What is HIPAA Certification?

HIPAA certification has two meanings. It can either be a point in time accreditation demonstrating an organization has passed a HIPAA compliance audit, or a recognition that members of the organization's workforce have achieved the level of HIPAA knowledge required to comply with the organization's policies and procedures. Both are useful accreditations to have.

There are two things organizations and their workforces should be aware of before undertaking a HIPAA certification program. There are no requirements in HIPAA for organizations and/or their workforces to certify compliance, and certification is not a “get out of jail free card” that will absolve negligent parties from HIPAA violations. So why get certified?

Why Get Certified as being HIPAA Compliant?

The first reason for getting certified is that, in order to achieve an accreditation, organizations will have to adopt best privacy practices and implement the administrative, technical, and physical safeguards of the HIPAA Security Rule. This in itself will reduce the likelihood of HIPAA violations and data breaches – leading to a reduction in patient complaints and OCR investigations.

If – despite achieving an accreditation – a violation still occurs that results in an OCR investigation, a certificate of HIPAA compliance demonstrates “a reasonable amount of care to abide by the HIPAA Rules”. This can be the difference between a HIPAA violation being classified as a Tier 1 violation (minimum penalty per violation $120) and a Tier 2 violation (minimum penalty per violation $1,205).

Finally, for Business Associates, and Covered Entities that act as Business Associates for other Covered Entities, HIPAA certification demonstrates an intention to operate compliantly – making an organization's services more attractive and reducing the amount of due diligence required before a Covered Entity and Business Associate enter into a Business Associate Agreement.

The Benefits of Workforce Certification

Certifying that an organization's workforce is HIPAA compliant can have similar benefits to those mentioned above inasmuch as a compliant workforce is less likely to violate HIPAA or make mistakes that could result in data breaches. Similarly, achieving workforce HIPAA certification demonstrates a reasonable amount of care to abide by the HIPAA Rules in the event of an OCR investigation or audit.

For individual members of the workforce, HIPAA certification can help foster patient trust, support applications for promotion, and increase prospects in the job market. However, it is what workforce members learn during a certification program that can have the biggest impact on their professional lives, as this can help prevent unintentional violations that can have significant consequences.

Unintentional violations of HIPAA can be attributable to a lack of knowledge, shortcuts being taken “to get the job done”, or because a cultural norm of noncompliance has been allowed to develop. Whatever the reason, violations of HIPAA can result in sanctions ranging from written warnings to loss of professional accreditation – sanctions that can be avoided by applying the information learned during a certification program.

HIPAA Certification Requirements for Covered Entities

In order for a Covered Entity to be certified as HIPAA compliant, third-party compliance experts will review seven areas of compliance:

  • Compliance with the administrative, technical, and physical safeguards of the HIPAA Security Rule. This includes (but is not limited to) an asset and device audit, an IT risk analysis questionnaire, a physical site audit, a security standards audit, a privacy standards audit, and a HITECH Subtitle D privacy audit.
  • Remediation plans to address gaps identified in the above audits.
  • Policies and procedures to address HIPAA regulatory compliance and document a “good faith” effort towards compliance.
  • An employee training program that includes employee understanding of the above policies and procedures.
  • A documentation audit to ensure the documentation required by HIPAA is maintained and accessible.
  • Business Associate Agreement management and due diligence procedures.
  • Incident management procedures in the event of a data breach or reportable violation of HIPAA.

Because of the processes involved in auditing compliance with the HIPAA Security Rule, the HIPAA certification requirements cannot be fulfilled overnight. It is also impossible to put a timeframe on how long it may take to achieve HIPAA certification without knowing what gaps might be identified during the audit processes and the nature of the remediation plans required to address them.

HIPAA Certification Requirements for Business Associates

The HIPAA certification requirements for Business Associates are much the same as above but tailored to the nature of services provided for Covered Entities. One important point to note is that 45 CFR § 164.308(a)(5) stipulates a security awareness and training program must be implemented for all members of the workforce (including management) – not just those involved in the provision of a service to a Covered Entity.

It is common for potential Business Associates of HIPAA Covered Entities to undergo audits by third party HIPAA compliance companies in order to confirm that their products, services, policies, and procedures meet HIPAA standards. The audits are useful for Covered Entities' peace of mind as they confirm HIPAA compliance at the time the audit was conducted.

However, for Business Associates unfamiliar with the far-reaching complexities of HIPAA, it is likely they will require help to become compliant. For this reason, it can be important to select a third-party HIPAA compliance company that not only offers HIPAA certification services, but also helps Business Associates implement effective HIPAA compliance programs.

HIPAA Certification for Healthcare Workers

HIPAA certification for healthcare workers demonstrates an understanding of HIPAA beyond that provided by “policy and procedure” training required by 45 CFR § 164.530. This is because the content of certification programs for healthcare workers fills the gaps created by resource-limited Covered Entities when HIPAA training is provided to new members of the workforce.

This means, rather than only learning about HIPAA in the context of a Covered Entity's HIPAA policies and procedures “as necessary and appropriate for members of the workforce to carry out their functions”, healthcare workers obtain a deeper understanding of the Privacy and Security Rules, the reasons why the Rules exist, and what they can do to be HIPAA-compliant employees.

Consequently, all healthcare workers (and other members of the workforce when appropriate) receive a comprehensive education on frequently-violated HIPAA standards such as patients' rights, the minimum necessary standard, and allowable uses and disclosures. This education ensures healthcare workers avoid unintentional violations of HIPAA due to a lack of knowledge.

HIPAA Certification FAQs

Why is HIPAA certification described as a “point in time” accreditation?

This is because HIPAA compliance is an ongoing process. A HIPAA certified organization may have passed a third-party company's HIPAA compliance program and implemented mechanisms to maintain compliance, but that is no guarantee the organization will remain compliant in the future. Therefore, HIPAA certification should be considered an initial objective and then an ongoing task.

Can software be certified as HIPAA compliant?

It is not possible for software to be certified as HIPAA compliant because, while it is possible for software to have HIPAA-compliant capabilities, the way those capabilities are configured and used determines compliance with the HIPAA Rules. It is also important to note the distinction between HIPAA compliant software (software whose capabilities can support compliance when used correctly) and HIPAA compliance software (software used to manage a compliance program).

What does HHS say about HIPAA certification?

The Department of Health and Human Services (HHS) states there is no requirement in HIPAA for a Covered Entity or Business Associate or healthcare worker to be certified as compliant and warns organizations to be aware of misleading marketing claims suggesting compliance programs or material is endorsed by HHS or the Office for Civil Rights (OCR).

What is the difference between a third party audit and an HHS audit?

A third party audit checks a Covered Entity's HIPAA compliance and, if lapses in compliance are found, the Covered Entity has an opportunity to address them. If lapses in compliance are found during an HHS audit, the Covered Entity may be fined – even if there has been no unauthorized use or disclosure of PHI. Consequently, the cost of a third party audit can be a sound investment.

What is the cost of a third party compliance audit?

This will depend on the size of a Covered Entity or Business Associate and the nature of operations. For example, the cost of a third party audit for a major healthcare group is going to be significantly more than the cost to a sole-trader insurance broker who handles a limited number of healthcare claims each year.

How long does HIPAA certification for Covered Entities and Business Associates last?

HIPAA certification indicates that a Covered Entity or Business Associate has passed a third-party company's HIPAA compliance program and “at that point in time” was HIPAA compliant. As soon as that point in time has passed, a HIPAA certification is no guarantee of compliance. Therefore, HIPAA certification has no defined validity period. Consequently, a best practice is to conduct regular audits.

How long does HIPAA certification for healthcare workers last?

This depends on whether the certification has been achieved independently or as part of an employer's training program. If the former, the “point in time” principle applies. If the latter, the certification should be retained for six years in compliance with the HIPAA documentation requirements. It is also recommended refresher training is provided at least annually.

How does HIPAA certification help foster patient trust?

One of the most important elements of a patient/healthcare professional relationship is trust. When patients are confident their privacy is being respected, this will help foster trust – which contributes to the delivery of better care in order to achieve optimal health outcomes. Better patient outcomes raise the morale of healthcare professionals and result in a more rewarding work experience.

Why might a healthcare professional lack knowledge of HIPAA?

Covered Entities are only required to provide training relevant to a healthcare professional's role. When a healthcare professional transfers to a new role – or is asked to substitute for a colleague in a different role – they may not immediately have the level of HIPAA knowledge relevant to the role they are performing, potentially resulting in unintentional HIPAA violations.

How are cultural norms of noncompliance allowed to develop?

Many Covered Entities lack the resources to monitor HIPAA compliance 24/7 and it is not unusual for busy healthcare workers to take shortcuts with HIPAA compliance “to get the job done”. If shortcuts become a regular occurrence, they develop into a cultural norm of noncompliance. This is why it is important for Covered Entities to provide refresher HIPAA training at least annually.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.