[Transcript] Episode 432: Decisions Around Designating Your Security Officer

 

Evan Dumas

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.

 

Liath Dalton 

And I’m Liath Dalton, and we are Person Centered Tech.

 

Liath Dalton 

This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and Electronic Health Record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance, all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.

 

Evan Dumas

Hello and welcome to Episode 432: Decisions Around Designating Your Security Officer.

 

Liath Dalton 

This is a really important role, and the decisions around designating a security officer are significant and impactful, and ones that we get a lot of questions around. So we thought it would be helpful to kind of parse through it and identify what the primary factors to consider are and help you be equipped to make the best decision around designating this role in your practice as possible. So, first and foremost, what is a security officer? 

 

Evan Dumas

Yeah.

 

Liath Dalton

Yeah. So, Evan, what would be your little, in a nutshell, description of the security officer role?

 

Evan Dumas

Yeah. A security officer is your point person for HIPAA compliance and HIPAA security, and pretty much, you know, the Security Rule for HIPAA. But it's the person that you, as leadership, go to for knowing what decisions to make, and also the person your workforce goes to when they've got questions around how to do HIPAA compliance and what that entails, and they're the one who takes on that responsibility.

 

Liath Dalton  

Exactly. So the way to think of it is that they are the administrator of the HIPAA security compliance program and risk management activities within your practice. 

 

Liath Dalton 

Now, the security officer role is required to be designated for all HIPAA covered entities. You need to have a privacy officer as well. The privacy officer’s role is the Privacy Rule compliance aspects of HIPAA, but it is not atypical for a practice to have the same person wearing the security officer hat and the privacy officer hat, in which case they’re just the HIPAA officer. 

 

Evan Dumas

Mhm.

 

Liath Dalton 

But in some instances, folks want to split that role, which is totally feasible. But what we’re going to be focusing on today is the security officer role. Basically, the Privacy Rule of HIPAA defines what must be kept private. And then the Security Rule and all of its standards are the logistics, the mechanisms,

 

Evan Dumas

Yeah, the how-to.

 

Liath Dalton 

through which the information that has to be kept private is kept private. So the security officer role entails managing and overseeing how the technical, administrative and physical safeguards are implemented and adhered to within the practice, and doing some ongoing tasks related to complying with the requirements of the security rule, like audit logs and usage log reviews, overseeing the granting and revocation of access to PHI, that sort of thing. 

 

Liath Dalton

Now, essentially, some of the main questions and concerns that we get around the security officer role are: one, does this need to be filled by the practice owner directly? Two, if not, does it have to be a clinician or can it be an admin? And whoever is filling that role, whether it be leadership, clinician or admin, do they need to be an IT expert and a health information systems security expert? Because that sure doesn't seem like anything that anyone within, you know, 99.99% of practices has as a primary skill set or background.

 

Evan Dumas

Not at all.

 

Liath Dalton  

So to answer those questions, one, the security officer role does not have to be filled by the practice owner. Typically what we will recommend is that it initially is filled by the practice owner, though, because the practice owner should have an intimate knowledge of each of the sort of details and components of your security compliance program, and be the initial decision maker for the decisions that get reflected in the practice’s security policies and procedures. 

 

Liath Dalton

Now it’s, long term for most group practices, not a role that should be worn by the practice owner. Because typically there are going to be more worthwhile utilizations of your time, capacity and skill set. And so being able to delegate this role is something we really want to work towards and be intentional about from the outset. And if you have a team member who, long term, you would want to be delegating the role to, but you’re going to wear that hat initially, what makes sense is to designate the eventual holder of that role as your deputy security officer. 

 

Evan Dumas

Uh-huh. Yep.

 

Liath Dalton

And in that way they can be knowledgeable of what the program contents are, what the role is going to entail, what it takes to fulfill those responsibilities, and then that makes for a more seamless transition when you are ready to officially hand over the security officer role to them. 

 

Evan Dumas

Yeah. It’s not a big surprise, right? 

 

Liath Dalton

And it’s also ideal that once the practice owner is no longer wearing the official security officer hat, that they still have a deputy security officer within the practice. You know, if you’re a really small group practice, you might not have the personnel to facilitate that, but if you do, it is ideal to have a deputy security officer, so that there can be backup, right, in the event that unforeseen circumstances arise, or there are kind of emergent needs, and the primary security officer is unavailable. 

 

Liath Dalton

Having another team member who understands what needs to be done and can do some of that lifting just helps for continuity and efficiency and effectiveness, honestly. 

 

Evan Dumas

Yeah.

 

Liath Dalton

So the next considerations are really who amongst your team is best suited to that role?

 

Evan Dumas

Mhm.

 

Liath Dalton

And it does not need to be a clinician. 

 

Evan Dumas

No.

 

Liath Dalton

It can be an admin or practice manager. The primary requirements for what are going to make a good security officer are, I mean, having a degree of tech comfortability is very useful.

 

Evan Dumas 

Yeah.

 

Liath Dalton  

It doesn’t have to be expertise, 

 

Evan Dumas

Oh, no.

 

Liath Dalton

but comfortability is really helpful. And then, that they have a leadership position. And by that I mean that they have, or you are, as the practice owner, comfortable in bestowing upon them authority and decision making power sufficient to the level that’s necessary for them to be the security officer. 

 

Evan Dumas

Mhm.

 

Liath Dalton

And that they have the appropriate levels of access, like admin access, to each of the systems that they need to be administering and having oversight of as the security officer. And then really another factor to consider is the kind of dynamic between that team member and other team members in the practice. The security officer needs to be someone that the team respects. And, you know, we’re all kind of avoidant of hierarchical systems and imposing authority. 

 

Evan Dumas

Mhm.

 

Liath Dalton

But the reality is, when it comes to HIPAA compliance and risk management, you do need an authority figure, do need that hierarchy in place. And so selecting someone who will be comfortable in that role and whom the rest of the team will respect in that role is another thing to consider.

 

Evan Dumas

Yeah.

 

Liath Dalton

Now, who’s going to be best suited to that is going to vary practice to practice. But hopefully those kind of key points to consider are helpful in determining who amongst your team would be the right fit for that. Or if you’re in a growth and expansion phase, you might start to think of, as you are hiring and onboarding new team members, having some of the qualities related to this role be something that you look for when you’re evaluating candidates. 

 

Liath Dalton

Now, another really significant question that we get around designating the security officer role is how much time does this role take, how much needs to be allocated? 

 

Evan Dumas

Yeah.

 

Liath Dalton

Like, is it a full time role? Can it be a fractional role? And then, adjacent to that, is it a role that I can outsource?

 

Evan Dumas

Ah, yeah. 

 

Liath Dalton

That I can just hire someone else, like a firm, to be my practice’s HIPAA security officer? So we’ll work backwards from there. And the answer is no. The security officer role cannot be outsourced. 

 

Evan Dumas

No.

 

Liath Dalton

It must be fulfilled by a workforce member of the HIPAA covered entity organization, and that’s for very practical and reasonable reasons, right?

 

Evan Dumas

Mhm.

 

Liath Dalton

The security officer needs to have detailed knowledge and familiarity with the day to day operations of the practice. How PHI is coming in, how it's being handled within the practice, and then how it flows out of the practice. They need to have access to all the PHI containing systems and the ability to oversee them. And part of the security officer's role is responding to emergent situations where a security, a potential security incident, has occurred and needs to be investigated to determine if it rises to the level of a breach and breach response protocols need to be engaged, or determining that, no, it was not a breach. But, you know, going through the process to contain whatever the incident was. And to be able to do that, it must be someone who is within the practice.

 

Liath Dalton

So the role itself can’t be outsourced, but the security officer can be very supported in their role by outside expertise and resource. And availing themselves of those available resources and experts and consultation. 

 

Evan Dumas

Yeah.

 

Liath Dalton

And what the need for that looks like can vary practice to practice and security officer to security officer. But that is one area where PCT plays a very supportive role to the practices and their security officers that we work with. Because we do, you know, Evan, what would you list as some of the key examples of ways where we're doing some of the heavy lifting and playing a key supportive role for security officers?

 

Evan Dumas

Oh, yeah. Well, apart from the consultation, when they encounter a strange thing and ask us questions and we do the research for them, we will do things like, oh, you have a training requirement? Here, we have trainings you can assign to folks that will provide education. Or here, you have to get people's devices up to Safe Harbor standards, and you don't know what Safe Harbor standards are, much less how to get up to them: we've got trainings on that. We've got documentation that people will fill out because documentation wasn't done. We've got policies, even, if you need help with those. So we've got a lot of the paperwork-y, help-y, fiddly bits that security officers can really benefit from outsourcing, from getting, like getting from someone else, and then implementing themselves.

 

Liath Dalton  

Yes, and agreed on each of those points. I would add in as well that, one of the hats that you wear, Evan, as our chief risk analysis and risk mitigation planning, 

 

Evan Dumas

True, I do that thing.

 

Liath Dalton

performer. 

 

Evan Dumas

Yeah.

 

Liath Dalton

That’s actually one of the areas where we can do the most significant heavy lifting.

 

Evan Dumas 

Definitely, yeah. It is a full look. In fact, I did one this morning, a full look at your practice’s HIPAA compliance, where you stand in this moment, and it’s an annual thing. And we look at both behaviors and policy. And you know, it’s, yes, no, I don’t know. And it’s a really good, like, expose your unknown unknowns, so that you can get to work on them afterwards.

 

Liath Dalton  

Exactly. And the way that we do that is, initially, it is done as a consultant-performed service, and then you also receive ownership of our risk analysis tool.

 

Evan Dumas

Exactly.

 

Liath Dalton

Which was specifically created for mental health group practices, and then you are able to utilize that to self-perform future risk analyses as wanted and needed.

 

Evan Dumas

Mhm. It’s really easy.

 

Liath Dalton

So one way that a security officer is supported is that we do that initial big risk analysis for them, for your practice, and then having gone through that process and having the literal tool, they then are able to very easily continue on with maintaining the meeting of the risk analysis requirement. 

 

Liath Dalton

That's just a little aside on how the kind of full weight and responsibilities and the biggest time demand factors for a security officer can be significantly lessened by utilizing good support sources.

 

Liath Dalton

Now getting back to, with all that said, as you’re looking to designate this role and evaluating the time commitment that it’s going to entail, because that’s also certainly going to inform who is able to fulfill that role. 

 

Liath Dalton

We get the question so frequently of how much time does it take? And of course there is a big continuum for what the amount of time the security officer role entails. 

 

Evan Dumas

Yeah, oh yeah. 

 

Liath Dalton

It’s going to be based on practice size and complexity, and, kind of how close to formal compliance you are, or aren’t, when starting the process. So the typical answer that we will give is if a practice is working with us, using the PCT resources and support for group practices, and using our customizable template materials and project plan and so on, that the initial establishment of the security compliance program in a practice is going to take kind of an average of 3 months, if the security officer has 1 to 2 hours to devote to the tasks related to that process each week. 

 

Evan Dumas

Yeah.

 

Liath Dalton

Now, we’ve had some practices do it in a more compressed time frame. 

 

Evan Dumas

Yep.

 

Liath Dalton

And some take longer.

 

Evan Dumas

Yep.

 

Liath Dalton

But that's kind of a good point, to give a sense of what's reasonable. And we like that timeframe in terms of kind of pacing and cadence, because it's not too disruptive and onerous. It leaves space for the change management components that go along with it as well. And then once you have full formal compliance in place, meaning you have adopted and implemented policies and procedures which address each of the Security Rule standards and, by implemented, we mean you're following those in practice, and have your team trained on those as needed, then it's a matter of maintenance.

 

Evan Dumas

Mhm.

 

Liath Dalton

And generally, the maintenance tasks can be kind of estimated to be not more than about an hour per week on average. So not too onerous, very much a fractional role, right? 

 

Evan Dumas

Mhm, yeah.

Liath Dalton

Now, of course, we need to also take into account that there can be time periods where there's going to be a bit of a burst in that amount of time. That's why it's an average. Like, if there is a security incident that occurs and you need to do investigation and containment and response and all of that, there will be a burst. So you do want to, as you're kind of forecasting capacity and resource allocation and such, take into account that there may be situations where that kind of burst is necessary. And have the ability of either the security officer or deputy security officer to be responsive in those emergent situations be factored in.

 

Evan Dumas

Yeah, definitely. 

 

Liath Dalton  

Right. And those really are the main pieces around making a well thought out decision on designating the security officer.

 

Evan Dumas

Yeah.

 

Liath Dalton 

Is there anything else you would add, Evan?

 

Evan Dumas

Hmm. I think, also inquire if there's interest. Because compliance isn't everyone's bag. But if you have someone who very much likes that rigidity, likes rules, likes juggling a few things, and putting things into writing, and being the sort of go-to person for these how-tos, even that interest can be really vital in the process. Because if someone just balks and their eyes just glaze over, no. Ah, not a good thing. They may have skills elsewhere, which is great, but probably not a good fit for a security officer.

 

Liath Dalton 

Right. That’s a very, very good point. And just because someone is tech comfortable doesn’t mean that the more detailed pieces of what this role entails are going to be a fit. 

 

Evan Dumas

Yeah, exactly.

 

Liath Dalton

So ideally, we want that paired with tech comfortability and, I think, a useful quality as well is someone who's kind of grounded in the face of challenges or emergent situations, and is not the highest anxiety level team member on your team.

 

Evan Dumas

No, you don’t want a reactive person. No.

 

Liath Dalton 

Yes. Someone who gets really jazzed about being able to be proactive rather than reactive would be a good candidate for the role. Of course, reactivity is part of it. But the idea being that if you're proactive, then you've got the peace of mind in place that when something goes awry, you know exactly what to do and are equipped to do it, and then you're good to go.

 

Evan Dumas

Mhm. Yeah, exactly.

 

Liath Dalton 

And last but not least, I should mention that one of the role-based trainings that we provide is our Security Officer Endorsement Training Program, which basically goes over the conceptual framework of HIPAA, and the ethics standards that relate to HIPAA security compliance and the security officer role. And then looks in very practical terms, at what fulfilling the security officer role and administering the security compliance program in a group practice entails and the sort of day to day and ongoing pieces of that. So once you’ve decided who is going to be wearing the security officer role, that resource is available to help equip them to thrive in it.

 

Evan Dumas

Yeah. Yeah. Yeah.

 

Liath Dalton 

Well, thanks for joining us. We hope you found this helpful and stay tuned for our next chat.

 

Evan Dumas

Yeah, talk to you next time, everybody.

 

Liath Dalton  

This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.

 

Your Hosts:

PCT’s Director Liath Dalton

Senior Consultant Evan Dumas

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we discuss what to consider when designating your security officer in a mental health group practice.

We discuss:

  • What a security officer is
  • The difference between a security officer and a privacy officer and what each is responsible for
  • Who can be a security officer, and whether the role can be outsourced
  • The qualities to look for when appointing a security officer or deputy security officer
  • The time commitment required to be a security officer
  • How PCT’s resources can help your practice’s security officer

Therapy Notes proudly sponsors Group Practice Tech!

TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.

*Please note that this offer only applies to brand-new TherapyNotes customers

Resources for Listeners

PCT Resources:

 

Group Practices

Get more information about how PCT can help you reach HIPAA compliance while optimizing and streamlining your practice.

Solo Practitioners

Get more information about how PCT can help you reach HIPAA compliance while optimizing and streamlining your practice.
