QUESTION: Is our group well being plan permitted to outsource the roles of HIPAA privateness official and safety official?

ANSWER: Presumably, however it might be prudent to hunt the recommendation of authorized counsel given the absence of official steering. Most coated entities should designate a privateness official who’s accountable for the event and implementation of the entity’s HIPAA privateness insurance policies and procedures. Equally, a coated entity should appoint a safety official who’s accountable for the event and implementation of HIPAA safety insurance policies and procedures. A coated entity’s safety official would be the similar particular person serving because the entity’s privateness official.

Though there may be language within the preamble to the privateness rule that appears to imagine that the privateness official can be an worker of the coated entity, there isn’t a specific requirement to that impact. And since some coated entities (e.g., most group well being plans) won’t have staff, the privateness official’s duties should be carried out by a 3rd social gathering (for a bunch well being plan, normally an worker of the plan sponsor).

The preamble additionally supplies that the identical particular person might be the privateness official for multiple entity. Moreover, it emphasizes that the privateness guidelines are meant to be “scalable”—i.e., they might be met in a wide range of methods relying on the scale and complexity of the group. Even when this requirement is delegated to a 3rd social gathering (such because the group well being plan’s third-party administrator), the coated entity itself remains to be legally accountable for HIPAA compliance and is topic to potential penalties for noncompliance.

For extra info, see EBIA’s HIPAA Portability, Privateness & Safety handbook at Sections XXVIII.A (“Privateness Official and Contact Individual or Workplace”) and XXX.B.2 (“Commonplace: Assigned Safety Duty”). See additionally EBIA’s Self-Insured Well being Plans handbook at Part XXXI.E (“Privateness and Safety Challenges for Sponsors of Self-Insured Well being Plans”).

Contributing Editors: EBIA Workers.