
A practical starting point for the person who has been asked to “handle HIPAA security.”
You are the HIPAA Security Officer. What does this mean? What are your responsibilities, and what have you actually been able to do about them? If your honest answer is, “I am not completely sure,” you are not alone. Many people assigned to this role are capable, responsible, and well-intentioned. The problem is that good intentions do not automatically create a HIPAA security program. People cannot act on responsibilities they have never been trained to understand.
If you are a manager, what does this mean as related to the HIPAA Security Officer and your organization? It means you should not assume that assigning a title is the same thing as building a program. A HIPAA Security Officer needs access to leadership, time to complete the work, authority to ask questions, and support when the assessment identifies uncomfortable gaps. Without that support, the Security Officer may become the person blamed for a program that no one gave them the tools to manage.
Why this information is important
The HIPAA Security Risk Assessment, often called an SRA or HIPAA Security Risk Analysis, is not just a document. It is the baseline for understanding how electronic protected health information, or ePHI, is created, received, maintained, and transmitted across your organization. The SRA should help answer basic but critical questions: Where is ePHI? Who can access it? What systems hold it? What could go wrong? What safeguards are already in place? What still needs to be fixed?
The HIPAA Security Officer is the person who helps turn those questions into an organized process. That does not mean the Security Officer must be an IT expert, attorney, or cybersecurity engineer. It does mean the person must understand enough about the HIPAA Security Rule to coordinate the work, keep records, involve the right people, and make sure findings are not ignored after the assessment is completed.
What is actually expected under this topic
At a practical level, the HIPAA Security Officer should help coordinate policies and procedures, workforce training, user access reviews, device and system oversight, vendor questions, incident response planning, and the security management plan. The role is also connected to documentation. If a risk is identified, there should be a record of who reviewed it, what decision was made, what action was assigned, and how progress will be tracked.
This is where many organizations struggle. A person may be listed as the HIPAA Security Officer, but no one has explained what that person should monitor each month, which policies should be reviewed, how to document tasks, or how to connect the SRA findings to real corrective action. When this happens, the organization may look organized on paper but remain exposed in practice.
EPI Compliance can help simplify these day-to-day responsibilities by giving the Security Officer and compliance team a practical place to work from. Instead of starting from a blank page, the console provides template policies, forms, and monthly task reminders that help the team document what it is doing. That structure matters because compliance often fails not because people do not care, but because no one has an organized system for keeping the work moving.
If you are an executive manager, ask these questions
Manager Questions
☐ Who is our HIPAA Security Officer, and is that designation documented in writing?
☐ Has this person received training specific to the HIPAA Security Officer role?
☐ Does this person have time, authority, and leadership access to perform the role?
☐ When was our last HIPAA Security Risk Assessment completed, and what did it identify?
☐ Are SRA findings being tracked through a security management roadmap?
☐ Do we have documentation showing monthly compliance tasks, policy reviews, security reminders, and follow-up?
What you can do now
The best first step is not to pretend everything is already under control. The better step is to create a clear baseline. Have at least one team member complete the Certified HIPAA Security Officer (CHSO) course and test so that someone inside the organization understands the role, the language, and the responsibilities. Then contact a qualified third party, such as Taino Consultants, to conduct the SRA process from the beginning. The SRA gives you the baseline. The CHSO training helps your team understand how to use that baseline. Together, they turn confusion into a roadmap.
Quick Checklist
☐ Identify the person responsible for HIPAA security in writing.
☐ Give that person leadership access, protected time, and real authority.
☐ Have at least one team member complete the CHSO course and test.
☐ Use EPI Compliance templates, forms, and monthly task reminders to organize ongoing work.
☐ Contact a third party, such as Taino Consultants, to conduct the SRA process from the beginning.
☐ Use the SRA results as the baseline for your security management roadmap.
“Clarity turns responsibility into action.”
If your HIPAA Security Officer has been trying to manage the role without a roadmap, this is a good time to support that person. EPI Compliance can help organize the monthly work, while Taino Consultants can help establish the SRA baseline your team needs to move forward with confidence.
About Dr. Jose I. Delgado
Dr. Jose I. Delgado is the founder and CEO of Taino Consultants, a veteran-owned, 8(a) graduate healthcare IT consulting firm based in St. Augustine, Florida. With over 30 years of experience in healthcare compliance and government contracting, Dr. Delgado has helped organizations navigate HIPAA, MACRA/MIPS, and federal IT security requirements.
Need help with healthcare compliance?
Taino Consultants provides HIPAA compliance consulting, MACRA/MIPS compliance support, and healthcare IT modernization services for government and private healthcare organizations.