HIPAA compliance responsibilities for office managers

In most small practices, the office manager is the de facto Privacy and Security Official. Here is what that means — the specific CFR obligations, the annual cycle, and what documentation needs to exist.

By CoreFolio

In a large hospital system, HIPAA compliance is the job of a dedicated team: a Privacy Officer, a Chief Information Security Officer, a compliance director, and supporting staff. In a small or mid-size practice, that same responsibility lands on whoever manages operations — most often the office manager.

This is not unofficial. In practices with fewer than twenty staff, the Health Insurance Portability and Accountability Act (HIPAA) regulations are typically satisfied by designating the office manager (or the practice owner, or both sharing the role) as the Privacy Official and Security Official. The designation is formal and carries real obligations. What it does not carry is a mandate for a full-time workload — the annual cycle is concentrated and manageable if it is organized.

What follows is a plain-English account of what HIPAA actually requires of whoever holds this role in a small practice: the specific regulations, the tasks they create, the annual cadence, and the documentation that needs to exist.

The two designations you are likely already holding

Two designations are required for every covered entity — every healthcare provider that transmits health information electronically in connection with covered transactions.

Privacy Official (45 CFR § 164.530(a)(1)(i)) [1]

Responsible for developing and implementing the practice's privacy policies and procedures, serving as the contact point for patient privacy complaints, and overseeing compliance with the Privacy Rule's use-and-disclosure framework. The designation must be documented in writing.

Security Official (45 CFR § 164.308(a)(2)) [2]

Responsible for developing and implementing the security policies and procedures required by the Security Rule — covering the administrative, physical, and technical safeguards that protect electronic protected health information (ePHI). This designation must also be documented in writing.

In a small practice, both designations are typically held by the same individual. If no one has ever explicitly written down who holds these roles, the designation is incomplete — and OCR has cited missing or undocumented officer designations in enforcement actions when other issues brought a practice under investigation. Jacob & Associates, a California psychiatric practice, had the absence of a designated Privacy Official cited as a violation in a 2022 resolution agreement opened after a patient records complaint. [3]

The annual compliance cycle

HIPAA compliance is not primarily a daily task — it is an annual cycle with event-triggered additions. Here is what the cycle looks like for a small practice.

Annual: security risk analysis

The most consequential obligation in the Security Official's portfolio is the annual security risk analysis under 45 CFR § 164.308(a)(1)(ii)(A).

The regulation requires an "accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability" of ePHI. For an office manager, this means reviewing every system the practice uses that touches patient data — the EHR, email, billing platform, imaging systems, cloud backups, patient portal, and any portable devices — and asking systematically: what could go wrong with this, how likely is it, and how serious would the consequences be?

The result must be a written document with a date and a documented methodology. A mental exercise that leaves no written record is not a risk analysis under this regulation.

OCR's Risk Analysis Initiative, active since late 2024, has produced 16 settlements as of June 2026. Every single one involved a covered entity that could not produce a defensible, current risk analysis when OCR came looking. [4] Settlement amounts have ranged from $5,000 to $375,000.

Annual: workforce training

45 CFR § 164.530(b)(1) requires training for all workforce members on the practice's privacy and security policies "as necessary and appropriate for them to carry out their functions." Annual training with documentation satisfies this standard in a small practice.

The record that needs to exist: a dated sign-in sheet or attendance log, a brief description of what was covered, and — where the training is delivered via a platform or written materials — a record of completion for each participant.

New staff members must receive training within a "reasonable period" of joining the practice. The regulation does not define that period, but OCR's consistent position is that new employees should complete orientation training promptly after hire.

Annual: policy review

Privacy and security policies should be reviewed annually and updated when the practice changes in ways that affect them: a new EHR system, a new vendor, a change in how patient communications are handled, a material change in the types of services offered.

This does not require a full rewrite each year. It requires a documented review — a notation on the policy document or a separate memo — confirming that the policy was reviewed and remains current, or was updated as needed.

Annual: business associate agreement audit

Every vendor with access to ePHI is a business associate and must have a signed BAA under 45 CFR § 164.308(b)(1). The office manager's responsibility is ensuring that BAA inventory is current — that every vendor on the ePHI system list has a signed agreement, and that agreements are reviewed when vendor services materially change.

Missing BAAs are among the most consistently cited findings in OCR investigations. The common failure pattern is not that practices refuse to sign BAAs — it is that they add new vendors without recognizing they have ePHI access, and the BAA list falls out of date.

Event-triggered responsibilities

Beyond the annual cycle, several HIPAA obligations are triggered by specific events.

Patient records requests

Under 45 CFR § 164.524, patients have the right to access their records within 30 days of a request (extendable to 60 days with written notice). Denying or significantly delaying access is one of the most common sources of OCR investigations — OCR has brought more than 50 enforcement actions in its Right of Access Initiative since 2019.

The office manager's responsibility: when a records request arrives, log it with the date, and confirm the practice delivers the records within the regulatory window. The fee the practice charges cannot exceed cost-based rates for copying; it cannot be set as a deterrent. [5]

Privacy complaints from patients

45 CFR § 164.530(d) requires covered entities to provide a process for patients to make privacy complaints and to document all complaints received and their disposition. The Privacy Official is the designated contact for this process.

Most complaints in small practices involve perceived misuse of PHI — a disclosure a patient did not authorize, a perceived sharing of information with a family member without consent, or confusion about who received records. The documentation requirement applies regardless of whether the complaint has merit.

Breach incidents

If a security incident involving ePHI occurs, the Security Official leads the practice's response. The first step is the four-factor risk assessment under 45 CFR § 164.402 to determine whether the incident constitutes a reportable breach. If it does, notification to affected individuals is required within 60 days, and HHS must be notified on the applicable schedule.

For breaches affecting fewer than 500 individuals, the practice reports to HHS annually, in a log submitted within 60 days after the end of the calendar year. For breaches affecting 500 or more individuals, OCR notification and (in some cases) media notification are required within 60 days.

Workforce violations

45 CFR § 164.530(e) requires covered entities to have a sanction policy for workforce members who violate privacy policies, and to document sanctions that are applied. In a small practice, this matters most when a staff member improperly accesses, shares, or loses patient records. The documentation requirement applies even if no sanction is ultimately imposed.

What the documentation needs to look like

OCR investigations routinely come down to documentation. A practice can perform compliant work for years and face severe exposure in an investigation if it cannot produce evidence of what it did. The minimum documentation set:

On file at all times:

  • Written Privacy Official and Security Official designations (dated, signed)
  • Current risk analysis report with date and documented methodology
  • Current risk management plan tracking remediation of identified risks
  • Written privacy and security policies and procedures
  • BAA inventory with copies of executed agreements
  • Training records for each workforce member

Created when events occur:

  • Records requests log with dates received and fulfilled
  • Privacy complaints log with dates and disposition notes
  • Security incident and breach log with four-factor analysis for each incident
  • Sanctions records when sanctions are applied

The retention requirement for all HIPAA documentation is six years from the date of creation or the date it was last in effect, whichever is later, under 45 CFR § 164.530(j)(2).

What the role does not require

A few things worth being explicit about:

No specific credential is required. HIPAA does not mandate a CHPC, a CIPP, a CISSP, or any other certification for the Privacy or Security Official. Understanding the requirements and executing the responsibilities is what the regulation requires, not a credential.

No dedicated IT background is required for the Security Official role. The Security Official in a small practice is not expected to configure firewalls or conduct penetration tests. They are expected to understand what systems touch ePHI, to oversee the risk analysis process, and to ensure the practice's security policies reflect actual practice. Technical questions can be escalated to IT support. The oversight responsibility stays with the designated official.

No legal background is required. The Privacy Official's job is to develop and implement policies, not to serve as legal counsel. When specific questions arise — whether a particular disclosure is permissible, how to respond to a legal request for records, how to interpret an unusual situation — qualified legal counsel is the appropriate resource. The Privacy Official is not a substitute for that.

Starting points if you are new to this role

If you have recently taken on — or recently realized you hold — the Privacy and Security Official role in your practice, here is a practical sequence:

  1. Confirm your designation is documented. A dated, signed memo is sufficient. If there is no document, write one today.
  2. Find the most recent risk analysis. If it exists, check the date. If it is more than twelve months old, it needs an update. If it does not exist, it needs to be produced.
  3. Audit BAA coverage. List every vendor the practice uses that touches ePHI. Confirm a signed BAA exists for each.
  4. Check training records. Confirm when training last occurred and that documentation exists.
  5. Review the breach log. If none exists, create it and date the creation.

None of these steps is bureaucratic for its own sake. Each one closes a gap that OCR investigators have specifically cited in enforcement actions against small practices that look very much like yours.

Sources

Sources current as of June 2, 2026. This article is educational and does not constitute legal advice.

Footnotes

  1. 45 CFR § 164.530(a)(1)(i) and § 164.530(a)(2), (j). Full text via the Legal Information Institute, Cornell Law School: https://www.law.cornell.edu/cfr/text/45/164.530. Last verified June 2, 2026.

  2. 45 CFR § 164.308(a)(2). Full text via the Legal Information Institute, Cornell Law School: https://www.law.cornell.edu/cfr/text/45/164.308. Last verified June 2, 2026.

  3. U.S. Department of Health and Human Services, Office for Civil Rights, Jacob and Associates HIPAA Enforcement Action (2022). Resolution cited failure to designate a Privacy Official alongside right-of-access and notice-of-privacy-practices violations. Settlement: $28,000. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/jacob-associates/

  4. U.S. Department of Health and Human Services, Office for Civil Rights. Resolution agreements under the Risk Analysis Initiative, October 2024–June 2026. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/

  5. 45 CFR § 164.524. The regulation prohibits charging fees that deter patients from requesting their records. OCR's position is that fees must not exceed the actual cost of copying, labor, and supplies.