What is a fractional HIPAA compliance officer?
HIPAA requires every covered entity to designate a Privacy Official and Security Official. Here is what that means, who typically fills the role in small practices, and when an outside consultant can serve in it.
By CoreFolio
Search for "fractional HIPAA compliance officer" and you will find a mix of boutique consulting firms, managed-service contracts, and healthcare IT vendors, all offering some version of outsourced compliance leadership. What you will not find is the phrase itself anywhere in the Health Insurance Portability and Accountability Act (HIPAA) or the Code of Federal Regulations (CFR). "Fractional HIPAA compliance officer" is an industry term, not a regulatory one — a shorthand for an arrangement that addresses a real regulatory requirement that small practices often underestimate until an investigation opens.
That requirement — two formal designations, one for privacy and one for security — applies to every covered entity, regardless of size. Understanding what the rule actually says, who fills this role in practice, and when an outside arrangement makes sense is worth getting right.
What the rule actually requires
HIPAA creates two separate designation obligations, each in a different rule.
The Privacy Official is required by 45 CFR § 164.530(a)(1)(i), part of the HIPAA Privacy Rule:[^1]

> A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.
The designation must be documented in writing under 45 CFR § 164.530(a)(2) and (j). The Privacy Official is also responsible for receiving complaints from patients under § 164.530(a)(1)(ii). There is no minimum credential requirement and no prescribed job title in the regulation.
The Security Official is required by 45 CFR § 164.308(a)(2), part of the HIPAA Security Rule, under the Administrative Safeguards:[^2]

> Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.
This is listed as a required implementation specification — not addressable, not optional. Like the Privacy Official designation, it requires no specific credential and carries no specified job title. What the regulation requires is a named individual and a written designation.
Both designations can be — and in small practices, almost always are — held by the same person. A solo practitioner, a dentist who owns the practice, or an office manager can simultaneously serve as both Privacy Official and Security Official. The HHS Summary of the Security Rule explicitly confirms this arrangement is appropriate at smaller organizations.[^3]
What neither designation can be is informal, undocumented, or assumed.
Why "fractional" exists as a concept
Most hospital systems have dedicated compliance departments. A three-provider family practice does not. The realistic options for a small or mid-size covered entity fall into three categories.
Model 1: Owner or office manager fills both roles
This is the most common arrangement at practices with fewer than ten employees, and it is fully supported by the regulation. The owner, a senior clinician, or the office manager is designated in writing as both Privacy Official and Security Official. They receive whatever training they need to understand the responsibilities, and they carry out the core annual and ongoing tasks.
The word "fractional" sometimes gets applied to this arrangement to distinguish it from a dedicated full-time hire, but it is simply the small-practice norm. The time requirement is real but not overwhelming — typically a concentrated effort during the annual risk analysis cycle and shorter quarterly check-ins.
Model 2: External consultant designated or engaged
Some practices engage an outside HIPAA consultant, a fractional Chief Compliance Officer service, or a healthcare-focused managed-service provider to serve in the compliance leadership role. The arrangement can range from a named individual the practice designates in writing as its Privacy and Security Official, to a contracted service that performs the compliance work without formally holding the designation.
An important legal nuance: the regulatory text of the Privacy Rule does not explicitly require the Privacy Official to be an employee, and the same is true of the Security Official under the Security Rule. The Privacy Rule preamble, however, appears to assume the official will be a workforce member, and HHS has not issued definitive guidance settling whether a third-party contractor can formally hold the designation. Legal analysts who have reviewed the question consider a third-party arrangement potentially supportable but not free of risk, and recommend that practices considering it seek qualified legal counsel before formalizing such a designation.[^4]
In any event, the covered entity itself remains the legally responsible party. Designating or engaging an outside consultant does not transfer HIPAA liability. If an investigation opens, OCR looks to the covered entity.
Model 3: Software-guided self-service
A growing category of compliance platforms provides guided workflows, policy templates, and training modules that allow a practice owner or office manager to carry out the Privacy and Security Official responsibilities without specialized outside help. These platforms do not hold the officer designation — the practice owner still does — but they provide the structure and documentation support that makes self-service viable.
What the role actually involves
"Compliance officer" can sound like a credential or a title. In a small practice context, it describes a set of ongoing responsibilities tied to specific CFR obligations.
Annual risk analysis and risk management plan
The Security Official is responsible for ensuring the covered entity conducts an accurate and thorough assessment of the risks to electronic protected health information (ePHI) — every system that creates, receives, maintains, or transmits ePHI — under 45 CFR § 164.308(a)(1)(ii)(A). The matching Risk Management Plan under § 164.308(a)(1)(ii)(B) documents how identified risks will be reduced to a reasonable and appropriate level.
This is the most consequential obligation the Security Official owns. Every enforcement action under OCR's Risk Analysis Initiative — 16 settlements between October 2024 and early 2026 — traces back to a covered entity that could not produce a current, defensible risk analysis.[^5]
Privacy policies and procedures
The Privacy Official is responsible for developing and maintaining the practice's written privacy policies and procedures: how protected health information (PHI) can be used and disclosed, how patient rights are handled (access, amendments, accounting of disclosures), and what the Notice of Privacy Practices says and when it is provided.
Workforce training
45 CFR § 164.530(b) requires training for all workforce members "as necessary and appropriate for them to carry out their functions." Training must be documented. In a small practice, this means annual awareness training and documentation that it occurred — not an enterprise learning management system, but not a verbal conversation that leaves no record either.
Business associate oversight
The Privacy and Security Official is responsible for ensuring every vendor with access to ePHI has a signed business associate agreement (BAA). This is an ongoing obligation — new vendors need BAAs, and existing BAAs need review when vendor services or the regulatory environment materially change.
Breach response coordination
If a security incident or privacy breach occurs, the Privacy Official and Security Official are the functional leads on the covered entity's response: conducting the four-factor breach determination, notifying affected individuals, and reporting to HHS as required under the Breach Notification Rule, 45 CFR §§ 164.400–414.
What happens when no one is designated
OCR does not maintain a registry of designated officers, so an undocumented or missing designation does not create immediate exposure on its own. What it creates is a vulnerability that compounds when something else goes wrong.
In 2022, OCR settled with Jacob & Associates, a psychiatric practice in California, for $28,000. The investigation opened after a patient complained about delayed records access. When OCR reviewed the practice's compliance posture, it found, among other issues, that the practice had never designated a Privacy Official — a separate violation cited alongside the right-of-access failure.[^6]

Also in 2022, Northcutt Dental in Alabama settled for $62,500 after impermissibly disclosing patient information for a political campaign. OCR's investigation found the practice had not designated a Privacy Official until November 2017, well after the violations had begun.[^7]
In both cases, the missing designation was one of multiple cited violations, not the sole basis for the settlement. That is the consistent pattern: OCR does not open investigations specifically to check officer designations. But once an investigation opens for any reason, foundational compliance gaps — including missing or undocumented designations — compound the exposure.
The cost landscape
For context on where the fractional-service market sits:
| Arrangement | Typical cost | What it provides |
|---|---|---|
| Owner/office manager fills role | Staff time only | Designations, policies, training, risk analysis — all self-executed |
| Software-guided platform | ~$99–$300/month | Guided workflows, templates, training modules; owner still holds designation |
| Full-service consultant engagement (small practice) | $5,000–$25,000/year | Risk analysis, policies, training, ongoing advisory; designation varies by contract |
| Dedicated fractional CCO service | $2,000–$10,000/month | Embedded compliance leadership; formal designation varies by arrangement |
| Full-time in-house compliance hire | $130,000–$180,000+/year (base salary) | Dedicated FTE; clear designation; high fixed cost |
These ranges vary considerably by scope and market. The relevant comparison is that even the smallest OCR settlement under the Risk Analysis Initiative — $5,000 for Vision Upright MRI — equals several months of a software platform subscription. There is no longer a defensible cost argument for leaving the foundational designations and documentation undone.
What to do this month
If your practice has not formally documented the Privacy Official and Security Official designations, three steps are reasonable to take this week.
- Confirm who is designated. In most small practices, this is the owner, lead clinician, or office manager. If there is an existing job description or employment agreement, add a line explicitly naming the HIPAA Privacy Official and Security Official responsibilities. If there is no formal document, create one — a dated, signed designation memo is sufficient.
- Confirm the designation covers both roles. If the same person holds both, document both designations explicitly. The Privacy Rule and Security Rule are separate; a designation under one does not automatically create the other.
- Connect the designation to the risk analysis cycle. The Security Official designation is the anchor for the annual risk analysis obligation. If the designation document exists but no current risk analysis does, that gap is the next item on the list.
The designation itself is two sentences and a signature. The work the designation obligates — the risk analysis, the policies, the training records — is the substantive project.
Sources
Sources current as of June 2, 2026. This article is educational and does not constitute legal advice. For legal questions about HIPAA compliance or officer designation arrangements specific to your practice, consult qualified legal counsel.
Footnotes
[^1]: 45 CFR § 164.530(a)(1)(i) (Privacy Official designation) and § 164.530(a)(2) and (j) (documentation requirements). Current text via the Legal Information Institute, Cornell Law School: https://www.law.cornell.edu/cfr/text/45/164.530. Last verified June 2, 2026.

[^2]: 45 CFR § 164.308(a)(2) (Assigned security responsibility — required implementation specification). Current text via the Legal Information Institute, Cornell Law School: https://www.law.cornell.edu/cfr/text/45/164.308. Last verified June 2, 2026.

[^3]: U.S. Department of Health and Human Services, Office for Civil Rights, Summary of the HIPAA Security Rule. "At small organizations this may be the same person as the Privacy Officer." https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html. Last reviewed December 30, 2024.

[^4]: Thomson Reuters, EBIA, Can the HIPAA Privacy and Security Official Position be Held by a Third Party? The analysis concludes that the CFR does not explicitly require an employee but that the Privacy Rule preamble "seems to assume" the official will be a workforce member, and recommends legal counsel for third-party arrangements. The covered entity remains legally responsible regardless of who holds the designation. https://tax.thomsonreuters.com/blog/can-the-hipaa-privacy-and-security-official-position-be-held-by-a-third-party/

[^5]: U.S. Department of Health and Human Services, Office for Civil Rights. Resolution agreements under the Risk Analysis Initiative, October 2024–June 2026. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/

[^6]: U.S. Department of Health and Human Services, Office for Civil Rights, Jacob and Associates HIPAA Enforcement Action (2022). Settlement: $28,000 for Right of Access, non-compliant Notice of Privacy Practices, and failure to designate a Privacy Official. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/jacob-associates/

[^7]: U.S. Department of Health and Human Services, Office for Civil Rights, Northcutt Dental-Fairhope, LLC HIPAA Enforcement Action (2022). Settlement: $62,500 for impermissible PHI disclosure and failure to designate a Privacy Official until November 2017. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/northcutt/