
Appointment & Responsibilities of HIPAA Privacy Officer

Reference: 45 CFR Part 164.530
Ver. No.: 1.0

Doc ID: EXT/HIPAA/ARHPO/01
Version #: Version 1.0
Process Owner(s): CISO
Effective Date: 15th July 2019

Revision History

Ver. No.: 1.0
Date of Release: 15th July 2019
Author(s): CISO
History of Changes: First Baseline
Approver: CISO


1. Objective
The purpose of this policy is to appoint the Privacy Officer at Exterprise and define
the responsibilities of that role.

2. Scope
This policy applies to all Exterprise workforce members including, but not limited to,
full-time employees, part-time employees and appointing senior management of the
Organization.

3. Process Overview
In terms of HIPAA compliance, the privacy officer shall oversee all ongoing activities
related to the development, implementation and maintenance of the
practice/organization’s privacy policies in accordance with applicable federal and
state laws.

4. Policy
Exterprise will appoint a HIPAA Privacy Officer to oversee compliance with the
HIPAA Privacy Rule.

4.1 Process Details and Tasks


For the role of HIPAA Privacy Officer at Exterprise, the appointed person shall be
responsible for the following duties:

• Understand the HIPAA Privacy Rules and how they apply within each
  Covered Component.
• Develop appropriate policies and procedures to comply with the
  HIPAA Privacy Rules.
• Oversee the enforcement of patient privacy rights within each
  Covered Component.
• Monitor each Covered Component for compliance with privacy
  policies and procedures.
• Develop and implement HIPAA privacy training for employees within
  each Covered Component.
• Notify the HIPAA Authorities of any Business Associate Agreements
  that implicate EPHI, prior to the execution or amendment of any such
  agreement.
• Receive and respond to complaints of alleged non-compliance
  with the HIPAA Privacy Rule.

4.2 Retention:
Every policy and procedure revision/replacement will be maintained for a
minimum of six years from the date of its creation or when it was last in effect,
whichever is later. Other Exterprise requirements may stipulate a longer
retention; HIPAA Audit information and logs relevant to security incidents must
be retained for six years.

4.3 Compliance:
Failure to comply with this or any other privacy policy will result in disciplinary
actions. Legal actions also may be taken for violations of applicable regulations
and standards such as the HIPAA Privacy Rule and others.

4.4 References

• Omnibus HIPAA Final Rulemaking,
  http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/index.html
• HIPAA Final Privacy Rule, 45 CFR Part 164.514(h), Department of Health and
  Human Services,
  http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/, August 14, 2002.
• HIPAA Breach Notification Rule:
  http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/
• Health Information Privacy, Security, and EHR
  http://www.healthit.gov/providers-professionals/ehr-privacy-security
• Achieve Meaningful Use: Protect Electronic Health Information
  http://www.healthit.gov/providers-professionals/achieve-meaningful-use/core-measures/protect-electronic-health-information
  http://www.healthit.gov/providers-professionals/achieve-meaningful-use/core-measures-2/protect-electronic-health-information
