HIPAA Security Officer: Required Duties + Job Description Template
7 min read · Last reviewed May 23, 2026
A HIPAA Security Officer is a workforce member that a covered entity designates in writing to be responsible for developing and implementing its security policies and procedures, as required by 45 CFR § 164.308(a)(2). The role is a required administrative safeguard, owns the annual risk analysis, and is the single point of contact for OCR.
What HIPAA actually requires
The Security Officer designation lives at 45 CFR § 164.308(a)(2) — a required implementation specification, not addressable. The rule reads short: identify the security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule. There is no minimum credential, no minimum FTE, and no carve-out for small practices.
What is implied but not spelled out in that one sentence is the duty cluster. The Security Officer is the named owner of every other administrative safeguard in § 164.308: the risk analysis at (a)(1)(ii)(A), the risk management process at (a)(1)(ii)(B), the workforce sanction policy at (a)(1)(ii)(C), the information system activity review at (a)(1)(ii)(D), workforce training at (a)(5), contingency planning at (a)(7), and the security incident procedures at (a)(6). The Privacy Officer designation under 45 CFR § 164.530(a) is a parallel-but-separate appointment under the Privacy Rule.
The HHS Office for Civil Rights audit protocol — the OCR Audit Protocol last refreshed for the 2024-2025 audit cycle — asks for the written designation, the date it was made, and evidence of the duties being performed. The protocol does not ask for a job description, but most practices that fail this audit element fail because they cannot produce a current, dated document.
Template — Security Officer job description (copy-ready)
The duties block below maps line-for-line to the administrative safeguards in § 164.308 and is the version we file in client binders.
``` HIPAA SECURITY OFFICER Job Description — Effective [DATE]
REPORTS TO: [Practice Owner / Executive Director / Board] FLSA STATUS: [Exempt / Non-exempt] ROLE TYPE: [Full-time / Part-time / Fractional / Contracted]
POSITION SUMMARY The HIPAA Security Officer is the workforce member designated under 45 CFR § 164.308(a)(2) to develop, implement, and maintain the practice's electronic protected health information (ePHI) security program in accordance with the HIPAA Security Rule (45 CFR Part 164, Subpart C).
CORE DUTIES
- Risk analysis and risk management
- Conduct the Security Risk Analysis required by
§ 164.308(a)(1)(ii)(A); refresh on a periodic cadence and whenever the environment, technology, or workforce materially changes (annual refresh is the recommended working cadence).
- Maintain the risk management plan per § 164.308(a)(1)(ii)(B).
- Document remediation, retest, and residual risk acceptance.
- Policies, procedures, and documentation
- Author and maintain Security Rule policies per § 164.316.
- Retain documentation for at least six years from the later of
creation date or last effective date (§ 164.316(b)(2)(i)).
- Workforce security
- Define authorization, clearance, and termination procedures
per § 164.308(a)(3).
- Own access management and access establishment/modification
procedures per § 164.308(a)(4).
- Training and sanctions
- Deliver and document workforce security awareness training
per § 164.308(a)(5).
- Apply the workforce sanction policy per § 164.308(a)(1)(ii)(C).
- Security incident procedures
- Maintain the incident response plan per § 164.308(a)(6).
- Serve as the named contact for incident detection, response,
mitigation, and reporting.
- Contingency planning
- Maintain the data backup, disaster recovery, and emergency mode
operation plans per § 164.308(a)(7).
- Run an annual test of the contingency plan.
- Information system activity review
- Implement audit log review per § 164.308(a)(1)(ii)(D) and the
audit controls standard at § 164.312(b).
- Business associate management
- Maintain the Business Associate Agreement inventory per
§ 164.308(b) and § 164.314(a).
- Breach assessment and notification
- Lead the four-factor breach risk assessment per
45 CFR § 164.402 and coordinate notification under §§ 164.404, 164.406, and 164.408.
- Evaluation
- Perform the periodic technical and non-technical evaluation
required by § 164.308(a)(8) — periodic and in response to environmental or operational changes. We recommend an annual reaffirmation as the working cadence; HIPAA itself does not mandate annual evaluation by date.
AUTHORITY The Security Officer has authority to: enforce Security Rule policies across the workforce; require remediation of identified vulnerabilities; sign Business Associate Agreements on behalf of the practice; engage outside counsel, forensic, or breach-coaching support; and recommend workforce sanctions to the appropriate manager.
QUALIFICATIONS (Recommended, Not Required by HIPAA)
- Familiarity with the HIPAA Security Rule (45 CFR Part 164, Subpart C)
- Familiarity with NIST SP 800-66 r2 and NIST SP 800-30
- Experience with healthcare IT operations or compliance
- Recommended credentials: CISSP, HCISPP, CHPS, CHPC, or equivalent
TIME ALLOCATION The role requires sufficient allocated time to perform the duties above. For a sub-15-workforce-member practice the typical allocation is 0.10–0.25 FTE; for a 15–50-workforce-member practice 0.25–0.50 FTE.
DESIGNATION This individual is the official designated under 45 CFR § 164.308(a)(2). This designation is reviewed annually and reaffirmed in writing.
Designated: ___________________________ ___________________________ Security Officer (signature) Practice Owner / Executive
Date: __________________ ```
How to deploy
In our experience filing this designation in client binders, the deployment sequence that actually holds up to an OCR data request is short. First, paste the template into the practice's HR document set and tailor the time-allocation line to the practice size. Second, have the designated individual and the practice owner co-sign the bottom of the document on the same date. Third, file the signed PDF in the compliance binder under "Administrative Safeguards — Designations." Fourth, add a line to the annual review checklist that reads "Reaffirm Security Officer designation and re-sign if unchanged." Fifth, name the individual by name (not by title) in the corresponding Notice of Privacy Practices and on the workforce communication that goes out announcing the role.
The Privacy Officer designation under § 164.530(a) is a parallel document. Many small practices file them on a single page with two signature blocks.
Common gaps
What we see fail in practice is the role getting bolted onto the office manager's desk without authority, without time, and without a written designation. The five most common gaps:
- No written designation. The duties are happening (someone is running antivirus updates and reading the OCR newsletter) but the designation itself is verbal. OCR will ask for the document. If it does not exist, the practice gets cited on the easiest possible audit element.
- Designation is years out of date. The original Security Officer left the practice in 2019, the designation was never updated, and the binder still names them.
- No allocated time. A full-time front-desk lead is named as Security Officer with zero schedule allocation. The risk analysis, training, and incident response duties cannot be performed in the gaps between patient check-ins.
- No authority to enforce. The Security Officer has the title but cannot require the practice owner's spouse — also a workforce member — to enable MFA.
- No Business Associate Agreement with the fractional officer. A contracted Security Officer who touches ePHI without a signed BAA creates an avoidable exposure.
Maintenance cadence
Reaffirm the designation in writing every year as a recommended cadence; § 164.308(a)(8) itself requires periodic evaluation and updates after any environmental or operational change, not annual evaluation by date. Re-sign immediately when the designated individual changes. Update the role description if any duty above is reassigned. Keep the previous signed designation in the binder for at least six years per the retention requirement at § 164.316(b)(2)(i).
The Security Officer is the single name OCR will ask for first. A dated, signed, current designation in a binder is the cheapest audit-readiness move in the entire Security Rule.
How d3rx fits
The d3rx compliance binder generates the Security Officer designation, the Privacy Officer designation, the Security Rule policy set, the workforce sanction policy, the incident response plan, and the contingency plan in one pass, with the CFR citations inline and dated for the annual review. It does not replace the officer's judgment, and it does not certify the practice — the designated individual remains responsible for adopting, signing, and maintaining the program.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — HIPAA Security Officer: Required Duties + Job Description Template. We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
Can the Privacy Officer and Security Officer be the same person at a small practice?
Yes. HIPAA names both roles in separate provisions ([45 CFR § 164.530(a)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530) for Privacy, [§ 164.308(a)(2)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308) for Security) but does not prohibit one workforce member from holding both. In a sub-15-person practice the dual role is common and defensible if the designation is written, the duties are documented, and the person actually has the authority and time to perform them.
Does the Security Officer have to be an employee, or can it be a contractor?
OCR does not require the Security Officer to be a W-2 employee. A contracted CISO or fractional officer is acceptable if the role is documented, the contract scope includes the duties listed in [45 CFR § 164.308(a)(2)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308), and the contractor has authority to direct workforce members on security matters. Get a Business Associate Agreement signed before they touch ePHI.
Does the Security Officer need a CISSP or HCISPP?
No. HIPAA names no certification requirement. A formal credential helps with defensibility, but what OCR investigators ask for is evidence the designated individual ran the risk analysis, owned the remediation plan, signed off on policies, and ran the annual review. Function over credential.
How often does the Security Officer designation need to be reaffirmed?
At least annually as part of the program review, and immediately whenever the designated person leaves or changes role. We recommend a dated, signed designation letter filed in the binder so an OCR data request can be answered in a single page.
What is the personal liability of a HIPAA Security Officer?
Civil Monetary Penalties under [45 CFR § 160.404](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404) attach to the covered entity, not the individual officer. Criminal exposure under 42 USC § 1320d-6 attaches to individuals who knowingly obtain or disclose PHI in violation of HIPAA. The Security Officer designation does not, by itself, create personal liability for organizational non-compliance.
Does a one-doctor practice still need a designated Security Officer?
Yes. The administrative safeguard at [45 CFR § 164.308(a)(2)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308) is a required standard with no small-entity exception. In a solo practice the owner is typically the Security Officer. The designation must still be written and dated, and the duties must still be performed.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 45 CFR § 164.308(a)(2)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
- 45 CFR § 164.530(a)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530
- § 164.316(b)(2)(i)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Related across the archive
- SRAHIPAA Policies and Procedures: What a Small Practice Actually NeedsWhat 45 CFR 164.316 and 164.530(i) require for HIPAA policies and procedures, the minimum set a small practice should maintain, and how to keep them current without bloat.
- SRAHIPAA Security Rule vs Privacy Rule: A Plain-English MapWhat the Security Rule at 45 CFR Part 164 Subpart C does, what the Privacy Rule at Subpart E does, where they overlap, and which rule the SRA actually answers to.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- ComplianceHIPAA Workforce Sanction Policy — Template (45 CFR 164.308(a)(1)(ii)(C))A 2026 HIPAA workforce sanction policy template — required by 45 CFR 164.308(a)(1)(ii)(C), with a four-tier discipline matrix and documented application examples.
- SRAHIPAA Training Requirements for a Small PracticeWhat 45 CFR 164.530(b) and 164.308(a)(5) require for HIPAA workforce training, plus a realistic cadence and documentation approach for a small practice.
- RegulationHIPAA Privacy Rule Administrative Requirements (45 CFR 164.530)Designated privacy official, workforce training, safeguards, complaint process, sanctions, mitigation, anti-retaliation, anti-waiver, documentation, and policies and procedures.
- GlossaryHIPAA Security OfficerThe workforce member designated under 45 CFR 164.308(a)(2) to be responsible for the development and implementation of HIPAA security policies.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.