The role of HIPAA Security Officer is very important in maintaining compliance. In smaller organizations, there's overlap in employees' roles, so the person that ends up as the HIPAA Security Officer may not have a whole lot of background in compliance. Does the individual serving in this role face more personal liability for breaches than other employees?

John Straka

3 Answers

Good question! But there's not a solid answer I'm afraid. As with most of these cases, it depends case by case, but there are a few things to consider.

First of all, if there has been some form of negligence, then an individual can be personally liable.

However, I don't think that a HIPAA Security Officer is any different from any other person responsible for the security of sensitive personal information; usually these cases don't make it to court.

Timo Willemsen
  • Asked our company's lawyer and pretty much got the same answer. Though I admit "I can tell you that it hasn't happened yet" wasn't as reassuring as I'd hoped. – John Straka Oct 14 '11 at 12:21
  • @JohnStraka Professional liability from a company officer usually requires inappropriate ignorance of conditions or malice. If you made the best reasonable efforts, you ought to be in a sound position. – Jeff Ferland Oct 26 '11 at 23:05
  • Any update to this? Anyone know of any cases where Security Officer was held personally liable? – Andrew Oct 07 '19 at 14:46
Does the individual serving in this role face more personal liability for breaches than other employees?

Disclaimer: I am not a lawyer, but I have been through several rounds of HIPAA training.

Is a HIPAA security officer automatically liable for a breach? No. If the security officer has done due diligence, the proper safeguards are in place, and some malicious user goes and sells a celebrity's health information to a paparazzi anyway, it seems doubtful that the security officer would be named in any resulting lawsuit. Even if they were named, they've done their job and should have nothing to fear.

But is a HIPAA security officer exposing him/herself to more potential liability than the average employee? Maybe. By taking on the responsibility for this area, it's possible that they might face some form of liability if they are negligent in the safeguards they put into place or the training of others. (Though as @John Straka pointed out, I've never heard of it happening.)

Unfortunately, I think the question is currently moot. While I think HIPAA compliance is important, enforcement is still non-existent.

Franken noted dryly that 64,000 privacy complaints have been filed with the OCR—and that nearly 500 were referred to the Justice Department for criminal investigation. But the Justice Department told his staff, Franken said, there have been just 16 HIPAA criminal prosecutions. Meanwhile, HHS had secured only one civil monetary penalty and six settlements, he said.

http://www.modernhealthcare.com/article/20111116/BLOGS02/311169962/candid-comments-on-hipaa-privacy-rules-enforcement

Until enforcement changes occur, we won't know who will really end up being responsible.

Chris K