
Do we need a Privacy Officer?

Yes, someone must own HIPAA privacy for your organization. At a small practice, that can be a part-time role.

TL;DR

HIPAA requires a privacy official responsible for policies, training coordination, and complaints. In small practices, the practice manager often wears this hat alongside other duties.

Updated 2026-04-21

HIPAA expects every covered entity to have a Privacy Official (sometimes called a privacy officer). That person is the named leader for privacy policies, workforce training, patient rights processes, and complaint handling.

Does it have to be a full-time job?

No. Many solo and small practices combine the role with office management. What matters is that someone is accountable, documented, and reachable when staff have questions or incidents happen.

What do they actually do?

Day-to-day, a privacy officer often:

  • Keeps Notices of Privacy Practices up to date and available.
  • Makes sure training happens for new hires and refreshers.
  • Reviews vendor BAAs and tracks where data lives.
  • Leads investigations when something goes wrong.
  • Serves as the contact point for patient complaints about privacy.

How do we "designate" someone?

Put it in writing: a job description addendum, a policy page, or a note on the organizational chart. Train that person enough that they know when to call counsel or a HIPAA consultant.

Pair with security leadership

Larger organizations often split privacy and security roles. Small sites may combine them, but still document who owns technical safeguards like backups and access reviews.

Not legal advice. Educational overview only; consult qualified counsel for your situation.