What is a Compliance Officer?

A Compliance Officer is an individual who needs to have a strong understanding of his/her organization's processes, documentation practices, risk management practices, incident response plan and current compliance requirements. Read below for additional details or download the detailed job description.


Organizational Processes

Information acquisition, utilization and disposition are processes that must be efficient and effective to enable the business to accomplish its mission.

  • The Compliance Officer must understand these processes to ensure their correct functioning.
  • Knowing these processes also helps the Compliance Officer identify potential points of exposure, compromise, or misuse, so they can be addressed and corrected as quickly as possible, ideally before an exposure occurs.
  • Exposures include the unintentional "mistake" and the intentional "attack" from internal or external sources.

Documentation, Risk Management and Incident Response

The Compliance Officer needs to understand documentation because he/she will have to produce it during the normal performance of their duties:

  • Documentation is also used for internal or external investigative efforts.
  • These duties include classification and categorization of information, chain of custody, records retention practices, declassification and disposal practices, system audits, and other such activities.

A Compliance Officer needs to understand the basics of risk management and remediation:

  • This is so they know what constitutes "risk" (of compromise, etc.), asset valuation, methods of mitigation, and so forth.

They need to understand how to respond to incidents of compromise:

  • Compromises can, do, and will occur no matter how good our programs are.
  • When they do, the Compliance Officer needs to know the "five R's" - Recognize, React, Remediate, Restore, and Resume.

Compliance Requirements

The Compliance Officer most certainly needs to understand requirements and what it means to be "compliant" in each case.

This is more than simply knowing them: the Compliance Officer must know how to achieve them in a balanced way that establishes a compliant position (either in the "letter" or the "spirit" of the law, as the case may be), while enabling the entity to function efficiently and effectively.

This means the Compliance Officer must understand the control types:

  • Administrative: Paper-based directives which include Policy, Standard, Procedure, and Guideline.
  • Technical: Components of hardware, software, firmware and their configurations.
  • Physical: Locks, monitoring, facility management and similar aspects.
  • Organizational: Contracts, Business Associate (BA) addenda, and audit tools for BAs (SAS 70, ISO 27002).

The Compliance Officer must also understand the individual categories (each of these exists in each of the above types):

  • Preventive/Deterrent
  • Detective
  • Corrective/Recovery
  • Compensating

Appropriate PHI Safeguards Include Training, Policies, Procedures

Regarding the treatment of protected health information, Covered Entities shall use all appropriate safeguards to prevent use or disclosure of Protected Health Information received from, or created or received on behalf of, the Covered Entity other than as provided for in the Business Associate Agreement or as required by law.

These safeguards will include, but not be limited to:

  1. Training
    • Providing annual training to relevant employees, contractors and subcontractors on how to prevent the improper use or disclosure of Protected Health Information;
    • Updating and repeating training on a regular basis.
  2. Administrative Safeguards
    • Adopting policies and procedures regarding the safeguarding of Protected Health Information;
    • Enforcing those policies and procedures, including sanctions for anyone found not in compliance.
  3. Technical and Physical Safeguards
    • Implementing appropriate technical safeguards to protect Protected Health Information, including access controls, authentication and transmission security; and
    • Implementing appropriate physical safeguards to protect Protected Health Information, including workstation security and device and media controls.