HIPAA defines two important roles. Many companies that are new to HIPAA appoint a single data officer to cover both, treating the appointment as a checkbox. Both roles can be filled by the same person, but as a matter of separation of duties they are ideally held by different people. The distinction between the roles matters because each carries a substantial set of responsibilities.
One role is defined by the Privacy Rule and the other is required by the Security Rule. Mirroring the distinction between the rules themselves, the privacy official defines how things are to be done (policies and procedures), and the security official ensures that the implementation aligns with those policies and procedures.
The Privacy Rule mandates that a covered entity designate a privacy official (45 CFR 164.530(a)). This official's key task is to create and maintain the organization's privacy policies and procedures, which must address all of the applicable HIPAA requirements. In addition, the privacy official often is, and should be, the person responsible for answering questions about permitted uses and disclosures of PHI.
The security official required by the Security Rule (45 CFR 164.308(a)(2)) is in charge of implementing those privacy policies and procedures through the organization's safeguards. Sometimes this means creating additional procedures that map the privacy policies onto day-to-day work. We see this most when privacy policies have to be applied to modern technology such as cloud-based services.
The two roles under HIPAA correspond to the two rules of HIPAA.