Government regulations do not limit who can serve as a privacy officer for HIPAA purposes. Pursuant to those regulations, "covered entities" must designate someone to be the privacy officer who will be responsible for developing and implementing HIPAA policies and procedures.

The regulations also require that "covered entities" designate a contact person (or office) who will be responsible for receiving HIPAA-related complaints and providing further information related to HIPAA notices. The privacy officer and the contact person may be, but need not be, the same person. The designations must be documented, and that documentation must be retained for at least six years. Best practice dictates that the designated individual(s) be properly trained in HIPAA's requirements.

Source: HHS Reg. §164.530(a)(1).