What is HIPAA Certification?

Share this article on:

A frequently asked question in the healthcare industry is what is HIPAA certification; for although there is no standard or implementation specification within HIPAA that requires Covered Entities or Business Associate to certify compliance, several third-party organizations offer HIPAA certification services.

What is HIPAA Certification?

Although there is no official HHS-mandated HIPAA certification process or accreditation, it would be beneficial if there was. A HIPAA compliance certification could demonstrate that a Covered Entity or Business Associate understands and complies with HIPPA regulations – thus, for example, saving Covered Entities a considerable amount of time conducting due diligence on prospective vendors.

Nonetheless, despite there being no requirement for HIPAA certification, some companies claim to be certified as HIPAA compliant. What this means is they have passed a third-party organization´s HIPAA compliance program and implemented mechanisms to maintain compliance. In the absence of a program endorsed by the Department of Health and Human Services (HHS), this is the next best thing.

Why there is No HHS-Endorsed HIPAA Certification

The Department of Health and Human Services does not endorse any type of HIPAA certification because HIPAA compliance is an on-going progress. A HIPAA certified company may have passed a third-party organization´s HIPAA compliance program and implemented mechanisms to maintain compliance, but that is no guarantee the company will remain HIPAA compliant in the future.

There are multiple reasons why a company may not remain HIPAA compliant in the future. It may change the technologies it uses or the ways in which technologies are used. It may change business objectives, operational procedures, or change staff management policies. Any of these changes might invalidate a HIPAA certification – notwithstanding that HIPAA regulations may also change in the future.

HIPAA Training and Certification

HIPAA does not require employees to complete any specific training program and obtain HIPAA certification. However it is necessary for HIPAA training to be provided “as necessary and appropriate for members of the workforce to carry out their functions.” It is also necessary for the date and nature of the training to be documented, and the documentation maintained for at least six years.

Since HIPAA Rules are complex and far-reaching, HIPAA training companies are often used as an alternative to in-house training. The training companies employ HIPAA compliance experts to train employees on the aspects of HIPAA relevant to their roles – such as the correct ways of handling protected health information (PHI), and allowable uses and disclosures of PHI.

One of the benefits to Covered Entities of using a third-party HIPAA training company is that, at the successful conclusion to a training course, they are issued with a HIPAA certification to verify and validate that employees have attended a HIPAA training course. While the certification may not be endorsed by the HHS, it will be beneficial to the Covered Entity in the event of a HIPAA audit.

Third Party Audits Confirming HIPAA Compliance

With regards to HIPAA audits, it is important to note the HHS states on its website that “Certifications do not absolve Covered Entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”

Nonetheless, it is common for potential Business Associates of HIPAA Covered Entities to undergo audits by third party HIPAA compliance experts in order to confirm that their products, services, policies, and procedures meet HIPAA standards. The audits are useful for Covered Entities´ peace of mind as they confirm HIPAA compliance at the time the audit was conducted.

However, for Business Associates unfamiliar with the far-reaching complexities of HIPAA, it is likely they will require help to become compliant. For this reason, it can be important to select a third-party organization that not only offers HIPAA certification services, but one that can help Business Associates implement effective HIPAA compliance programs.

HIPAA Certification FAQ

I understand why a business can´t be HIPAA certified, but what about software?

It is not possible for software to be certified as HIPAA compliant because, while it is possible for software to have HIPAA-compliant capabilities, the way the capabilities are used determine compliance. It is also important to note the distinction between HIPAA compliant software and HIPAA compliance software.

Some sources claim there is such a thing as HIPAA certification. What does HHS say?

HHS states there is no requirement in HIPAA for a Covered Entity to be certified as compliant and warns Covered Entities to be aware of misleading marketing claims suggesting education providers or material is endorsed by HHS or OCR. Furthermore, while a certificate of competency demonstrates a knowledge of HIPAA, it does not absolve a Covered Entity of its compliance obligations.

Why might some Covered Entities claim to be HIPAA certified if there is no such thing?

Covered Entities might claim they are HIPAA certified if they – or their employees – have undergone HIPAA compliance training and received a certificate stating they have completed a training course. While certification of this nature shows the Covered Entity has fulfilled the HIPAA training requirements, it does not guarantee compliance with HIPAA.

What is the difference between a third party audit and an HHS audit?

A third party audit checks a Covered Entity´s HIPAA compliance and, if lapses in compliance are found, the Covered Entity has an opportunity to address them. If lapses in compliance are found during an HHS audit, the Covered Entity may be fined – even if there has been no unauthorized use or disclosure of PHI. Consequently, the cost of a third party audit can be a sound investment.

What is the cost of a third party compliance audit?

This will depend on the size of a Covered Entity or Business Associate and the nature of operations. For example, the cost of a third party audit for a major healthcare group is going to be significantly more than the cost to a sole-trader insurance broker who handles a limited number of healthcare claims each year.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On