Quick answer

Yes, your office manager can be your HIPAA privacy officer, and for most small practices that is a fine choice. HIPAA requires every covered entity to designate a privacy official under 45 CFR 164.530(a)(1) and a security official under 45 CFR 164.308(a)(2), and one person can hold both roles. HIPAA does not require a specialist. The catch is that the role is real work: policies, training, complaints, vendor agreements, breach response, and the written Risk Analysis. The problem is never the office manager’s title. It is handing them the title without the time, training, or authority to actually do the job. OCR holds the practice liable either way.

If you run a small practice in Houston or anywhere else, you have probably already named a HIPAA privacy officer, and there is a good chance it is your office manager. That is not a mistake. It is the most common setup in small healthcare, and HIPAA allows it. The question worth asking is not whether the office manager can hold the title. It is whether the way you have set it up will actually hold up when OCR asks.

Does HIPAA require a privacy officer at all?

Yes, and there is no small-practice exemption. The Privacy Rule requires every covered entity to designate a privacy official who is responsible for developing and implementing the practice’s privacy policies and procedures, under 45 CFR 164.530(a)(1)(i). The same rule requires you to name a contact person or office to receive complaints, and to document the designation in writing under 164.530(j).

Separately, the Security Rule requires you to identify a security official responsible for your Security Rule policies, under 45 CFR 164.308(a)(2), the standard HHS calls “Assigned Security Responsibility.” There are no separate implementation specifications for it, which is HHS’s way of saying the requirement is simple: pick a person and make them accountable.

So a small practice has two roles to fill, not one: a privacy officer and a security officer. The good news is you do not need two people.

Can the office manager be the privacy officer?

Yes, for both roles. Nothing in HIPAA prohibits one person from holding the privacy official and the security official roles at the same time, and nothing requires that person to be a lawyer, a CISO, or an outside consultant. In a solo or small group practice, naming one trusted person to wear both hats is normal and accepted.

The office manager is often the logical choice. They already touch scheduling, billing, vendors, staff onboarding, and patient questions. Those are the same places PHI moves through the practice, so the person who runs the office already has a map of where the risk lives. On paper, it fits.

The trouble starts when “name the office manager” is treated as the finish line instead of the starting line.

What the job actually involves

Here is what you are actually assigning when you make someone the privacy and security officer. It is more than most owners realize:

Develop and implement the practice’s written privacy and security policies. Train every member of the workforce on those policies, which is its own requirement under 164.530(b). Apply sanctions when staff break the rules, under 164.530(e). Field patient complaints and rights requests, like access to records. Keep a signed Business Associate Agreement on file with every vendor that touches PHI, under 45 CFR 164.502(e). Run breach response when something goes wrong. And oversee the written Risk Analysis required under 45 CFR 164.308(a)(1)(ii)(A), which is the single document OCR asks for first.

That last one is where most small practices fall down, and it is not a paperwork footnote. Inadequate risk analysis shows up in roughly 90% of OCR’s Security Rule enforcement actions. In OCR’s own 2016 to 2017 audits, 86% of covered entities failed the risk-analysis requirement. Asking a full-time office manager to produce a thorough, organization-wide Risk Analysis on top of running the front desk is where the title and the reality come apart.

So where does it go wrong?

It goes wrong when the office manager has the title but not the time, the training, or the authority. The designation gets made, the form gets signed, and then nothing downstream actually happens. No documented Risk Analysis. Training that lapses. BAAs that were never collected. A breach plan that exists only in someone’s head.

And here is the part that matters most: OCR does not hold the office manager liable. It holds the practice liable. The covered entity is the regulated party. So when an investigation finds that the “privacy officer” never had the bandwidth to do the work, the settlement and the corrective action plan land on the practice, not on the person whose name was on the form.

The enforcement backdrop is not gentle. Since October 2024, OCR’s Risk Analysis Initiative has targeted practices that cannot produce an adequate analysis, and it has continued into 2026. In April 2026 alone, OCR settled four ransomware cases covering 427,000 patients for $1.165 million. In 2025, a behavioral health provider settled for $225,000 over a missing risk analysis. Civil penalties in 2026 run from $145 to $2,190,294 per violation under Federal Register 2026-01688, and small-practice settlements usually come with a two-to-three-year corrective action plan that is more painful than the check.

How to make it work

You do not need to take the title away from your office manager. You need to set them up so the title means something.

Designate them formally and put it in writing, including in your Notice of Privacy Practices, per 164.520. Then give them three things the role requires: time carved out of their week that is actually protected, real training so they know what the job is, and the authority to make staff follow the rules and to spend a little money when compliance needs it. A privacy officer who cannot tell a physician to change a habit is a privacy officer in name only.

For the technical pieces that genuinely sit outside an office manager’s training, the written Risk Analysis and the security controls, bring in outside help rather than pretending the front desk can do it alone. That is exactly what a fractional privacy officer is for: your office manager stays the internal owner and day-to-day contact, and a CIPP/US advisor handles the analysis, the policies, and the OCR-facing work. The combination is cheaper than a full-time hire and far cheaper than a settlement.

What to do next

Start with one honest question: if OCR asked tomorrow, could your office manager produce a current written Risk Analysis, training records for this year, and a signed BAA for every vendor? If the answer is no, the title is not the problem. The support is.

The fastest way to see where you stand is the $750 Privacy Exposure Review: 48 hours, your top three risks, no big commitment. It tells you exactly which parts of the job your office manager can keep owning and which parts need a hand. Keep the office manager as your privacy officer. Just do not leave them to carry it alone.

Last Updated: June 19, 2026