The Compliance Bottleneck Every Growing Practice Hits
You started as the Company Admin because you had to be. Someone needed to own HIPAA for the practice, and that someone was you. Then the practice grew. Now you are training new hires, tracking certificates, reviewing patient complaints, chasing BAAs from vendors, and running risk assessments — and every one of those tasks still funnels through your account.
That bottleneck is the single most common reason compliance programs fall behind. Work piles up with one person, tasks slip past their due dates, and the practice ends up in a reactive posture instead of a proactive one.
The Middle Ground You've Been Missing
Until recently, HIPAA Security Suite offered two permission levels: Employee (can complete training and view their own records) and Company Admin (can do everything). That is a steep jump. Promoting a trusted office manager to Company Admin gives them access to billing, subscription settings, and every patient record in the system — even if all you really wanted was help managing training reminders.
The new Manager role closes that gap. A Manager sits between Employee and Company Admin and can be granted access to one or several specific workspace areas — and nothing else.
Eleven Areas You Can Delegate
When you promote a user to Manager, you choose exactly which of these eleven areas they are allowed to oversee:
- Users — add and edit employee records
- Training — assign lessons, send reminders, mark completions
- Documents & Policies — upload, review, and acknowledge policy documents
- Vendors & BAAs — manage business associate agreements and vendor risk
- Patients & Privacy — handle patient-facing privacy records
- Patient Complaints — triage and resolve complaint submissions
- Other Incidents — log and investigate internal incidents
- Risk Assessments — conduct and review periodic assessments
- Audit Findings & Compliance Gaps — track and close remediation items
- Network Security Scans — review agent and credential scan results
- Devices & Locations — inventory hardware and office locations
A Manager only sees the sections you enabled. Every other part of the sidebar is hidden, and direct-URL attempts to off-limits areas are blocked at the controller level.
Three Delegation Patterns That Work
The Training Specialist
Your office manager already handles onboarding. Grant them Users plus Training, and they can add new hires, assign the HIPAA curriculum, send reminders, and issue certificates — all without touching BAAs, risk assessments, or billing.
The Privacy Officer
In a larger practice, you may have a dedicated privacy officer. Grant them Patients & Privacy, Patient Complaints, and Other Incidents. They can investigate every report end-to-end while staying completely out of technical scanning and vendor management.
The IT Lead
If IT is in-house, give your IT lead Network Security Scans, Devices & Locations, and Audit Findings & Compliance Gaps. They get the visibility they need into vulnerabilities and remediation tickets without touching patient-facing workflows.
What You Keep Control Of
Only Global Admins and Company Admins can:
- Change another user's role or Manager Areas
- Access billing and subscription settings
- Modify company-wide configuration
- Promote a Manager to Company Admin or revoke the role entirely
The audit trail continues to record every action a Manager takes, so you can review who did what and when.
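To make the deny-by-default behaviour described above concrete, here is an added example (not HIPAA Security Suite's own code) of an area-scoped authorization check in Python: it models the roles and the eleven areas from the list above, keeps billing, configuration and role changes admin-only, returns 403 on direct-URL attempts to off-limits areas at the controller level, and records every decision in an audit trail. Function names, the `my_training`/`my_records` employee areas and the in-memory audit list are assumptions.

```python
from dataclasses import dataclass, field, replace

# The eleven delegable workspace areas listed in the post.
AREAS = frozenset({
    "users", "training", "documents_policies", "vendors_baas",
    "patients_privacy", "patient_complaints", "other_incidents",
    "risk_assessments", "audit_findings", "network_scans", "devices_locations",
})
# Reserved for Company/Global Admins; never delegable to a Manager.
ADMIN_ONLY = frozenset({"billing", "company_config", "roles"})
ADMIN_ROLES = frozenset({"company_admin", "global_admin"})
# What an Employee sees: their own training and records (assumed names).
SELF_AREAS = frozenset({"my_training", "my_records"})

@dataclass(frozen=True)
class User:
    name: str
    role: str                       # employee | manager | company_admin | global_admin
    manager_areas: frozenset = field(default_factory=frozenset)

def can_access(user: User, area: str) -> bool:
    """Controller-level check: deny unless the role explicitly grants the area."""
    if user.role in ADMIN_ROLES:
        return True
    if user.role == "manager":
        return area in AREAS and area in user.manager_areas
    if user.role == "employee":
        return area in SELF_AREAS
    return False

def handle_request(user: User, area: str, audit: list) -> int:
    """Simulated controller: a direct URL to an off-limits area gets 403,
    and every decision is appended to the (constructed) audit trail."""
    status = 200 if can_access(user, area) else 403
    audit.append((user.name, user.role, area, status))
    return status

def visible_areas(user: User) -> list:
    """Sidebar builder: only sections the user may open are rendered."""
    return sorted(a for a in AREAS | ADMIN_ONLY | SELF_AREAS if can_access(user, a))

def set_manager_areas(actor: User, target: User, areas: set) -> User:
    """Only an admin may promote a user or change Manager Areas; an area name
    outside the eleven is rejected rather than silently granted."""
    if actor.role not in ADMIN_ROLES:
        raise PermissionError(f"{actor.name} may not change Manager Areas")
    unknown = set(areas) - AREAS
    if unknown:
        raise ValueError(f"not a delegable area: {sorted(unknown)}")
    return replace(target, role="manager", manager_areas=frozenset(areas))
```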
Why This Matters for Enforcement Posture
The OCR has consistently cited inadequate access controls as a factor in enforcement actions. Granting full admin rights to employees who only need to manage one or two areas increases your exposure and undermines the minimum necessary principle that runs through the HIPAA Security Rule. The Manager role brings the product in line with that principle: people see what they need to do their jobs, and nothing more.
How to Assign Your First Manager
Open the Users page, click Actions ▼ on the user you want to promote, and select Edit User. Change the Role dropdown to Manager, check the Manager Areas they should oversee, and save. Their access updates the next time they load a page.
Call to Action
See how HIPAA Security Suite can help you delegate compliance without compromising control.