HIPAA Designation Checklist: Appointing Your Privacy Official and Security Official
HIPAA requires covered entities to formally appoint a Privacy Official and a Security Official to build, run, and document your privacy policies and security policies. This HIPAA Designation Checklist helps you select the right people, create solid designation documentation, organize compliance monitoring, strengthen workforce training, and prepare for breach notification.
Use the sections below to confirm minimum requirements, define responsibilities, and operationalize an appointment process you can defend in audits and in day‑to‑day operations.
Privacy Official Designation
Minimum requirements
- Formally designate a Privacy Official in writing with clear authority to develop, approve, and enforce privacy policies and procedures.
- Give direct access to leadership, budget influence, and independence to investigate complaints and apply sanctions.
- Ensure cross‑functional reach across patient access, health information management, clinical teams, billing, marketing, and vendors.
- Identify a trained delegate for coverage during absences and specify an escalation path.
Selection criteria
- Proven knowledge of HIPAA Privacy Rule requirements and related state privacy laws that affect uses and disclosures of PHI.
- Strength in policy drafting, change management, and complaint resolution with strong interpersonal communication.
- Ability to translate regulation into workflows, forms, and system controls used by frontline staff.
- Experience coordinating with compliance, legal, HR, HIM, and security teams.
Core duties
- Develop, maintain, and communicate privacy policies; align procedures for uses/disclosures, minimum necessary, and patient rights.
- Oversee the Notice of Privacy Practices, authorization templates, and forms for access, amendments, and accounting of disclosures.
- Operate the complaint intake and response process; oversee mitigation and sanction policies.
- Coordinate workforce training on privacy topics and maintain training records.
- Manage business associate privacy obligations in coordination with contracting and vendor management.
- Maintain designation documentation and all related records for at least six years from the date of creation or last effective date.
Security Official Designation
Minimum requirements
- Formally identify a Security Official responsible for developing and implementing the organization’s security policies and procedures.
- Grant authority to direct administrative, physical, and technical safeguards across IT, facilities, and operations.
- Ensure the role can coordinate incident response, risk analysis, and remediation with sufficient resources.
Selection criteria
- Hands‑on experience with security risk management, identity and access management, vulnerability management, and incident response.
- Ability to work with clinical applications, EHRs, cloud platforms, medical devices, and third‑party service providers.
- Competence in policy writing and security architecture, plus skill in communicating risk to executives and auditors.
Core duties
- Perform and update risk analysis and risk management plans; track remediation through closure.
- Publish and maintain security policies covering access control, encryption, backup/recovery, logging/monitoring, and change management.
- Implement safeguards: workforce security, facility controls, device/media controls, and technical protections such as MFA and encryption.
- Lead security incident handling and coordinate with privacy on potential breaches.
- Run ongoing security awareness and workforce training; measure effectiveness and adjust content.
- Oversee vendor security due diligence and business associate security requirements.
- Maintain designation documentation, system inventories, network diagrams, and incident logs.
Combined Roles Considerations
When it works
- Small or resource‑constrained covered entities where one seasoned leader can manage both privacy and security programs.
- Organizations with low system complexity and straightforward data flows.
When to separate
- Larger enterprises, multi‑site systems, research programs, or complex vendor ecosystems.
- Environments needing strong segregation of duties for access provisioning, monitoring, and investigations.
Safeguards if combined
- Issue a single charter that distinctly defines privacy vs. security responsibilities and decision rights.
- Assign deputies for day‑to‑day tasks and establish an independent review (e.g., internal audit) for compliance monitoring.
- Publish clear escalation to senior leadership and schedule routine reports on training, incidents, and risk remediation.
Documentation and Role Definition
Designation documentation checklist
- Signed appointment letters naming the Privacy Official and Security Official with effective dates and scope.
- Role descriptions outlining authority, responsibilities, KPIs, and required collaboration points.
- Organization chart and contact details; identify delegates and backup coverage.
- Cross‑references to privacy policies and security policies owned or co‑owned by each role.
- Procedures for complaint handling, incident response, and change control.
Retention and version control
- Retain designation documentation, policy versions, and training records for at least six years.
- Use version numbers, approval signatures, and effective dates; archive superseded documents.
- Store records in a controlled repository with access logging.
Communication plan
- Announce appointments to the workforce and publish contact channels for questions and complaints.
- Embed roles and responsibilities into onboarding materials and departmental playbooks.
- Review and update communications when personnel or procedures change.
Compliance Monitoring Responsibilities
Recurring activities
- Run an annual security risk analysis and a privacy risk review; update risk registers and remediation plans.
- Conduct periodic audits of access, minimum necessary, disclosures, and device/media handling.
- Test incident response and breach notification procedures with tabletop exercises.
- Assess vendor compliance, including business associate agreements and security attestations.
- Review policy effectiveness and align controls with operational changes and new technologies.
Metrics and reporting
- Training completion rates, phishing metrics, and required policy acknowledgments.
- Access anomalies, privileged access reviews, and timeliness of termination/deprovisioning.
- Patch/vulnerability aging, encryption coverage, and backup test success rates.
- Incident counts, time‑to‑detect, time‑to‑contain, and root‑cause trends.
- Vendor risk scores and BAA status tracking.
Training Requirements
Workforce training essentials
- Provide privacy and security training to all workforce members at hire and periodically thereafter.
- Offer role‑based modules for high‑risk functions such as HIM, billing, research, and IT administrators.
- Run continuous security awareness: phishing simulations, safe data handling, and secure remote work practices.
Content priorities
- Privacy topics: minimum necessary, permissible disclosures, patient rights, and complaint handling.
- Security topics: password hygiene, MFA, device/media controls, email and messaging safeguards, and incident reporting.
- Scenario‑based exercises using your systems and workflows to make training practical.
Documentation and follow‑up
- Track attendance, completion scores, and policy acknowledgments; remediate gaps quickly.
- Refresh content after incidents, technology changes, or policy updates.
- Include training evidence in your designation documentation package.
Breach Notification Procedures
Immediate response (contain, investigate, decide)
- Secure systems, preserve evidence, and begin incident logging; coordinate between Security and Privacy Officials.
- Conduct a four‑factor risk assessment: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
- Decide whether the event is a reportable breach and document the rationale.
Notification timelines and thresholds
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
- If 500 or more individuals in a state or jurisdiction are affected, notify prominent media and report to HHS within 60 days.
- For fewer than 500 individuals, log the breach and submit to HHS no later than 60 days after the end of the calendar year.
- Business associates must notify the covered entity without unreasonable delay and no later than 60 days, providing details needed for notices.
Notification content
- Brief description of the incident, types of PHI involved, dates, and discovery date.
- Steps individuals should take to protect themselves and what your organization is doing to mitigate harm.
- Contact information for questions and free credit monitoring or identity protection if warranted.
After‑action improvements
- Remediate root causes, update policies, and strengthen controls; verify completion through compliance monitoring.
- Refresh workforce training to address lessons learned and reduce recurrence risk.
- Retain all breach documentation and communications for at least six years.
Bringing these steps together, your HIPAA Designation Checklist ensures the right leaders are appointed, duties are clear, designation documentation is complete, compliance monitoring is routine, workforce training is effective, and breach notification can be executed confidently when needed.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
FAQs
Who must be designated as the Privacy Official under HIPAA?
Each covered entity must designate a Privacy Official responsible for developing, implementing, and maintaining the organization’s privacy policies and procedures. The role may be full‑time or assigned to an existing leader, but it must have authority to act and access to senior management.
What are the key responsibilities of the Security Official?
The Security Official leads the security program: performing risk analysis, managing safeguards, publishing security policies, coordinating incident response, overseeing access controls and logging, directing security awareness training, evaluating vendors, and maintaining documentation that demonstrates compliance.
Can one person serve as both the Privacy Official and Security Official?
Yes. HIPAA permits one person to serve in both roles. If combined, ensure the individual has sufficient time, expertise, and authority, and put guardrails in place—delegates, independent reviews, and clear separation of duties for high‑risk activities.
How should covered entities document these personnel designations?
Create designation documentation that includes signed appointment letters, detailed role descriptions, org charts, contact information, deputies, and links to relevant privacy and security policies. Keep training records, incident logs, and approvals, and retain all documents for at least six years.