Healthcare Compliance Certification
Healthcare compliance certification can mean different things to different people. For individuals, healthcare compliance certification can mean they have completed a course that provides an overview of healthcare regulations in the U.S. For healthcare providers, a certificate of compliance can mean they comply with regulations and standards such as:
- The Health Insurance Portability and Accountability Act (HIPAA)
- Medicare Conditions for Participation (including LEIE screening)
- The Occupational Safety and Health Regulations for Healthcare
- The Texas Health and Safety Code (as amended by HB 300)
- The Service Organization Controls 2 (SOC 2) Type 2
There are many more regulations and standards that healthcare providers may be required to comply with depending on their location and the nature of their activities. This article focuses on the above five sets of regulations and standards, and explains what healthcare compliance certification means in the context of each.
The Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 primarily to reform the health insurance industry. To prevent the costs of the reforms being passed onto employers and workers, Congress introduced measures to save health insurers money by reducing fraud in the healthcare industry and simplifying the administration of healthcare transactions.
These measures led to the development of the HIPAA Administrative Simplification Regulations, which apply to healthcare providers that conduct electronic transactions for which the Department of Health and Human Services (HHS) has published standards. Healthcare providers that qualify as HIPAA covered entities are required to comply with all applicable HIPAA regulations.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Also required to comply with all applicable HIPAA regulations are business associates that provide a service for or on behalf of covered entities when the service involves the creation, receipt, storage, or transmission of Protected Health Information (PHI). Workforces of both covered entities and business associates are required to comply with HIPAA via their employers’ policies and procedures.
HIPAA Compliance Certification for Healthcare Organizations
Although HHS does not endorse HIPAA compliance certifications, the Department acknowledges that covered entities and business associates are required to conduct periodic technical and non-technical evaluations (§164.308). HHS does not object to outsourcing the requirement to external certification services, but notes a HIPAA compliance certification does not guarantee HIPAA compliance.
The reason HIPAA compliance certification does not guarantee HIPAA compliance is because a certification is a “point-in-time” accreditation that a covered entity or business associate complies with all applicable HIPAA regulations at the time the certification is issued. HIPAA compliance is ongoing, and any point-in-time accreditation only guarantees compliance at the point in time.
Nonetheless, there are good reasons for healthcare providers to consider HIPAA certification. Although a point-in-time accreditation, HIPAA compliance certification demonstrates a good faith effort to comply with the applicable HIPAA standards – which could prove valuable if a provider is investigated for an alleged violation of HIPAA or sanctioned for a breach of unsecured PHI.
HIPAA Compliance Certification for Individuals
It was mentioned in the introduction to this article that healthcare compliance certification can mean individuals have completed a course that provides an overview of healthcare regulations in the U.S. Often the overview includes HIPAA, but not in any great depth because of the number of other regulations that also have to covered in the certification course.
Conversely, the HIPAA policy and procedure training provided by a covered entity may go into certain areas of HIPAA in great depth when these areas of HIPAA are relevant to an individual’s role for the covered entity. However, without a holistic understanding of HIPAA, employer training can often be confusing when provided out of context of HIPAA as a whole.
HIPAA compliance certification for individuals is an accreditation issued to members of a workforce who have completed a HIPAA training course. In some cases, the courses are foundation courses provided by covered entities as a prelude to HIPAA policy and procedure training; but most often they are online courses an individual has subscribed to in order to improve their knowledge.
Medicare Conditions for Participation (including LEIE screening)
The Medicare Conditions for Participation cover a large section of the Public Health Code and there are multiple areas in which healthcare compliance certification is advisable. Furthermore, a certification of compliance should not be difficult because many Conditions for Participation align with measures healthcare organizations would need to put in place to be HIPAA compliant.
For example, under the Conditions of Participations for Hospitals (Part 482), healthcare providers are required to provide each patient with a Notice of Rights similar to the Notice of Privacy Practices required by the HIPAA Privacy Rule. There are also regulations similar to HIPAA governing the security of medical records, workforce training, and emergency preparedness.
Additionally, many Medicare Conditions for Participation align with the measures required for OSHA healthcare compliance (covered in a later section). Therefore, by achieving HIPAA healthcare compliance certification and OSHA healthcare compliance certification, many healthcare providers are well on the way to meeting the Medicare Conditions for Participation.
EMTALA Compliance Certification for Healthcare Providers
One area of the Medicare Conditions for Participation that do not overlap with other healthcare regulations is the Emergency Medical Treatment and Labor Act (EMTALA). Although the provisions of EMTALA apply to all hospitals with emergency departments, it is important that healthcare providers comply with all the provisions to avoid financial penalties and exclusion from Medicare.
This means that hospitals with emergency departments must provide a medical screening examination to any individual who comes to the emergency department and requests such an examination. The Act also prohibits hospitals with emergency departments from refusing to examine or treat individuals with an emergency medical condition, including women in labor.
Individuals who are denied emergency medical treatment (or their personal representatives) can file a complaint with CMS. If the complaint is upheld, healthcare providers can be fined up to $50,000 per violation and excluded from Medicare for repeat violations. However, the impact of EMTALA violations may be mitigated if a provider holds an EMTALA compliance certification.
State and Federal OIG Exclusions (LEIE Screening)
Another Medicare Condition for Participation that applies to all healthcare providers is LEIE screening. LEIE screening is when a new hire or contractor is checked against a List of Excluded Individuals and Entities published by a state or federal Office of Inspector General. (Medicare Advantage also requires screening against the System for Award Management (SAM) database.)
The most well-known List of Excluded Individuals and Entities (LEIE) is the HHS OIG Exclusion List. This database lists all individuals and organizations that have been convicted of violating a clause of §1128 of the Social Security Act, plus individuals and organizations that have been reported by state Medicare Fraud Control Units, state licensing authorities, and law enforcement agencies.
If a healthcare provider engages the services of an individual or organization that appears on the LEIE list, it can result in significant financial penalties. These penalties can be mitigated if the healthcare provider can demonstrate compliance with the LEIE screening requirements via a relevant healthcare compliance certification and provide documentation indicating regular LEIE screening checks.
The Occupational Safety and Health Regulations for Healthcare
The occupational safety and health regulations for healthcare are the standards published by the federal Occupational Safety and Health Administration (OSHA) and – where applicable – by state plans. Most healthcare providers are required to comply with all relevant standards in the General Industry category plus the General Duty clause for non-specific hazards.
This means that, in addition to complying with specific standards relating to (for example) bloodborne pathogens, ionization radiation, and hazard communication, employers in the healthcare industry also have a general duty to protect members of the workforce against foreseeable risks to safety and health attributable to (for example) patient handling and workplace violence.
It is also important for employers to be aware of the OSHA training requirements. Many standards have mandatory training provisions that not only apply when a new employee joins the workforce, but annually thereafter. However, mandatory refresher OSHA training can often be integrated with the training requirements of other regulations – for example, CMS’ Emergency Preparedness Rule.
OSHA Compliance Certification
OSHA has a network of “Training Institute Education Centers” which offer certification and degree courses for individuals. The most practical OSHA course for compliance officers in the healthcare industry is the Health and Safety Fundamentals Certificate Program for General Industry because this course allows a degree of flexibility about what modules participants take to achieve a certification.
However, despite offering an on-site consultation program and compliance assistance specialists, OSHA does not have any type of compliance certification for businesses. This does seem a little unfair considering that employers have to post citations when they have done something wrong (and can be fined if they don’t), but cannot get officially recognized for doing something right!
Consequently, if a business wants to achieve an OSHA compliance certification, it is necessary to undergo a compliance audit by a third-party organization. As with the HIPAA compliance certification, an OSHA compliance certification is a point-in-time accreditation that demonstrates a good faith effort to comply with federal and – where applicable – state safety and health regulations.
The Benefits of OSHA Compliance Certification
OSHA compliance certification does not absolve an employer of its safety and health responsibilities nor limit its liability in the event of a foreseeable and avoidable workplace accident. However, the effort a business puts into achieving OSHA compliance certification should increase workplace safety and reduce the risks of work-related accidents, injuries, and illnesses.
A reduction in work-related accidents, injuries, and illnesses is not only good for workplace morale, employee retention, and professional reputation, but it can also prove financially beneficial. The lack of OSHA fines is an often-cited financial benefit of OSHA compliance, but businesses will also benefit from lower insurance premiums and other workforce-related costs.
One workforce-related cost of particular relevance to the healthcare industry at present is the cost of recruitment. Many healthcare providers are struggling to fill vacancies due to a nationwide shortage of healthcare professionals. Being recognized as an OSHA compliant employer can help support recruitment efforts, attract candidates, and reduce the cost of recruitment.
The Texas Health and Safety Code (as amended by HB 300)
The reason for the Texas Health and Safety Code being included in this list of regulations is that some areas of the Code apply beyond state borders. For example, if a hospital in New York treats a citizen of Texas, the hospital has to comply with Texas’ limitations on uses and disclosures of the citizen’s PHI rather than the uses and disclosure of PHI permitted by the HIPAA Privacy Rule.
The limitations on uses and disclosures of PHI are not the only difference between HIPAA and the Texas Health and Safety Code as amended by HB 300. There are also different requirements for patient authorizations and patient access to PHI, plus a different definition of what constitutes a data breach and less time in which to notify affected individuals and the Texas Attorney General.
Consequently, because the Texas Health and Safety Code applies to all citizens of Texas regardless of where they are when their PHI is assembled, collected, analyzed, used, evaluated, stored, or transmitted, it is important for healthcare providers throughout the country to be aware of the Texas Health and Safety Code (and the regulations of other states in which a similar scenario might occur).
What does HB 300 Compliance Consist Of?
HB 300 compliance consists of identifying all relevant differences between HIPAA and the Texas Health and Safety Code, developing policies and procedures that account for the differences, and training members of the workforce on the policies and procedures – and, if a healthcare provider is situated outside Texas – explaining when the policies and procedures are effective.
For healthcare providers situated outside of Texas, having one set of policies for “local” patients and another set of policies for citizens of Texas may seem excessive, but it is a situation that is becoming increasingly common in healthcare. For example, Part 2 SUD health data is already treated differently from non-SUD health data, and new regulations may soon be applied to reproductive health data.
Additionally, healthcare providers that do not qualify as covered entities under HIPAA (because they do not conduct covered transactions electronically) do qualify as covered entities for the purposes of HB 300 compliance. Therefore, although it may not be necessary for these healthcare providers to comply with HIPAA, it will still be necessary to comply with the Texas Health and Safety Code.
The Penalties for Non-Compliance
The penalties for non-compliance with any of the regulations discussed so far can be significant. Although in most cases the Department of Health & Human Services, Occupational Safety and Health Administration, and Texas Attorney General will attempt to resolve non-compliance via voluntary measures and corrective action plans, each has the authority to issue civil monetary penalties.
The Penalties for violations of HIPAA can go up to $63,973 per violation (2023) when a violation is attributable to willful neglect, while failing to check an individual is not on the LEIE exclusion list can attract penalties of $20,000 per claim plus up to three times the amount claimed from Medicare. CMS also has the authority to expel healthcare providers from Medicare and Medicaid.
All State Attorneys General have the authority to issue civil monetary penalties on non-compliant healthcare providers after a data breach. In Texas, the penalties can go up to $250,000 per HB 300 violation (capped at $1.5 million per year) and will be applied on top of any civil monetary penalties imposed by HHS’ Office for Civil Rights for the same violation.
The Service Organization Controls 2 (SOC 2) Type 2
The Service Organization Controls 2 (SOC 2) are not regulations, but rather standards that – when complied with – demonstrate a healthcare provider has the right tools and procedures to safeguard sensitive information (Type 1 compliance) or is using the right tools and procedures to safeguard sensitive information (Type 2 compliance). Type 2 compliance is the only certification that matters.
Most healthcare providers that comply with the Security Rule should have no difficulty achieving SOC 2 Type 2 certification. Others may have to extend their “Security” safeguards to include tools such as web application firewalls, intrusion detection software, and two-factor authentication on administrator accounts. (It is important these tools are used, rather than just installed).
With regards to the remaining Trust Services Criteria (“Availability”, “Processing Integrity”, “Confidentiality” and “Privacy”), most HIPAA-compliant healthcare providers with CMS-compliant Emergency Preparedness Plans will have minimal work to do to achieve SOC 2 Type 2 certification unless significant changes are required to comply with the SOC 2 Privacy Management Framework.
Why Get SOC 2 Compliance Certification?
There are several good reasons why a healthcare provider might want to get SOC 2 compliance certification. The first is that implementing the controls required for SOC 2 compliance helps an organization identify and mitigate risks related to security, availability, processing integrity, confidentiality, and privacy – much like a HIPAA risk assessment.
The second good reason is that having the controls in place required for SOC 2 compliance certification means an organization is better prepared to respond to and recover from security incidents. The controls can also lead to cost savings by preventing data breaches and other security incidents, or by reducing the time required to audit other controls.
On the subject of cost savings, although HHS Office for Civil Rights has not yet finalized the requirements for a “recognized security framework” under the HITECH Safe Harbor amendment, the agency is required to take into account good faith efforts – such as SOC 2 compliance certification – to comply with the HIPAA Security Rule when calculating the amount of a civil monetary penalty.
SOC 2 Compliance Certification for Business Associates
For business associates, SOC 2 compliance certification demonstrates to covered entities and other business associates that the organization has robust controls in place to manage and protect their data. In certain circumstances, SOC 2 compliance certification can set one organization apart from its market rivals – giving the organization a competitive advantage.
Having a SOC 2 compliance certification not only reduces the need for covered entities and other business associates to conduct due diligence on an organization before engaging it as a business associate. Because SOC 2 accreditation requires regular third party audits, a certificate of compliance assures potential customers that compliance is ongoing, rather than a point-in-time achievement.
In some cases, SOC 2 accreditation can also be a condition of entering into a business relationship with a healthcare provider. If the organization already has SOC 2 compliance certification, this can save a lot of time and money. Therefore, SOC 2 compliance certification can be more than a “badge of honor” for many organizations in the healthcare industry.
The Benefits of Healthcare Compliance Certification
Several of the benefits of healthcare compliance certification have already been mentioned. Organizations that comply with healthcare regulations and standards are more likely to avoid data breaches and other security incidents; and, when these events occur, a certificate of compliance demonstrates a good faith effort to protect the privacy and security of health information.
In addition to the avoidance or mitigation of regulatory penalties, complying with regulations and standards for the healthcare industry can lower costs, improve reputations, and support workforce recruitment and retention. Compliance programs can also help healthcare providers identify and resolve risks quicker, streamline operations, and improve operational efficiency.
One of the most important benefits of healthcare compliance certification relates to patients. When patients are confident health information will remain confidential, they are more willing to share information with healthcare professionals. With better information, healthcare professionals can make better diagnoses and treatment plans, resulting in better patient outcomes.
The Challenges of Healthcare Compliance
As well as there being many benefits of healthcare compliance, there are also many challenges. Most of these are “human challenges” inasmuch as patients may not wish to cooperate with procedures introduced to support compliance, workforces may have a cultural resistance to change, and key employees may lack the skillsets to manage complex technologies.
Keeping up to date with rapidly evolving healthcare regulations and standards can be a challenge in itself. Healthcare providers with limited resources may find it hard to change working practices and train members of the workforce ahead of compliance deadlines, or integrate new healthcare regulations and standards with new treatments, technologies, and care models.
Additionally, balancing the compliance requirements of multiple regulations and standards with the need to provide quality patient care can be delicate. While the failure to fully comply with healthcare regulations can result in violations and penalties, an overemphasis on compliance can interrupt the flow of information and interfere with clinical practices.
The Importance of Training in Healthcare Compliance
Training in healthcare compliance is important due to the intricate and rapidly changing landscape of healthcare regulations and standards. Without proper training, healthcare professionals and other members of the workforce may inadvertently violate rules or breach ethical guidelines, leading to legal penalties, reputational damage, and potential harm to patients.
Comprehensive compliance training and training certification educates healthcare workforces about the latest regulations and how they apply to specific roles and responsibilities within the organization. This helps in ensuring that all members of the workforce – including management – are on the same page and reduces the likelihood of misunderstandings or oversights.
With regards to overcoming the challenges of healthcare compliance, a trained and certified workforce can enhance patient trust and foster a culture of integrity and accountability. Furthermore, through continuous education, healthcare professionals can stay abreast of the latest changes in regulations, enabling them to adapt and respond proactively and quickly.
The Future of Healthcare Compliance
The future of healthcare compliance is likely going to be a repeat of what has happened in the last twenty-five years. Advances in technology will raise new privacy and security concerns, which will be met by more regulations and standards – only because of the speed at which technology is advancing, it will be hard for regulatory authorities to keep up.
The future of healthcare compliance will include AI, blockchain, and biometric technologies; and, as healthcare moves towards more personalized treatments, like gene therapy, new categories of data will be created and new levels of security applied to them similar to the current proposals for reproductive health data and “attested” uses and disclosures.
To keep up with these changes, healthcare providers will need to be proactive, flexible, and always ready to adapt to new regulations and technologies. This might involve investment in technology and resources, training for staff, and the development of a strong culture of compliance. The individuals responsible for healthcare compliance certainly have a busy time ahead!
Getting Help with Healthcare Compliance Certification
The individuals responsible for healthcare compliance may have different job titles (e.g., Privacy Officer, Security Officer, “employer”, “governing body”, etc.), but they effectively perform similar roles with similar objectives. In the case of smaller organizations, one individual member of the workforce may be responsible for all of an organization’s compliance activities.
Regardless of the compliance structure, it is very difficult to develop policies and procedures for every applicable regulation and standard, train members of the workforce on those that apply to their roles, and monitor compliance with the policies and procedures – amending them and retraining the workforce when material, technology, or regulatory changes occur.
Consequently, it can be beneficial to outsource some compliance obligations to a third party organization that specializes in healthcare. A third party organization has the advantage of being able to take a holistic view of the organization’s activities and guide the those with the responsibility for compliance through the complexities – awarding a healthcare compliance certification when specific targets have been met, and providing organizations with the tools to maintain compliance thereafter.
Healthcare Compliance Certification FAQs
What is the primary purpose of the Health Insurance Portability and Accountability Act (HIPAA)?
The primary purpose of the Health Insurance Portability and Accountability Act was to reform the health insurance industry. Measures were added in Title II of HIPAA to prevent the cost of the reforms being passed onto employers and workers. The measures led to the creation of the HIPAA Administrative Simplification Regulations, which contain the privacy, Security, and Breach Notification Rules.
What are HIPAA covered entities?
HIPAA covered entities are health plans, health care clearinghouses, and healthcare providers that conduct electronic transactions for which the Department of Health and Human Services (HHS) has published standards. These entities must comply with all applicable regulations, standards, and implementation specifications in the HIPAA Administrative Simplification Regulations.
Why might healthcare providers consider obtaining HIPAA compliance certification?
Healthcare providers might consider obtaining HIPAA compliance certification as certification demonstrates a good faith effort to comply with applicable HIPAA standards. In this respect, HIPAA compliance certification can prove valuable if a provider is investigated for an alleged HIPAA violation or sanctioned for a breach of unsecured Protected Health Information (PHI).
How do Medicare Conditions for Participation relate to HIPAA standards?
Many Medicare Conditions for Participation align with HIPAA standards. For example, the requirement for patients to receive a Notice of Rights under Medicare is similar to the HIPAA standard relating to the Notice of Privacy Practices. Other conditions governing medical records’ security, workforce training, and emergency preparedness are also similar to HIPAA standards.
What is LEIE screening, and why is it significant for healthcare providers?
LEIE screening involves checking new and existing employees and/or contractors against the List of Excluded Individuals and Entities published by a state or federal Office of Inspector General. If a healthcare provider engages services from individuals or entities on a LEIE list, the healthcare provider can be subject to significant penalties plus risk exclusion from Medicare.
How do HIPAA training courses for individuals contribute to an understanding of HIPAA as a whole?
HIPAA training courses for individuals offer greater depth of knowledge than “catch-all” compliance courses and a more holistic perspective of HIPAA compared to employer training. HIPAA training courses for individuals can supplement foundational courses provided by covered entities, enhancing overall knowledge and application of HIPAA regulations.
What standards does OSHA require healthcare providers to comply with?
The standards OSHA requires healthcare providers to comply with include the specific standards relating to bloodborne pathogens, ionization radiation, and hazard communication. It is also important healthcare employers consider the OSHA General Duty clause and protect members of the workforce against foreseeable risks such as unsafe patient handling and workplace violence.
How can a business achieve OSHA compliance certification since OSHA does not provide one?
A business can achieve OSHA compliance certification by undergoing a compliance audit conducted by a third-party organization. The certification is a point-in-time accreditation, demonstrating a good faith effort to comply with federal and state safety and health regulations.
What are the benefits of OSHA compliance certification?
The benefits of OSHA compliance certification include a reduced risk of accidents, injuries, and illnesses, financial benefits (for example, lower insurance premiums) and fewer OSHA inspections. Additionally, being recognized as an OSHA-compliant employer can enhance recruitment efforts and reduce recruitment costs in an industry facing professional shortages.
What does HB 300 compliance consist of, especially for healthcare providers outside Texas?
HB 300 compliance consists of identifying differences between HIPAA and the Texas Health and Safety Code, developing policies and procedures that account for those differences, and training staff accordingly. For providers outside Texas, different policies might be needed for Texas citizens to account for the fewer permitted uses and disclosures and different breach notification rules.
What are the benefits of healthcare compliance certification for organizations?
The benefits of healthcare compliance certification for organizations include reducing the likelihood of data breaches and other security incidents; and, when these incidents do occur, a certificate of compliance shows a good faith effort to protect health information.
How does healthcare compliance certification impact patient confidence?
Healthcare compliance certification can positively impact patient confidence by assuring patients health information will remain confidential. When patients trust that their information is secure, they are more willing to share details with healthcare professionals. This openness allows healthcare professionals to make better diagnoses and treatment plans, resulting in improved patient outcomes.
What are some human challenges in healthcare compliance?
Human challenges in healthcare compliance include resistance from patients to cooperating with compliance-supporting procedures, cultural resistance to change within workforces, and a lack of skills among key employees to manage complex technologies. These challenges highlight the need for proper training and a supportive organizational culture to ensure compliance.
Why is keeping up with rapidly evolving healthcare regulations a challenge?
Keeping up with the quickly evolving healthcare regulations is a challenge because the constant changes require organizations to adapt working practices continually. Healthcare providers, especially those with limited resources, may find it difficult to train workforce members ahead of compliance deadlines or integrate regulations with new treatments, technologies, and care models.
How does overemphasis on compliance affect patient care?
An overemphasis on compliance can interrupt the flow of information and interfere with clinical processes. While it’s essential to comply with healthcare regulations to avoid violations and penalties, a delicate balance must be maintained. Too much focus on compliance might hinder the quality of patient care, demonstrating the need for a well-balanced approach.
How might individuals responsible for healthcare compliance adapt to future challenges?
Individuals responsible for healthcare compliance will need to be proactive, flexible, and prepared to adapt to new regulations and technologies. Future challenges may require investment in technology and resources, continuous staff training, and a strong culture of compliance. For organizations unable to adapt to future challenges quickly, it may be necessary to outsource some compliance activities.
How do compliance programs streamline operations within healthcare organizations?
Compliance programs streamline operations within healthcare organizations by creating a structured framework for adhering to regulations and standards. By identifying and resolving risks quickly, they allow for more efficient workflow and decision-making. The proactive approach helps prevent potential issues before they deteriorate into something more serious, ensuring that the organization operates smoothly and complies with all relevant healthcare regulations.
