The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

What is the Cost of HIPAA Certification?

The cost of HIPAA certification can be divided into the direct cost of obtaining a certification (i.e., the cost of an audit or training course) and the indirect costs of implementing measures to be HIPAA compliant and/or removing members of the workforce “from the floor” to undergo HIPAA training. However, investing in a HIPAA compliance program that provides a certification at the end of the program can be worthwhile – both for businesses and for individuals.

An Internet search for HIPAA compliance invariably returns a number of results for HIPAA compliance programs that offer certifications of compliance at the end of the program. However, HHS’ Office for Civil Rights does not recognize certificates of HIPAA compliance. So, why do these programs exist? And are there any benefits in investing in these programs?

What are HIPAA Compliance Programs?

HIPAA compliance programs come in many shapes and sizes. Some are designed to help businesses comply with specific elements of HIPAA (i.e. security and awareness training), others cover the evaluation requirements of the Security Rule (§164.308(a)(8)), while the best HIPAA compliance programs are more comprehensive and include Privacy Rule compliance, Business Associate Agreements, and breach notification procedures.

HIPAA compliance programs can also be designed to help members of the workforce better understand their compliance obligations by providing foundation training. Foundation training courses do not replace “policy and procedure” training required by the Privacy Rule, but rather explain the basics of HIPAA by answering questions such as what is PHI, why should it be protected, and what rights do individuals have over their PHI?


How are they Beneficial to Businesses?

HIPAA compliance programs can be beneficial to businesses in several ways. Initially, they can find any issues that exist in HIPAA compliance via a series of audits. The programs then help businesses develop remediation plans to address the issues, and support workforce training on any new policies and procedures implemented as a result of the audits and remediation plans. Therefore, even without a certificate, a HIPAA compliance program helps businesses become more HIPAA compliant.

However, once the program is completed, the compliance organization issues the business a HIPAA certification that documents the gaps, the remediation plans, and workforce training. Although only a “point in time” certification of HIPAA compliance, the certificate can be used to demonstrate a “good faith” effort to comply with HIPAA in the event of a complaint against the business or a compliance review by HHS’ Office for Civil Rights.

How are they Beneficial to Employees?

A HIPAA certification that demonstrates an employee (or other member of the workforce) has completed a HIPAA compliance program also has multiple benefits. It can help employees perform their roles with a better understanding of the risks to PHI, a better understanding of individuals’ rights, and a better understanding of how HIPAA compliance can protect the privacy of PHI while enabling the flow of healthcare data between those who need it.

Because each covered entity and business associate should develop and train workforces on their own HIPAA compliance policies and procedures, a HIPAA certification for employees does not excuse them from further HIPAA training. However, demonstrating a strong knowledge of HIPAA – by acquiring a HIPAA certification – can help employees find better jobs or successfully apply for promotions with their current employer.

What is the Cost of HIPAA Certification?

The cost of HIPAA certification naturally varies according to the type of compliance program, the volume of issues identified in the initial series of audits, and the amount of work required to remediate the issues. The size of the business is also a factor – with the cost of HIPAA certification being much less for a single-location healthcare service with a limited number of employees than a multi-location Organized Health Care Arrangement covering multiple business types.

With regard to compliance training for employees, the cost of HIPAA training tends to be per employee. Training modules are provided to the business or the employee for use when and as often as required; and, once all the training modules are completed, the employee is awarded a HIPAA certification that can be used by the business to demonstrate a “good faith” effort to comply with HIPAA and by the employee to enhance their personal prospects.

What is the Cost of Non-Compliance with HIPAA?

There is an argument that the cost of HIPAA certification is not a good investment because most covered entities and business associates are generally compliant and the audits conducted at the beginning of a HIPAA compliance program may not find sufficient issues to justify the expense. It is also the case that the cost of HIPAA certification for employees can be hard to justify because foundation training does not replace the requirement to provide policy and procedure training.

These arguments are not valid when you compare the cost of HIPAA certification against the cost of non-compliance with HIPAA. Although HHS’ Office for Civil Rights does not issue as many financial penalties as it could (a situation that may change when the settlement sharing provision of HITECH is enacted), hundreds of covered entities and business associates each year are required to comply with Corrective Action Plans – some of which can last several years.

Depending on the requirements of a Corrective Action Plan, the cost to a non-compliant business can far outweigh the cost of HIPAA certification due to business disruption, reduced employee productivity (attributable to learning new procedures and additional training), and the cost of an end-of-plan audit to demonstrate to HHS’ Office for Civil Rights that the business has complied with the Corrective Action Plan.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
