HIPAA Compliance Officer — Role & Requirements (2026)

HIPAA requires a privacy and security officer. For small practices, one person can fill both roles. Here is what the position requires and how to manage it.

Angie Perrin·April 15, 2026·7 min read

HIPAA requires every covered entity to designate two roles: a Privacy Officer under the Privacy Rule (§164.530(a)(1)) and a Security Officer under the Security Rule (§164.308(a)(2)). These can be — and frequently are — the same person. For independent healthcare practices, the practice owner or office manager typically fills both roles. There is no requirement for a dedicated full-time position, no minimum credential, and no specific job title mandated by the regulation. What HIPAA requires is a named individual who is responsible. That matters, because the most common OCR finding in enforcement actions is that no one was ever formally designated at all.

What the Privacy Officer Does

The Privacy Officer owns the development, implementation, and enforcement of the practice's privacy policies under the HIPAA Privacy Rule. This is not a ceremonial title. Core responsibilities include:

Policy development and maintenance. Written privacy policies that reflect how your specific practice collects, uses, discloses, and safeguards PHI. These must be practice-specific — not generic templates.

Patient access requests. Managing requests for medical records, copies of PHI, or accountings of disclosures. The Privacy Rule gives you 30 days to respond, with one 30-day extension if needed.

Complaint management. A documented process for receiving, investigating, and resolving patient complaints about PHI handling — with protections against retaliation.

Workforce training. Ensuring every workforce member who handles PHI receives privacy training at hire and at regular intervals, with documented completion.

Notice of Privacy Practices. Maintaining the practice's NPP, distributing it to patients, and updating it when privacy practices change.

What the Security Officer Does

The Security Officer owns the practice's security policies under the HIPAA Security Rule. Where the Privacy Officer focuses on how PHI is used and disclosed, the Security Officer focuses on how ePHI is protected from unauthorized access, alteration, and destruction.

Risk assessments. The single most important responsibility — and the most cited deficiency in OCR enforcement actions. The Security Officer must ensure that a thorough assessment of risks and vulnerabilities to ePHI is conducted, documented, and updated at least annually.

Security safeguards. Implementing the administrative, physical, and technical safeguards required by the Security Rule — access controls, audit logging, encryption, workstation security, device management, and facility access controls.

Access controls. Determining who accesses what ePHI, enforcing minimum-necessary standards, and ensuring access is revoked immediately upon termination or role change.

Incident response. Maintaining a documented incident response plan, leading investigations when security incidents occur, and managing breach notification within the required 60-day window.

Technical compliance. Ensuring systems, software, and devices meet Security Rule requirements — encryption at rest and in transit, unique user identification, automatic logoff, transmission security.

Can One Person Do Both?

Yes. And for independent practices with fewer than ten employees, one person almost always does both. HIPAA does not require separate individuals. It requires separate designations — meaning you must formally document that a specific person is responsible for privacy and that a specific person is responsible for security, even if both designations point to the same name.

For solo practitioners, this means designating yourself. That may feel redundant, but the regulation is clear: the designation must exist and be documented. A solo dentist who never formally designates a Privacy and Security Officer is technically noncompliant, even if they personally handle every aspect of compliance.

For small group practices, the office manager is the most common choice. They already manage workflows, vendor relationships, and staff operations — compliance oversight is a natural extension.

What this looks like in practice: a written document stating the name, title, date of appointment, and scope of responsibilities for the Privacy Officer and the Security Officer. Keep it in your compliance documentation. Update it when the designated person changes.

HIPAA Compliance Officer Certification

There is no government-required certification for HIPAA compliance officers. The HIPAA Privacy Rule and Security Rule do not mandate any specific credential, degree, or training program for the designated officer. Anyone can serve in the role. What matters is that they understand the requirements and can demonstrate compliance.

That said, professional certifications exist and can be valuable for demonstrating competence:

CHPC (Certified HIPAA Privacy Consultant) — Demonstrates expertise in HIPAA Privacy Rule requirements, patient rights, and privacy policy development. Issued by the National Association for HIPAA Compliance (NAHC).

CHSE (Certified HIPAA Security Expert) — Demonstrates expertise in HIPAA Security Rule requirements, risk assessment methodology, and technical safeguards implementation. Also issued by NAHC.

CHC (Certified in Healthcare Compliance) — A broader healthcare compliance credential issued by the Health Care Compliance Association (HCCA). Covers HIPAA along with fraud, abuse, and other regulatory domains.

These are professional development credentials. They certify the knowledge of an individual — not the compliance status of a practice. They can be useful for office managers who want structured training or for consultants serving multiple practices. But they are not required by law, and holding a certification does not make a practice compliant.

For most independent practices, the better investment is a compliance platform that guides the designated officer through the actual requirements rather than a credential that certifies theoretical knowledge without operational follow-through.

Common Mistakes for Small Practices

These are the errors OCR identifies most frequently in enforcement actions involving compliance officer designations:

Never formally designating a Privacy or Security Officer. The number one finding. Practices assume that because someone informally handles compliance, the requirement is met. It is not. The designation must be formal and documented.

Assuming the EHR vendor handles this role. Your EHR vendor is not your Security Officer. They may provide a platform that supports compliance, but the regulatory responsibility belongs to a named individual at your practice.

Not documenting the appointment. Verbal designations do not satisfy the requirement. OCR asks for evidence. If there is no written record, there is no way to demonstrate compliance during an investigation.

Not training the designated officer. Appointing someone is necessary but not sufficient. The designated individual must understand what HIPAA requires — the Privacy Rule, the Security Rule, breach notification obligations. An untrained officer is a liability, not a safeguard.

Not updating the designation when staff changes. When the designated officer leaves, the designation does not transfer automatically. You must formally appoint the new officer and document the change.

How Patient Protect Handles the Operational Burden

Designating a HIPAA compliance officer is a regulatory requirement that no platform can eliminate. Someone at your practice must be named. But the operational burden that falls on that person — the risk assessments, policy maintenance, training tracking, BAA management, incident response coordination — is exactly what Patient Protect automates.

Risk assessments. Guided security risk assessments mapped to every Security Rule requirement. Your officer clicks through the assessment rather than building one from scratch.

Policy generation. Practice-specific HIPAA policies generated based on your actual workflows and technology. Your officer reviews and approves — not drafts from a blank page.

Training tracking. Automated assignment and tracking of workforce HIPAA training with documented proof of completion ready for any audit.

BAA management. Centralized tracking of every business associate agreement — status, expiration, coverage.

Incident response workflows. Guided procedures that walk your officer through detection, investigation, containment, and notification when a security incident occurs.

The officer still needs to be designated. The work still needs to happen. But the infrastructure — systems, tracking, documentation, evidence — is handled by the platform. Starting at $39/month with no long-term contract.

Frequently Asked Questions

Does HIPAA require a compliance officer?

Yes. The Privacy Rule (§164.530(a)(1)) requires a designated Privacy Officer, and the Security Rule (§164.308(a)(2)) requires a designated Security Officer. These are mandatory. However, HIPAA does not require a dedicated full-time position — the role can be assigned to any workforce member, including the practice owner.

Can the practice owner be the HIPAA compliance officer?

Yes. There is no restriction on who can serve as the Privacy Officer or Security Officer. Practice owners, office managers, clinical directors, and lead administrators all commonly serve in these roles at independent practices. The only requirement is that the designation is formal and documented.

What certification does a HIPAA compliance officer need?

None, legally. HIPAA does not require any specific certification, credential, or degree. Professional certifications like CHPC, CHSE, and CHC exist and can demonstrate competence, but they are not mandated by the regulation. What matters is that the designated individual understands the requirements and can operationalize them.

What is the HIPAA compliance officer salary?

For independent practices, the compliance officer role is almost never a standalone paid position. It is an additional responsibility assigned to an existing workforce member — typically the office manager or owner. At larger organizations where the role is dedicated full-time, salaries range from $60,000 to $120,000 depending on size, location, and scope. For independent practices, the relevant cost is not a salary — it is the time and tools required for the designated person to manage compliance effectively.

What happens if we do not designate a compliance officer?

Failure to designate a Privacy Officer or Security Officer is itself a HIPAA violation and one of the most common OCR enforcement findings. Without a designated officer, there is no individual accountability for privacy and security policies, no clear ownership of risk assessments and incident response, and no documentation trail. If OCR investigates and finds no formal designation, it signals systemic noncompliance and increases the likelihood of corrective action plans and financial penalties.