Sample (Chief) Security Officer Job Description
Position Title: (Chief) Security Officer1
Immediate Supervisor: Chief Executive Officer, (Chief) Compliance Officer, Senior Executive (Chief operating officer, CIO), (Senior) In-house Counsel, or Practice Manager; Corporate/Administrative Oversight Services Information System Director
Position Overview: Under the HIPAA (the Health Insurance Portability and Accountability Act of 1996) Security Rule every Covered Entity (CE) and Business Associate (BA) must designate a security official. The security official may have other titles and duties in addition to his/her security official designation in a typical practice or organizational setting. In terms of HIPAA compliance the security official shall oversee and ensure compliance with both the required and addressable, technical, administrative and physical safeguards in accordance with applicable federal and state laws, especially the HIPAA Security Rules.
General Purpose: The Security Officer is responsible for the organization's Security Program including but not limited to daily operations of the IT security program, oversight of the annual and ongoing risk assessment process, development, implementation, and maintenance of policies and procedures, ensuring the confidentiality, integrity and access of electronic protected health information and of monitoring program compliance as well as investigation and tracking of incidents and breaches and in compliance with federal and state laws.
- Builds a strategic and comprehensive information security program that defines, develops, maintains and implements policies and processes that enable consistent, effective information security practices which minimize risk and ensure the integrity, confidentiality and availability of information that is owned, controlled and processed within the organization. Ensures information security policies, standards, and procedures are up-to-date.
- Initiates, facilitates, and promotes activities to foster information security awareness within the organization.
- Creates a culture of cyber security both with the IT organization and driving behavioral changes for the business.
- Evaluates security trends, evolving threats, risks and vulnerabilities and applies tools to mitigate risk as necessary.
- Manages security incidents and events involving electronic protected health information (ePHI)
- Ensure that the disaster recovery, business continuity, risk management and access controls needs of the facility are addressed.
- Ensures the institution/organization complies with the administrative, technical and physical safeguards.
- Collaborates with organization senior management, Privacy Officer, and Corporate Compliance officer to establish governance for the security program.
- Serves in a leadership role for security compliance.
- Works closely with the Privacy Officer to ensure alignment between security and privacy compliance programs including policies, practices and investigations, and acts as a liaison to the information systems and compliance departments.
- Is responsible for initial and periodic information security risk assessment/analysis, mitigation and remediation. Responsible for development and implementation of security risk management plan.
- Ensure organization has audit controls to monitor activity on electronic systems that contain or use electronic protected health information.
- Oversee periodic monitoring and reviewing of audit records to ensure that activity is appropriate. Such activity would include, but is not limited to, logons and logoffs, file accesses, updates, edits and printing.
- Ensure the organization has and maintains appropriate system use and disclosure / confidentiality statement.
- Oversees, develops and/or delivers initial and ongoing security training to the workforce. Initiates, facilitates and promotes activities to foster information security awareness within the organization and related entities
- Participates in the development, implementation, and ongoing compliance monitoring of all BA's and business associate agreements, to ensure -security concerns, requirements, and responsibilities are addressed.
- Assists Privacy Officer as needed with breach determination and notification processes under HIPAA and applicable State breach rules and requirements.
- Establishes and administers a process for investigating and acting on security incidents which may result in a privacy breach breaches.
- Partners with Human Resources and Privacy Officer to ensure consistent sanctions for security violations
- Maintains current knowledge of applicable federal and state security laws, licensing and certification requirements and accreditation standards.
- Cooperates with the U.S. Department of Health and Human Service's Office for Civil Rights, State regulators and/or other legal entities, and organization on officers in any compliance reviews or investigations.
- Serves as information security consultant to all departments for all data security related issues.
- Baccalaureate degree in information systems or a related healthcare field.
- Knowledge and experience in state and federal information security laws, including but not limited to HIPAA, including NIST, PCI and all other applicable regualtions.
- Demonstrated organization, facilitation, written and oral communication, and presentation skills.
- Recommended Security certification such as Certified in Healthcare Privacy and Security (CHPS) and/or other healthcare industry related security credentials.
- Demonstrated skills in collaboration, teamwork, and problem-solving to achieve goals.
- Demonstrated skills in verbal communication and listening.
- Demonstrated skills in providing excellent service to customers.
- Excellent writing skills.
- A high level of integrity and trust.
- Knowledge of HIPAA, state and federal guidelines on security, transactions and security.
- Extensive familiarity with health care relevant legislation and standards for the protection of health information and patient security.
The title for this position will vary from organization to organization, and may not be the primary title of the individual serving in the position. "Chief" would most likely refer to very large integrated delivery systems. The term "Security Officer" is not specifically mentioned in the HIPAA Security Regulation.