HIPAA Privacy Officer and Security Officer: What Small Clinics Need

HIPAA requires every covered entity to designate a privacy official and a security official. This article explains what each role requires, whether one person can hold both, and what documentation you need to demonstrate the designation.

Short answer

HIPAA requires every covered entity to designate a privacy official (45 CFR §164.530(a)) and a security official (45 CFR §164.308(a)(2)), and to document both designations. Nothing in the rules prohibits one person from holding both roles, and in small clinics one person typically does. The sections below cover the regulatory basis for each requirement, the practical functions of each role, and what documentation demonstrates a compliant designation.

HIPAA does not allow a covered entity to own its compliance program collectively without naming someone responsible for it. The regulation requires every covered entity to designate specific individuals to own privacy and security functions — and to document those designations. This requirement applies to a 200-physician hospital system and a two-person family practice equally.

This article explains the HIPAA compliance officer role — actually two distinct regulatory requirements — and what the job looks like week to week in a small clinic.

The two separate regulatory requirements

HIPAA creates two distinct designation requirements under different rules.

Privacy official: 45 CFR §164.530(a)

The Privacy Rule at 45 CFR §164.530(a) requires every covered entity to designate a privacy official who is responsible for developing and implementing the covered entity’s privacy policies and procedures.

This is a standard of the Privacy Rule, which has no “addressable” specifications; there is no flexibility to skip it or substitute an alternative. The same section (§164.530(a)(1)(ii)) also requires designating a contact person or office responsible for receiving privacy complaints, and §164.530(a)(2) requires that these designations be documented. In a small clinic the privacy official usually serves as the complaint contact as well.

The privacy official must:

  • Develop and maintain privacy policies and procedures consistent with the Privacy Rule
  • Receive and process complaints related to privacy practices
  • Ensure the workforce is trained on privacy policies (delivery of the training itself may be delegated)
  • Ensure the clinic’s Notice of Privacy Practices (NPP) is current and distributed appropriately
  • Oversee patient rights requests — access to records, amendments, accounting of disclosures, restrictions
  • Maintain documentation of privacy policies and their revision history

The regulation specifies the function, not the title. “Privacy officer,” “compliance officer,” “HIPAA officer,” and “privacy coordinator” are all acceptable titles so long as the person actually performs the required functions.

Security official: 45 CFR §164.308(a)(2)

The Security Rule at 45 CFR §164.308(a)(2) requires every covered entity (and, since the 2013 Omnibus Rule, every business associate) to identify a security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule.

This is also a standard, not an addressable implementation specification; there is no opt-out.

The security official must:

  • Oversee the clinic’s risk analysis and risk management program
  • Develop and maintain security policies and procedures
  • Ensure workforce security training is conducted
  • Manage access control — who can access which systems containing ePHI
  • Oversee physical security of workstations, servers, and devices that store or access ePHI
  • Respond to security incidents and coordinate breach response
  • Maintain documentation of security policies and procedures

The security official does not need to be a technical expert. In many small clinics, the security official is the office manager or administrator who coordinates with an IT managed service provider for technical implementation. What matters is that one person owns accountability for security decisions and documentation. Outsourcing the technical work does not transfer that accountability: a managed service provider that creates, receives, maintains, or transmits ePHI on the clinic’s behalf is a business associate and must be under a business associate agreement (BAA), and the security official remains responsible for knowing what the provider has and has not implemented.

Can one person hold both roles?

Yes. HIPAA does not require separate individuals for privacy and security functions. Small clinics routinely designate one person — typically the practice administrator, office manager, or in solo practices, the physician — to serve as both privacy official and security official.

Combining the roles has practical advantages in a small clinic. The privacy and security functions overlap significantly. Breach response, workforce training, and vendor oversight all require coordination between both functions. One person holding both roles eliminates handoff problems and keeps accountability clear.

The practical limitation is capacity. The combined role carries real work. If the designated individual is also managing scheduling, billing, and front desk operations, the compliance functions may not get the attention they need. That is not a regulatory problem on its face, but it becomes one when documentation falls behind or incidents are not escalated properly.

Does every practice need a designated official?

Yes. There is no size exemption. The requirement applies to:

  • Solo physician practices
  • Two-physician partnerships
  • Group practices of any size
  • Clinics, urgent care centers, and specialty practices
  • Any other covered entity as defined at 45 CFR §160.103

HHS guidance confirms that all covered entities, regardless of size, must designate privacy and security officials. A solo practitioner must designate someone — even if that someone is the physician themselves. The physician then documents their own designation and carries the compliance responsibilities accordingly.

What the role looks like week to week

In a small clinic, the privacy/security officer role is not a full-time job. It is a recurring set of functions that require consistent attention:

Ongoing functions (continuous)

  • Receiving and triaging privacy complaints from patients or staff
  • Reviewing access logs or audit reports from EHR and practice management systems
  • Answering staff questions about permissible PHI uses

Periodic functions (monthly or quarterly)

  • Reviewing any security incidents or near-misses that were logged
  • Checking that the business associate agreement (BAA) list is current as vendor relationships change
  • Reviewing workforce training completion records

Annual functions

  • Conducting or commissioning the required HIPAA risk analysis
  • Updating privacy policies and procedures to reflect any regulatory changes or operational changes
  • Conducting workforce HIPAA training (new hire training may be more frequent)
  • Reviewing and updating the Notice of Privacy Practices if any practices have changed
  • Auditing physical safeguards — device inventory, workstation security, visitor controls

Event-driven functions

  • Responding to patient requests to access, amend, or restrict records
  • Managing breach investigation and notification if a reportable incident occurs (individual notice is due without unreasonable delay and no later than 60 calendar days after discovery under 45 CFR §164.404, so the clock starts at discovery, not at the end of the investigation)
  • Reviewing any new software or vendor that will access ePHI before onboarding

In a well-run small clinic, a practice administrator who takes the role seriously can fulfill these functions in a few hours per month during normal operations. A breach or an OCR complaint will demand significantly more time.

What documentation demonstrates the designation

Documentation serves two purposes. First, it creates accountability — the designated official knows what they own. Second, it provides evidence during an OCR audit or compliance review.

At minimum, the clinic should maintain the following, retained for at least six years from the date of creation or the date the document was last in effect, whichever is later (45 CFR §164.530(j) and §164.316(b)(2)):

A written designation letter or appointment. This document names the individual, identifies the role (privacy official, security official, or both), and states the effective date. It should be signed by the physician owner or clinic leadership. If the designated official changes, a new document should record the new designation and the transition date.

A role description or responsibility summary. This maps the regulatory requirements — the responsibilities assigned by 45 CFR §164.530(a) and 45 CFR §164.308(a)(2) — to the specific tasks the designated individual is responsible for at your clinic. A generic job description is less useful than a document that references the specific regulatory sections.

Training records for the designated official. If the person completed HIPAA-specific training or a compliance certification course, retain those records. They demonstrate that the designation was substantive, not nominal.

Policies signed or approved by the designated official. As the official develops and maintains privacy and security policies, those policies should bear their name or approval signature. This creates a paper trail connecting the person to the function over time.

The OCR audit perspective

OCR’s HIPAA audit protocol includes verification of both the privacy official designation and the security official designation. Auditors ask to see documentation of the designation and evidence that the official actually performs the required functions — not just a name on a chart.

Common findings that create problems in audits:

  • The designated official left the clinic and no successor was named
  • The designation document exists but the designated official cannot describe their compliance responsibilities
  • No training records exist for the designated individual
  • Privacy and security policies exist but bear no indication of who developed or approved them

A designation that exists only on paper — with no supporting evidence of actual function — provides limited protection in an enforcement context.

The practical starting point

For a small clinic without a designated official, the path forward is straightforward:

  1. Select the person who will serve as privacy and security official (typically the practice administrator)
  2. Draft a designation letter naming that person and effective date, signed by clinic leadership
  3. Create a one-page summary of responsibilities keyed to the regulatory citations
  4. Schedule the initial risk analysis if one has not been completed
  5. Document the designation in the clinic’s HIPAA policy binder or compliance management system

From that foundation, the designated official can build out the policies, training program, and documentation practices that constitute a functioning compliance program.

FAQ

Questions related to this topic

Does a solo practice need a HIPAA privacy officer?

Yes. The requirement applies to all covered entities, including solo practitioners. The physician may designate themselves as the privacy and security official, but the designation must be documented.

Can the same person be both the privacy officer and the security officer?

Yes. HIPAA does not prohibit combining the roles. Small clinics typically designate one person — often the practice administrator or office manager — to fulfill both functions.

Does the privacy or security officer need a specific credential or certification?

HIPAA does not require a specific credential. The regulation requires that the designated official have responsibility for developing and implementing policies — not that they hold a certification. Training in HIPAA compliance is strongly advisable but not mandated by the regulation.

What happens if we do not designate a privacy or security official?

Failure to designate an official is a violation of 45 CFR §164.530(a) and 45 CFR §164.308(a)(2). OCR auditors check for these designations during compliance reviews. The absence of a designated official is a finding that can escalate to a civil money penalty.
