Practical guidance for healthcare teams and business associates
Published: December 5, 2025 | Updated: March 18, 2026 | 10 min read
Role of the HIPAA Compliance Officer
Every covered entity must name a compliance officer. This person builds and runs the HIPAA policies and procedures.
The Privacy Rule requires a Privacy Officer. The Security Rule requires a Security Officer. Many small practices have one person fill both roles.
Regardless of how roles are divided, the officer keeps the entire program running smoothly.
The role has changed since HIPAA passed. Today's officers face cyber threats, new regulations, staffing issues, and stricter guidelines. They must train staff, conduct reviews, develop strategy, and manage important connections. Practices that provide their officers with real authority and resources perform much better.
This guide covers everything about the compliance officer role. Use it whether you are hiring, stepping into the role, or weighing an outsourced model.
Regulatory Foundation
What HIPAA Requires
The HIPAA Privacy Rule (45 CFR 164.530(a)) requires covered entities to name a privacy official. That person must build and run the privacy policies and procedures.
The Security Rule (45 CFR 164.308(a)(2)) requires a security official as well. That person must build and run the security policies and procedures.
The minimum requirements are the following:
- A person is assigned to each role (privacy and security).
- The assignment is official when the person is named inside a policy.
- That person must have authority to build and enforce rules.
- Contact details must be available to staff and the public.
- One person may fill both roles, or the roles may be split.
HIPAA does not set specific training or reporting rules for the officer. But OCR history shows that practices must give their officers real authority and resources to do the job.
Qualifications and Skills
HIPAA does not require specific credentials. Even so, the role demands a strong skill set. The best officers combine rule knowledge, technical ability, and leadership skills.
Essential skills:
Deep HIPAA knowledge: Full grasp of the Privacy Rule, Security Rule, Breach Notice Rule, and Enforcement Rule.
Healthcare ops knowledge: Know-how in clinical flows, billing, and health IT systems.
Risk management skill: Able to run risk reviews, gap analyses, and build risk-reduction plans.
Communication skills: Able to turn complex rules into plain guidance for staff.
Review skills: Experience conducting compliance reviews and root cause analysis.
Project management: Skilled at running multiple compliance projects at once.
Leadership presence: The standing to drive change, including hard talks with senior leaders.
Valuable certs:
- Certified in Healthcare Compliance (CHC)
- Certified in Healthcare Privacy Compliance (CHPC)
- Certified Information Privacy Professional (CIPP/US)
- Certified Information Systems Security Professional (CISSP)
- Healthcare Information Security and Privacy Practitioner (HCISPP)
Key Responsibilities
Compliance Program Management
The compliance officer is in charge of the entire HIPAA compliance program. This includes creating, keeping, and improving the frameworks that keep the practice compliant.
Core program duties:
Policy development: Create, review, and update all HIPAA-related policies and steps on a regular cycle.
Risk assessment oversight: Lead or coordinate the annual risk review process and make sure findings drive corrective action.
Training program management: Design and oversee the HIPAA training program for all staff.
Incident management: Lead the review and response for all suspected and confirmed breach events, including responding to HIPAA complaints filed by patients or OCR.
Audit coordination: Manage internal audits and serve as the main contact for outside audits and OCR audit program reviews.
Business associate oversight: Make sure all business associates have current business associate agreements and meet their obligations.
Rule tracking: Monitor rule changes, audit trends, and new threats that affect the practice.
Day-to-Day Actions
Daily work varies by practice size and current compliance status, but certain tasks come up each time.
Typical daily and weekly actions:
- Review and respond to compliance questions from staff.
- Check incident reporting channels and triage new reports.
- Review audit logs and access reports for problems.
- Meet with department heads on compliance matters.
- Update compliance tracking systems and dashboards.
- Review and approve PHI access requests.
- Conduct walk-through checks of physical security controls required under HIPAA.
- Draft or review compliance notices.
Monthly and quarterly actions:
- Present compliance metrics to leadership and the compliance committee.
- Review and update policies affected by rule or practice changes.
- Conduct or review internal audit work.
- Analyze incident trends and build prevention measures.
- Review business associate compliance status.
- Update the risk assessment based on new threats or practice changes.
- Work with IT on security monitoring findings.
Reporting Structure
Where the officer reports affects their results. OCR guidance says the officer must have direct access to senior leadership.
Recommended reporting structure:
Reports to: CEO, COO, or the Board - not IT, not legal, not ops.
Direct access to: Board or the board's compliance committee.
Works with: Legal counsel, IT leadership, HR leadership, and clinical leadership.
Manages: Compliance staff, privacy analysts, and security analysts in larger practices.
The officer must not report to the person who runs the functions being watched. That independence is key for fairness.
An IT director who also serves as security officer has a built-in conflict. Speed and security rules often pull in opposite directions.
Relationship with Key Departments
Working with IT
The compliance officer and IT leadership must have a strong working relationship. Many Security Rule needs are set up and kept by IT. The compliance officer sets the policies. IT builds the tech controls.
Key areas to work on together:
- Security control setup and monitoring
- Access control review
- Encryption deployment and key management
- Incident detection and response
- Vulnerability tracking and patch coordination
- Tech vendor review and monitoring
Working with Legal
Legal counsel provides key support to the compliance program. The officer and legal team work together often on matters that carry legal risk.
- Breach review and notice decisions
- Rule interpretation and policy building
- Investigation oversight and documentation
- Penalty response and penalty reduction efforts
- Contract review for business associate agreements
- Litigation hold and discovery support
Working with HR
HR is a natural partner for staff-related compliance matters.
- Training program management and tracking
- Sanctions and disciplinary action steps
- Background check needs for compliance-sensitive roles
- Onboarding and offboarding compliance steps
- Employee access rights and deactivation
- Policy distribution and acknowledgment tracking
Common Challenges and Solutions
Insufficient Resources
The most common challenge is not having enough resources. Compliance programs compete with clinical, tech, and ops priorities for budget and staff.
How to address resource limits:
- Build a case using breach cost data, penalty amounts, and risk exposure numbers.
- Prioritize actions based on risk impact rather than trying to do all tasks at once.
- Use tech to automate routine compliance tasks -- see our list of recommended HIPAA compliance tools for options.
- Use the risk review to justify specific resource requests to leadership.
- Document resource limits so they become part of the practice record.
Workforce Resistance
Not everyone welcomes compliance oversight. Clinicians may see rules as obstacles to patient care. Admins may see compliance as a cost center.
How to overcome resistance:
- Focus on how compliance protects patients and the practice, not just legal duties.
- Build ties before you need them. Learn each department's work and challenges.
- Find compliance champions in each department to reinforce messages from within.
- Show quick wins that prove compliance can improve operations, not just add burden.
- Present compliance data in business terms that connect with leadership.
Keeping Current
The rule and threat landscape shifts often. Officers must stay current on updates, audit actions, new threats, and best practices.
How to stay current:
- Subscribe to the OCR listserv and audit action notices.
- Join peer groups such as HCCA (Health Care Compliance Association).
- Attend annual compliance conferences and webinars.
- Build peer networks with compliance officers from similar practices.
- Follow key legal and cybersecurity news sources.
- Keep up continuing education for your certs.
Career Path
Growing Into the Role
Many compliance officers come from nearby roles. Common backgrounds include healthcare admin, nursing, health information management, IT, and legal. The path usually means growing duties in compliance-related work.
Common career steps:
Entry: Compliance analyst, privacy analyst, or health information specialist.
Mid-level: Compliance coordinator or compliance manager.
Senior: Compliance officer, privacy officer, or security officer.
Executive: Chief Compliance Officer (CCO) or Chief Privacy Officer (CPO).
Consulting: Independent compliance consultant serving multiple practices.
Professional Development
Ongoing learning is vital for officers who want to advance and stay effective.
- Earn industry certs (CHC, CHPC, CIPP).
- Build expertise in cybersecurity basics.
- Develop project and change management skills.
- Build leadership and executive communication skills.
- Gain experience with compliance tech platforms.
The Outsourced Compliance Officer Option
When Outsourcing Makes Sense
Not every practice needs a full-time compliance officer. Smaller practices, start-ups, and practices with tight budgets often do well with an outsourced model.
Outsourcing fits well when:
- The practice has fewer than 50 staff members.
- Budget limits prevent hiring a qualified full-time officer.
- The practice needs expert skills not found among staff.
- A new compliance program needs to be built from scratch.
- The practice wants outside oversight without internal politics.
What an outsourced compliance officer provides:
- Expert compliance knowledge without a full-time salary and benefits cost.
- Freedom from internal politics.
- Access to a team of experts rather than a single generalist.
- Scalable services that match the practice's actual needs.
- Current knowledge of rule trends, audit actions, and best practices.
Ensuring Outsourced Effectiveness
Outsourcing requires clear goals, regular contact, and real engagement from leadership.
- Spell out specific tasks, duties, and reporting needs in the contract.
- Make sure the outsourced officer has direct access to leadership and enough authority.
- Schedule regular on-site visits and virtual check-ins.
- Set clear escalation steps for incidents and urgent issues.
- Keep internal staff who can handle day-to-day compliance tasks between check-ins.
Compliance Officer FAQ
Can one person serve as both Privacy Officer and Security Officer?
Yes. HIPAA allows one person to serve as both Privacy Officer and Security Officer. This is common in small and mid-size practices. Larger practices benefit from splitting the roles. The work in each area can be too much for one person. Either way, both roles must be filled by someone with enough time and resources to do the job.
Does the compliance officer need to be an employee?
No. HIPAA does not require the Privacy Officer or Security Officer to be an employee. This role is often filled by a contractor, consultant, or outsourced provider. The key need is that a specific person is named, that person has enough authority and resources, and the designation is documented.
What is the difference between a compliance officer and a compliance committee?
The compliance officer is the named person responsible for day-to-day operation of the program. A compliance committee is a group of leaders from across the practice. The committee provides oversight, guidance, and support for the program. The compliance officer often chairs or reports to the committee. Both are best practices, but only the named officer is required by HIPAA.
How much does a HIPAA compliance officer earn?
Pay varies by practice size, location, experience, and credentials. As of 2026, HIPAA compliance officers in the U.S. typically earn between $75,000 and $150,000. Chief Compliance Officers at large health systems earn more. Outsourced compliance officer services often run $2,000 to $10,000 per month, depending on practice size and scope of services.
Is it legally required to have a HIPAA compliance officer?
Yes. Under 45 CFR 164.530(a)(1), every covered entity must name a Privacy Official in charge of building and carrying out privacy policies and procedures. The Security Rule (45 CFR 164.308(a)(2)) separately requires designation of a Security Official. Business associates are not required to designate a formal Privacy Officer, but they must designate a Security Officer. In small practices, one person can fill both roles — the requirement is that the designation is documented, not that it is a separate position.
What qualifications does a HIPAA compliance officer need?
There is no single required credential. HIPAA sets the duty but not the educational path. In practice, certifications like the Certified HIPAA Professional (CHP), Certified in Healthcare Compliance (CHC), or Certified in Healthcare Privacy Compliance (CHPC) significantly strengthen a compliance officer’s credibility with OCR auditors, legal counsel, and leadership. Most organizations require three to seven years of experience in healthcare compliance, privacy, health information management, or a related field. Smaller practices often designate an existing office manager or administrator who then pursues targeted HIPAA training.
What does a HIPAA compliance officer do on a daily basis?
Daily responsibilities vary by organization size and current compliance maturity, but typically include: reviewing access logs for unauthorized PHI access, handling patient privacy complaints, reviewing BAAs for new vendors (see our BAA management guide for vendors and MSPs), and coordinating staff training completions. Quarterly work includes policy reviews, compliance reporting to leadership, and internal audit activities. Annual work includes overseeing the full security risk assessment cycle, renewing the full policy set, and verifying training completion for all workforce members. Officers at small practices wear more hats; officers at large systems typically manage a team of compliance analysts and privacy coordinators.
Can a small medical practice use a part-time or fractional HIPAA compliance officer?
Yes, and many do. Solo practices and small groups often designate an existing office manager or practice administrator as Privacy Officer, supplemented by external HIPAA consultants or compliance software platforms. The key requirement is that the designation is documented and the person receives adequate training and resources to perform the role. Outsourced compliance officer arrangements are fully permissible under HIPAA — the rule requires a named, designated person with authority, not a specific employment structure. For practices that go the outsourced route, defining clear deliverables, escalation procedures, and contact availability in the engagement contract is essential.
What is the difference between a HIPAA Privacy Officer and a Security Officer?
The Privacy Officer is responsible for the organization’s compliance with the HIPAA Privacy Rule — governing how PHI is used, disclosed, and protected in any form (paper, electronic, or verbal). The Security Officer focuses specifically on electronic PHI (ePHI) and the technical, physical, and administrative safeguards required by the Security Rule. In small organizations, one person typically fills both roles. In larger health systems, the roles are split: the Privacy Officer often has a background in health information management or legal, while the Security Officer typically comes from IT or cybersecurity. Both roles require documented designation and must have sufficient authority and resources to perform their respective functions.
What happens during an OCR review involving the compliance officer?
The compliance officer serves as the main contact for OCR reviews. They gather and provide requested records, coordinate the internal response, and assist with staff interviews. They also work with legal counsel to build the practice's response. A well-prepared officer can improve the outcome by showing a thorough, documented compliance program.
Compliance Officer Role Takeaways
The HIPAA compliance officer is the most important role in your compliance program. The right person, given real authority and support, can build a strong program that protects patients and cuts risk.
The wrong fit creates a single point of failure. So does the right person without enough support. Either way, the whole practice is at risk.
No matter what you decide, start with the basics: deep rule knowledge, strong communication skills, independence, and leadership support.
The compliance officer cannot succeed alone. But without an effective compliance officer, the practice cannot succeed at compliance.
Privacy Officer vs. Security Officer: The Critical Distinction
HIPAA creates two distinct officer designations, and conflating them is one of the most common structural mistakes compliance programs make. Understanding the boundary between the roles is essential — whether you are filling both seats with one person or assigning them separately.
The Privacy Officer (required under 45 CFR 164.530(a)(1)) is responsible for compliance with the HIPAA Privacy Rule. Their domain is PHI in any form — paper, electronic, or verbal. Core duties include developing Notice of Privacy Practices, handling patient rights requests (access, amendment, restriction, accounting of disclosures), managing workforce training on permissible uses and disclosures, and fielding patient privacy complaints.
The Security Officer (required under 45 CFR 164.308(a)(2)) is responsible for compliance with the HIPAA Security Rule. Their domain is electronic PHI (ePHI) exclusively. Core duties include overseeing the annual security risk assessment, implementing and monitoring technical, physical, and administrative safeguards, managing workforce access controls, and coordinating incident response for ePHI-related breaches.
Where the roles overlap and where they differ:
| Responsibility Area | Privacy Officer | Security Officer |
|---|---|---|
| Patient access requests | Yes | No |
| Breach notification decisions | Yes (all PHI) | Yes (ePHI incidents) |
| Annual risk assessment | Oversight role | Lead role |
| BAA management | Yes | Yes (technical vendors) |
| Workforce training | Privacy Rule content | Security Rule content |
| Audit log review | Access/disclosure logs | System/technical logs |
| Physical safeguards | Shared | Lead role |
| Notice of Privacy Practices | Yes | No |
| EHR/system access controls | Policy level | Implementation level |
In organizations with fewer than 50 staff, one person routinely fills both roles. OCR accepts this as long as the designation is documented and the person has adequate time and resources for both functions. When one person holds both seats, the greater risk is the Security Officer responsibilities going underfunded — privacy complaints are visible, but security gaps are invisible until a breach surfaces them.
In bigger healthcare groups, the Security Officer typically has a background in IT or cybersecurity, while the Privacy Officer comes from health information management, legal, or nursing. Both report to senior leadership — ideally separately, to preserve independence.
HIPAA Compliance Officer Certifications Compared
HIPAA does not require any specific credential for the compliance officer role. In practice, though, certifications carry real weight — with OCR auditors, with legal counsel assessing program credibility, and with leadership evaluating whether the program is run by someone who actually knows the rules.
Chuck Weiselberg, CHP and Founder of One Guy Consulting, holds the Certified HIPAA Professional (CHP) designation and has spent more than 10 years as a HIPAA subject matter expert supporting compliance officers across hundreds of healthcare organizations. His experience shaped the guidance in this article.
Here is how the major HIPAA-relevant certifications compare:
| Certification | Issuing Body | Focus Area | Best For | Exam Required | CE Required |
|---|---|---|---|---|---|
| CHP — Certified HIPAA Professional | AAPC / various | HIPAA Privacy and Security Rules end-to-end | Compliance officers, privacy analysts, consultants | Yes | Yes (annual) |
| CHC — Certified in Healthcare Compliance | HCCA / SCCE | Broad healthcare compliance program management | Chief Compliance Officers, compliance managers | Yes | Yes (biennial) |
| CHPC — Certified in Healthcare Privacy Compliance | HCCA / SCCE | Healthcare privacy law and operations | Privacy Officers, health information managers | Yes | Yes (biennial) |
| CIPP/US — Certified Information Privacy Professional | IAPP | U.S. privacy law (HIPAA, CCPA, FERPA, etc.) | Privacy Officers with multi-regulation scope | Yes | Yes (annual) |
| HCISPP — Healthcare Information Security and Privacy Practitioner | (ISC)² | Security and privacy intersection in healthcare | Security Officers with dual privacy/security scope | Yes | Yes (triennial) |
| CISSP — Certified Information Systems Security Professional | (ISC)² | Broad information security architecture | Security Officers from IT/cybersecurity backgrounds | Yes | Yes (triennial) |
Which certification matters most? For a pure HIPAA compliance officer role, the CHP gives the most focused preparation. For a broader Chief Compliance Officer role managing multiple regulatory programs, the CHC is the industry standard. Security Officers from technical backgrounds often pursue the HCISPP because it bridges security architecture and healthcare privacy law — two domains that rarely appear together in general IT certifications.
Regardless of credential, the most credible compliance officers pair certification with direct experience conducting HIPAA risk assessments, managing breach investigations, and building policies from scratch — not just studying for an exam.
HIPAA Compliance Officer Salary Ranges (2026)
Salary data for HIPAA compliance officers varies significantly by organization size, geography, and whether the role is in-house or outsourced. The figures below are based on 2025–2026 data from the Bureau of Labor Statistics (BLS SOC code 13-1041: Compliance Officers), HCCA compensation surveys, and Indeed aggregates for healthcare compliance roles.
By organization size:
| Organization Type | Typical Title | Salary Range (Annual) |
|---|---|---|
| Solo / small practice (1–10 staff) | Office Manager doubling as Privacy Officer | Role add-on; rarely a separate salary line |
| Small group practice (10–50 staff) | Compliance Coordinator / Privacy Officer | $55,000 – $80,000 |
| Mid-size medical group (50–250 staff) | Compliance Officer / Privacy Officer | $80,000 – $115,000 |
| Large health system or hospital | Director of Compliance / CCO | $115,000 – $175,000 |
| Enterprise health system | Chief Compliance Officer | $175,000 – $300,000+ |
| Business associate (SaaS, billing, IT) | HIPAA Compliance Manager | $90,000 – $140,000 |
By region: Compliance officer salaries follow healthcare market density. The highest pay is found in New York City, San Francisco, Boston, and Washington D.C. (proximity to federal agencies drives premium pay). Mid-tier markets include Chicago, Dallas, Atlanta, and Denver. Rural and smaller metro markets typically run 15–25% below national median.
Fractional and outsourced compliance officer rates: Groups that cannot justify a full-time hire often bring in outsourced HIPAA compliance officers. Typical engagement structures run $2,500–$6,000 per month for small practices (monthly check-ins, policy maintenance, risk assessment oversight), and $6,000–$15,000 per month for mid-size organizations requiring weekly involvement, breach response support, and audit readiness work. Hourly consulting rates for independent HIPAA compliance experts range from $150 to $350 per hour depending on credentials and specialization.
One Guy Consulting offers compliance program support structured for small and mid-size healthcare organizations — including access to a HIPAA policy library, risk assessment tools, and staff training modules that reduce the workload on whoever holds the compliance officer role.
Annual HIPAA Compliance Officer Checklist
The compliance officer role is not a one-time setup task — it is a continuous operational function. The checklist below covers the recurring tasks that OCR expects to see documented evidence of during an audit. Items marked “Required” have a direct regulatory mandate; items marked “Best Practice” are what OCR looks for as evidence of a functioning program.
| Task | Frequency | Regulatory Basis | Documentation Required |
|---|---|---|---|
| Conduct or oversee security risk assessment | Annual (minimum) | Required — 45 CFR 164.308(a)(1) | Signed risk assessment report with findings and remediation plan |
| Review and update all HIPAA policies | Annual | Required — 45 CFR 164.530(i) | Policy version log with review dates and approvals |
| Deliver HIPAA training to all workforce members | Annual (new hires at onboarding) | Required — 45 CFR 164.530(b) | Training completion records by employee with dates |
| Review and renew all business associate agreements | Annual review; update on material changes | Required — 45 CFR 164.308(b) | BAA inventory with expiration dates and signed copies |
| Audit access logs for unauthorized PHI access | Monthly (minimum) | Best Practice — supports 45 CFR 164.312(b) | Audit log review records with any anomalies investigated |
| Test breach response procedures | Annual tabletop exercise | Best Practice — supports 45 CFR 164.308(a)(6) | Tabletop exercise summary and lessons learned |
| Review Notice of Privacy Practices | Annual; update when policies change materially | Required — 45 CFR 164.520 | Current NPP version posted and distributed |
| Evaluate physical safeguards | Semi-annual walkthrough | Best Practice — supports 45 CFR 164.310 | Facility walkthrough checklist with date and reviewer |
| Report compliance metrics to leadership / board | Quarterly | Best Practice — OCR audit expectation | Compliance dashboard or report with leadership acknowledgment |
| Review sanction policy and document any applied sanctions | As incidents occur; review annually | Required — 45 CFR 164.530(e) | Sanction log with disciplinary action records |
| Verify encryption status of all ePHI storage and transmission | Quarterly check; annual full audit | Best Practice — supports 45 CFR 164.312(a)(2)(iv) | Encryption inventory and verification records |
| Submit HHS breach reports for incidents ≥ 500 individuals | Within 60 days of discovery | Required — 45 CFR 164.408 | HHS breach portal submission confirmation |
The checklist above is a starting point, not an exhaustive compliance program. Every organization’s risk profile is different. A behavioral health practice faces different exposure than a dental group or a billing clearinghouse. The risk assessment drives what additional tasks belong on your specific checklist.
Building a HIPAA Compliance Program from Scratch
New compliance officers — whether stepping into the role for the first time or taking over a neglected program — face the same challenge: where to start when everything needs attention. The answer is sequencing. Not everything can be done at once. The goal of the first 90 days is to assess what exists, stop the bleeding on the highest-risk gaps, and build credibility with leadership.
Days 1–30: Assess and orient
- Meet with leadership, IT, HR, and department heads to understand the current state of compliance activities.
- Collect all existing compliance records: policies, training records, risk assessment reports, BAA list, incident logs, audit logs.
- Identify immediately critical gaps: Are BAAs missing with active vendors? Has the risk assessment ever been done? Are there open breach incidents with no documentation?
- Review the most recent three years of OCR enforcement actions in your sector to understand what auditors focus on.
- Set yourself up as the named Privacy Officer and Security Officer in formal records.
Days 31–60: Address the highest-risk gaps
- Launch or schedule the security risk assessment if one has not been completed in the past 12 months. This is the single most frequently cited OCR deficiency.
- Inventory all active vendors and identify any that handle PHI without a signed BAA. Execute missing BAAs immediately — review our guide to common business associate agreement mistakes to avoid errors.
- Confirm that HIPAA training records exist for current workforce. If not, schedule a training cycle.
- Review the Notice of Privacy Practices for accuracy and confirm it is posted and distributed correctly.
- Document everything you are doing. An OCR auditor will ask what the officer did when they found gaps — your documentation is your answer.
Days 61–90: Build the ongoing program
- Draft or update the core policy set: privacy policies, security policies, breach response policy, sanctions policy, and staff training policy. One Guy Consulting’s policy library provides pre-written, legally reviewed templates as a starting point.
- Set up a compliance calendar with recurring task dates (yearly risk assessment, yearly training, quarterly BAA review).
- Present a compliance program status report to leadership — current state, gaps identified, remediation timeline, and resource needs.
- Identify which HIPAA compliance tools can reduce the manual workload (policy management, training tracking, risk assessment modules, audit log review).
- Build a working relationship with legal counsel for breach response and policy interpretation support.
The first 90 days will not produce a perfect compliance program. The goal is a documented, functioning program with visible momentum. OCR evaluates intent, effort, and documentation — not perfection.
Key stat: Under 45 CFR 164.530(a)(1), every covered entity must designate a Privacy Officer responsible for developing and implementing privacy policies. Under 164.308(a)(2), every covered entity must designate a Security Officer responsible for the security program. These can be the same person in small practices, but the roles must be formally documented. OCR routinely asks for this documentation during investigations.
Sources
- HHS: HIPAA Privacy Rule — Privacy Policies and Procedures (45 CFR 164.530)
- HHS: HIPAA Security Rule Guidance — Security Official Designation (45 CFR 164.308(a)(2))
- HHS: HIPAA Security Rule NPRM 2025 — Proposed Updates
- Bureau of Labor Statistics: Compliance Officers (SOC 13-1041) — Wage Data
- Health Care Compliance Association (HCCA) — CHC and CHPC Certification
- International Association of Privacy Professionals — CIPP/US Certification
- 45 CFR 164.530(a) — Privacy Officer Designation
- 45 CFR 164.308(a)(2) — Security Officer Designation
- HHS OCR Compliance and Enforcement
- NIST SP 800-66 Rev. 2 — HIPAA Security Rule Implementation