Entities are required to appoint both a privacy officer and a security officer. The two roles can be held by the same person, and the officers can handle compliance responsibilities themselves or manage those who ensure compliance. Most organizations with cloud-based ePHI assign this responsibility to a high-ranking IT staffer like the director of IT.
Whoever is assigned should have the following qualities:
- A thorough understanding of HIPAA requirements.
- Experience with risk assessment, and an understanding of cyber security and of the organization’s electronic record handling.
- The authority to implement policies and the ability to enforce them among employees.