HIPAA Privacy Officer: Required Duties + Job Description Template (2026)
9 min read · Last reviewed May 23, 2026
The HIPAA Privacy Officer is a designated official required by 45 CFR § 164.530(a)(1)(i), responsible for developing and implementing the practice's privacy policies and procedures, handling complaints, managing the Notice of Privacy Practices, overseeing training, supervising patient access and accounting of disclosures, and coordinating breach response. The role can be combined with the Security Officer at § 164.308(a)(2) and can be a part-time function in a small practice if the designation, authority, and time are documented.
What auditors actually want
In our analysis of 400+ d3rx client binders, the Privacy Officer artifacts that survive OCR scrutiny share four traits. First, a written designation signed by the practice owner naming the individual, the role, the reporting line, and the allocated authority. Second, a job description that enumerates the specific duties at § 164.530 (a)-(j). Third, a documented training history specific to the Privacy Officer role (not just general workforce training). Fourth, evidence of actual performance — meeting minutes, complaint logs, incident reviews, NPP revisions, training rosters signed off by the Privacy Officer.
OCR's Audit Protocol asks for the Privacy Officer designation as one of the first artifacts. The pattern that fails: a name on a policy document with no job description, no authority statement, and no evidence the named person actually performed Privacy Officer functions in the last 12 months.
The required entities to name in a credible Privacy Officer discussion: HHS Office for Civil Rights (OCR), the Privacy Rule at 45 CFR Part 164 Subpart E, the administrative-requirements section at § 164.530, the Security Officer requirement at § 164.308(a)(2), the breach notification rule at § 164.404, and the OCR Audit Protocol.
What the role actually requires
The Privacy Rule at § 164.530 names ten administrative requirements that, taken together, are the Privacy Officer's job description. Each maps to a duty:
| Requirement | Citation | Privacy Officer duty | |---|---|---| | Designation of Privacy Officer | § 164.530(a)(1)(i) | Maintain own designation; document successor | | Contact for complaints | § 164.530(a)(1)(ii) | Receive and resolve complaints; maintain complaint log | | Workforce training | § 164.530(b) | Develop, deliver, and document training | | Safeguards | § 164.530(c) | Maintain administrative, physical, and technical safeguards | | Complaints | § 164.530(d) | Process for receipt, investigation, response | | Sanctions | § 164.530(e) | Apply sanction policy to workforce violations | | Mitigation | § 164.530(f) | Mitigate harm from any known unauthorized disclosure | | No retaliation | § 164.530(g) | Anti-retaliation protections for complaints | | No waiver of rights | § 164.530(h) | Patients cannot be required to waive rights | | Policies and procedures | § 164.530(i) | Develop, implement, maintain P&P; update on material change | | Documentation retention | § 164.530(j) | Retain HIPAA-required documentation for 6 years |
Layer onto these the duties from other parts of the Privacy Rule the Privacy Officer typically owns: the Notice of Privacy Practices (NPP) at § 164.520, the patient right of access at § 164.524, accounting of disclosures at § 164.528, amendments at § 164.526, and breach notification at § 164.404.
The job description template
The template below is the copy-paste version for a small to mid-size practice. Replace the bracketed fields and have the practice's counsel review before adoption.
``` JOB DESCRIPTION — HIPAA PRIVACY OFFICER
Practice: [Legal entity name] Reporting line: Reports to [Practice owner / CEO / Practice Administrator] Status: [Part-time within combined Office Administrator role / Full-time / Combined Privacy and Security Officer role] Allocated time: Approximately [X] hours per month for Privacy Officer functions, with surge capacity for incident response and audit response. Authority: Authorized to access any record, system, or workforce member to investigate a privacy concern; authorized to halt any practice activity that creates an unresolved Privacy Rule risk pending review.
POSITION SUMMARY The HIPAA Privacy Officer is the designated official under 45 CFR § 164.530(a)(1)(i) responsible for the development, implementation, and ongoing maintenance of the practice's privacy program. The role is the named contact for patient complaints, the lead on breach assessment and notification, the owner of the Notice of Privacy Practices, the supervisor of workforce training, and the practice's primary point of contact with the HHS Office for Civil Rights for any audit, complaint, or investigation.
CORE DUTIES
- Designation and authority
- Maintain the written Privacy Officer designation and reporting line.
- Maintain documented authority to investigate, halt, and escalate.
- Notice of Privacy Practices (45 CFR § 164.520)
- Maintain the current NPP, available in print at the practice and
posted on the practice website.
- Obtain and retain signed NPP acknowledgements at first encounter.
- Revise the NPP when policies materially change, post the
revised notice at the practice and on the website, and make it available on request per 45 CFR § 164.520(c)(1)(v). (The 60-day redistribution rule applies to certain health plans under § 164.520(c)(1)(i)(C), not to direct-treatment providers.)
- Patient rights (§ 164.524, .526, .528)
- Respond to patient access requests within 30 days (15 days if
state law is stricter, e.g., California and Texas).
- Process amendment requests under § 164.526.
- Maintain the accounting-of-disclosures log per § 164.528.
- Support restriction requests under § 164.522.
- Workforce training (§ 164.530(b))
- Develop or adopt training appropriate to roles.
- Schedule training at hire and annually.
- Maintain the workforce training log with required columns.
- Trigger re-training on material change in policies or operations.
- Policies and procedures (§ 164.530(i))
- Develop and maintain written privacy and security P&P.
- Review at least annually and on material change.
- Document the date and scope of every revision.
- Complaints (§ 164.530(d))
- Be the named contact for patient and workforce complaints.
- Investigate and document every complaint.
- Respond to the complainant within a reasonable time.
- Maintain the complaint log; retain for six years.
- Breach assessment and response (§ 164.402, .404, .406, .408, .410)
- Receive every suspected-breach report from workforce or BAs.
- Perform the four-factor risk assessment.
- Coordinate notification of individuals, HHS, and (where required)
media within the statutory windows.
- Maintain the breach log and the annual HHS submission for
breaches affecting fewer than 500 individuals.
- Sanctions (§ 164.530(e))
- Apply the sanction policy to workforce violations.
- Maintain the sanction record.
- Coordinate with HR on employment-side actions.
- Mitigation (§ 164.530(f))
- Take reasonable steps to mitigate any known harmful effect of a
use or disclosure in violation of policies or law.
- Coordination with Security Officer (§ 164.308(a)(2))
- Coordinate or hold the combined role.
- Co-own the annual Security Risk Analysis and remediation tracker.
- Co-own vendor BAA inventory and exclusion screening.
- State-law coordination
- Apply state-specific Privacy and breach-notice rules in addition
to HIPAA (CMIA, HB 300, SHIELD, FIPA, MHMDA as applicable).
- Coordinate state-AG and state-DOH notifications where required.
- Regulator and audit response
- Serve as primary point of contact for OCR, state AG, and CMS
inquiries.
- Coordinate with outside counsel on any audit or investigation.
QUALIFICATIONS — MINIMUM
- Knowledge of HIPAA Privacy and Security Rules.
- Completed HIPAA Privacy Officer-level training (initial + annual).
- Demonstrated ability to maintain confidentiality.
- Demonstrated documentation and record-keeping discipline.
QUALIFICATIONS — PREFERRED
- Certification: CHPC, CHC, CIPP/US, or equivalent.
- Prior privacy or compliance experience.
- Familiarity with the practice's EHR and workflows.
TIME COMMITMENT
- Routine duties: approximately [X] hours per month.
- Annual: full P&P review, annual training rollout, SRA review.
- Surge: incident response and audit response as needed.
ACKNOWLEDGEMENT
- This designation is effective [Date].
- Signed by Privacy Officer: ________________________
- Signed by Practice Owner / CEO: ___________________
```
How to use this template
Step 1: Identify the person. In a small practice, this is typically the practice administrator, office manager, or in a single-physician practice, the physician owner themselves with a designated alternate. Document the choice and the rationale.
Step 2: Execute the designation. Both the Privacy Officer and the practice owner sign the document. File in the binder under "Designations." Distribute a copy to the workforce so every staff member knows the named contact.
Step 3: Allocate the time. Block the calendar — monthly Privacy Officer hours, quarterly review meeting with leadership, annual P&P review. A Privacy Officer with no calendar time is the most common failure mode.
Step 4: Document the training. The Privacy Officer needs Privacy Officer-level training, not just workforce baseline. Initial training when designated, annual refresh thereafter. File certificates in the binder.
Step 5: Build the operational artifacts. The Privacy Officer's work product — the complaint log, the breach log, the sanction record, the training roster, the NPP — lives in the binder. The role is judged by its artifacts.
What goes wrong
The five recurring defects in d3rx's review:
- Designation by policy, not by document. The P&P names "the Privacy Officer" without ever identifying who that is in writing.
- Successor not documented. The named Privacy Officer leaves the practice; no one is designated for 6-12 months.
- Job description absent. The role is named but the duties are not enumerated, so when something goes wrong no one knows whose responsibility it was.
- No allocated time. The Privacy Officer holds the title but has no calendar time, so cadence-dependent duties (monthly LEIE, quarterly access review, annual NPP refresh) drift.
- Combined-role authority muddled. The same person is Privacy and Security Officer but only the Privacy Officer designation exists in writing, so the Security Rule designation is technically absent.
Maintenance cadence
- At designation: signed document, training initiated, calendar time allocated.
- Monthly: complaint log review, exclusion screening, BAA tracker review.
- Quarterly: access reviews, patient-rights log review, sanction record review, leadership meeting.
- Annually: full P&P review, NPP review, training rollout, SRA leadership sign-off, designation reaffirmation.
- At succession: new designation signed before predecessor's departure; transition meeting with leadership and counsel.
State preemption note: California Health & Safety Code § 123110 imposes stricter patient-access turnaround — inspection within 5 working days and transmission of copies within 15 days. Texas HB 300 imposes a 90-day new-hire training window the Privacy Officer enforces. New York SHIELD requires reasonable safeguards the Privacy Officer documents. Florida FIPA imposes breach-notice obligations to the state Department of Legal Affairs. Layer these on the federal duties in the job description.
How d3rx fits
The d3rx compliance binder provides the operational scaffolding the Privacy Officer uses to do the job: complaint log, breach log, sanction record, training roster, NPP versioning, BAA tracker, SRA findings, and dated audit-ready evidence. It is an administrative documentation aid, not a substitute for the human Privacy Officer or for counsel. The practice remains responsible for designating, training, empowering, and supervising the role.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — HIPAA Privacy Officer: Required Duties + Job Description Template (2026). We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
Can my office manager also be the Privacy Officer in a small practice?
Yes. The Privacy Rule at [45 CFR § 164.530(a)(1)(i)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530) requires a designated Privacy Officer but does not require a dedicated, full-time role. OCR has explicitly stated the role can be combined with other duties in a small practice. The combination most often seen and approved: practice administrator or office manager as Privacy Officer, with a documented job description, allocated time (often 5-10 hours per month), and the authority to escalate to ownership when needed.
Can the same person be both Privacy Officer and Security Officer?
Yes, and this is the most common arrangement in practices under 50 staff. The Privacy Rule at § 164.530(a) and the Security Rule at [45 CFR § 164.308(a)(2)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308) each require a designated official; nothing prohibits a single person from holding both designations. Document the combined role in writing — separate job-description sections for each function so the authority chain is auditable.
Does the Privacy Officer need a specific certification like CHPC or CIPP/US?
No. HIPAA does not require any specific credential for the Privacy Officer. OCR's enforcement record does not cite the absence of certification. What OCR does cite is the absence of training appropriate to the role, the absence of documented authority, and the absence of evidence the Privacy Officer actually performed the required functions. A credentialed Privacy Officer is a plus; an uncredentialed Privacy Officer with documented training and active duties is fine.
What happens if there is no designated Privacy Officer on the day of an OCR audit?
OCR's audit protocol asks for the written designation of the Privacy Officer as one of the first artifacts. Absence is a Privacy Rule violation under § 164.530(a)(1)(i) and is cited as an aggravating factor in CMP and Resolution Agreement determinations. North Memorial Health, Anchorage Community Mental Health, and Cancer Care Group each had Resolution Agreements where the missing or deficient Privacy Officer designation contributed to penalty escalation. Designation is a two-page document — the cost of getting this wrong is enormous relative to the cost of getting it right.
How much time does the Privacy Officer role actually take in a small practice?
In our analysis of 400+ d3rx client binders, the maintained Privacy Officer function runs 5-15 hours per month for a 1-5 provider practice, 15-30 hours per month for 5-20 providers, and a near-full-time role at 30+ providers. The biggest swings come from incident response (a single suspected breach can absorb 20-40 hours) and OCR audit response. Allocate the time formally — a Privacy Officer who only has 'extra time after other duties' fails on cadence-dependent tasks like quarterly access review and monthly exclusion screening.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 45 CFR § 164.530(a)(1)(i)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530
- Audit Protocolhttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html
- Notice of Privacy Practices (NPP)https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/privacy-practices-for-protected-health-information/index.html
- patient right of accesshttps://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related across the archive
- SRAHIPAA Policies and Procedures: What a Small Practice Actually NeedsWhat 45 CFR 164.316 and 164.530(i) require for HIPAA policies and procedures, the minimum set a small practice should maintain, and how to keep them current without bloat.
- SRAHIPAA Security Rule vs Privacy Rule: A Plain-English MapWhat the Security Rule at 45 CFR Part 164 Subpart C does, what the Privacy Rule at Subpart E does, where they overlap, and which rule the SRA actually answers to.
- SRAThe HIPAA Breach Notification Rule, ExplainedThe four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).
- SRAHIPAA Training Requirements for a Small PracticeWhat 45 CFR 164.530(b) and 164.308(a)(5) require for HIPAA workforce training, plus a realistic cadence and documentation approach for a small practice.
- SRAOCR Audit Protocol: What Small Practices Should ExpectHow the HHS Office for Civil Rights HIPAA Audit Protocol is structured, what OCR has publicly announced about the audit program restart, and how a small practice prepares its binder against the protocol's audited elements.
- GlossaryJoint Notice (Privacy Practices)A single Notice of Privacy Practices used by multiple legally-separate covered entities operating as an Organized Health Care Arrangement.
- RegulationHIPAA Privacy Rule Administrative Requirements (45 CFR 164.530)Designated privacy official, workforce training, safeguards, complaint process, sanctions, mitigation, anti-retaliation, anti-waiver, documentation, and policies and procedures.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.