Security Standards
Does HIPAA Security Rule Require a Privacy Officer? What Small Practices Must Do
Small medical practices trying to sort out the HIPAA Security Rule's actual requirements—including whether a designated officer is mandatory and what training obligations apply to covered entities.
This article is for independent physicians, small group practices, dental offices, behavioral health providers, and any covered entity operating without a dedicated compliance team.
What You Need to Know
- The HIPAA Security Rule imposes administrative, physical, and technical safeguard requirements on all covered entities regardless of size.
- Small practices must designate a security official—a specific, named individual—not a role that floats between staff.
- Training on security policies is a required implementation specification, not optional guidance.
- HHS issued a Notice of Proposed Rulemaking in December 2024 to strengthen Security Rule cybersecurity requirements, and the gap between what small practices have documented and what OCR expects to see is where enforcement exposure lives.
What's Happening
The HIPAA Security Rule requires covered entities to designate a security official responsible for developing and implementing security policies and procedures. This is a distinct administrative safeguard standard under 45 C.F.R. § 164.308(a)(2). The Privacy Rule has a parallel requirement for a privacy official under 45 C.F.R. § 164.530(a).
These are not the same role, and they do not have to be the same person—but both must be formally designated.
In a small practice, it's common for one person to fill both seats. That's permitted. What's not permitted is leaving either role unfilled, undocumented, or informally understood.
The Gap
The Security Rule's administrative safeguards also require a risk analysis, a risk management plan, a sanction policy, and a workforce training program—all documented, all implemented, all reviewable.
The risk analysis is where most small practices fall short. It must cover all electronic protected health information (ePHI) the practice creates, receives, maintains, or transmits. That includes EHR systems, billing platforms, email, text messaging tools used for patient communication, and any cloud storage.
Training is a required implementation specification under 45 C.F.R. § 164.308(a)(5). Covered entities must train all workforce members on security policies and procedures. The rule requires periodic retraining when policies change. "We did an orientation once" is not a training program.
The Security Rule also distinguishes between required implementation specifications and addressable ones. "Addressable" does not mean optional. It means the covered entity must assess whether the specification is reasonable and appropriate given its size and risk profile, and document that assessment either way.
If your practice skipped an addressable specification, OCR expects a written explanation of why. If that documentation doesn't exist, the gap isn't just operational—it's a compliance record problem.
Business associates inherit direct Security Rule obligations under the HITECH Act. Any vendor handling ePHI on your behalf—billing services, IT managed service providers, transcription platforms, and patient portal operators—must have a signed business associate agreement in place. What small practices often miss is that subcontractors those vendors use are also bound as business associates. The chain extends further than most practices track.
What to Do
- Formally designate a security official and document it. This means a written designation identifying the individual by name and role. If that person leaves, the designation must be updated. A policy that says "the practice manager" without naming someone does not satisfy this requirement.
- Conduct and document a risk analysis that covers all ePHI locations. Include every system, device, and workflow that touches patient data—not just the EHR. The analysis must be current; a risk assessment from 2019 does not reflect your current environment.
- Build a training program with records. Document who was trained, on what policies, and when. Retraining after policy changes is a requirement, not a best practice. Retaining training records gives you evidence of compliance if OCR comes asking.
- Audit your business associate agreements. Confirm you have a signed BAA with every vendor that accesses, stores, or transmits ePHI. Confirm those agreements reflect current operations—vendors get acquired, platforms change, and BAAs written five years ago may not cover current data flows.
- Document your addressable specification decisions. For every addressable safeguard your practice did not implement, write down the reasoning. OCR's expectation is a documented, reasoned determination—not silence.
If you're unsure whether your current security posture holds up to scrutiny, get in touch.
Sources
- 45 C.F.R. § 164.308 (Administrative Safeguards), https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308.
- 45 C.F.R. § 164.530 (Administrative Requirements—Privacy Official), https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530.
- Health Information Technology for Economic and Clinical Health (HITECH) Act, Pub. L. No. 111-5, §§ 13400–13424, 123 Stat. 258 (2009), https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html.
- HIPAA Security Rule NPRM, U.S. Dep't of Health & Hum. Servs., Off. for Civil Rights, https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html.
- HIPAA Security Rule, U.S. Dep't of Health & Hum. Servs., Off. for Civil Rights, https://www.hhs.gov/hipaa/for-professionals/security/index.html.