Many vendors would like HIPAA certification to confirm they are fully compliant with HIPAA Rules and understand all aspects of the Health Insurance Portability and Accountability Act (HIPAA), but is it possible to obtain HIPAA certification to confirm HIPAA compliance?
What is HIPAA Certification?
In an ideal world, HIPAA certification would confirm that all aspects of HIPAA Rules are understood and being followed. If a third-party vendor such as a transcription company was HIPAA certified, it would make it easier for healthcare organizations looking for such a service to select an appropriate vendor.
Many companies claim they have been certified as HIPAA compliant or in some cases, that they are ‘HIPAA Certified’. However, ‘HIPAA Certified’ is a misnomer. There is no official, legally recognized HIPAA compliance certification process or accreditation.
There is a good reason why this is the case. HIPAA compliance is an ongoing process. An organization may be determined to be in compliance with HIPAA Rules today, but that does not mean that they will be tomorrow or at some point in the future.
Imagine a healthcare provider contracts a third-party HIPAA-compliance expert to assess its policies, procedures, and technology to ensure that HIPAA Rules have been followed to the letter. HIPAA certification would only mean that the organization is in compliance at the point of assessment. Changes in technology, policies, procedures, staffing, updates to HIPAA Rules, and business practices could all easily render such a certification invalid.
HIPAA Training and Certification
HIPAA does not require employees to complete any specific training program and obtain HIPAA certification, only that employees must be trained on HIPAA Rules and must confirm, in writing, that they have received HIPAA training. For HIPAA covered entities and business associates that means training has been provided “as necessary and appropriate for members of the workforce to carry out their functions.”
Since HIPAA Rules are complex, HIPAA training companies are often used. The companies employ HIPAA compliance experts who teach healthcare employees the aspects of HIPAA that are relevant to their role in the organization, such as the handling of protected health information and allowable uses and disclosures of PHI.
HIPAA requires covered entities to implement a security awareness and training program for all members of the workforce, and employees need only confirm in writing that this training has been provided. HIPAA certification for security awareness training is likewise not a requirement.
Any ‘certification’ issued will confirm that employees have completed training and potentially been tested on their knowledge of HIPAA Rules. That may be beneficial when seeking employment, but it is not recognized by any federal agency.
Third Party Audits Confirming HIPAA Compliance
It is common for potential business associates of HIPAA-covered entities to undergo audits by third-party HIPAA compliance experts to confirm that their products, services, policies, and procedures meet HIPAA standards. The audits are useful for peace of mind, as they confirm HIPAA compliance at the time they are performed. However, there are no officially recognized private consultants or companies that offer such services.
Even if HIPAA certifications are issued by external auditors and assessors they have no legal standing. Audits only confirm that technical, physical, and administrative safeguards and company policies and procedures meet HIPAA requirements at the time of the audit.
In the event of an OCR compliance audit you could provide HIPAA certifications as proof that you have implemented a HIPAA compliance program, but OCR states on its website that “Certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”