at §164.530(a)(1), Personnel Designations, which requires all covered entities to designate a Privacy Official.
2) The Security Official and Privacy Official can be the same person, but are not required to be.
3) While one individual must be designated as having overall responsibility, other individuals in the covered entity may be assigned specific security responsibilities (e.g., facility security or network security).
Sample questions for covered entities to consider:
- Would it serve the organization’s needs to designate the same individual as both the Privacy and Security Official (for example, in a small provider office)?
- Has the organization agreed upon, and clearly identified and documented, the responsibilities of the Security Official?
- How are the roles and responsibilities of the Security Official crafted to reflect the size, complexity and technical capabilities of the organization?