QUESTION: Is our group health plan permitted to outsource the roles of HIPAA privacy official and security official?
ANSWER: Possibly, but it would be prudent to seek the advice of legal counsel given the absence of official guidance. Most covered entities must designate a privacy official who is responsible for the development and implementation of the entity’s HIPAA privacy policies and procedures. Similarly, a covered entity must appoint a security official who is responsible for the development and implementation of HIPAA security policies and procedures. A covered entity’s security official may be the same person serving as the entity’s privacy official.
Although there is language in the preamble to the privacy rule that seems to assume that the privacy official will be an employee of the covered entity, there is no explicit requirement to that effect. And because some covered entities (e.g., most group health plans) will not have employees, the privacy official’s duties will have to be performed by a third party (for a group health plan, usually an employee of the plan sponsor).
The preamble also provides that the same person could be the privacy official for more than one entity. Furthermore, it emphasizes that the privacy rules are intended to be “scalable”—i.e., they may be met in a variety of ways depending on the size and complexity of the organization. Even if the privacy or security official role is delegated to a third party (such as the group health plan’s third-party administrator), the covered entity itself remains legally responsible for HIPAA compliance and is subject to potential penalties for noncompliance.
For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXVIII.A (“Privacy Official and Contact Person or Office”) and XXX.B.2 (“Standard: Assigned Security Responsibility”). See also EBIA’s Self-Insured Health Plans manual at Section XXXI.E (“Privacy and Security Challenges for Sponsors of Self-Insured Health Plans”).
Contributing Editors: EBIA Staff.