Share this article on:
A frequently asked question in the healthcare industry is what is HIPAA certification; for although there is no standard or implementation specification within HIPAA that requires Covered Entities or Business Associate to certify compliance, several third-party organizations offer HIPAA certification services.
What is HIPAA Certification?
Although there is no official HHS-mandated HIPAA certification process or accreditation, it would be beneficial if there was. A HIPAA compliance certification could demonstrate that a Covered Entity or Business Associate understands and complies with HIPPA regulations – thus, for example, saving Covered Entities a considerable amount of time conducting due diligence on prospective vendors.
Nonetheless, despite there being no requirement for HIPAA certification, some companies claim to be certified as HIPAA compliant. What this means is they have passed a third-party organization´s HIPAA compliance program and implemented mechanisms to maintain compliance. In the absence of a program endorsed by the Department of Health and Human Services (HHS), this is the next best thing.
Why there is No HHS-Endorsed HIPAA Certification
The Department of Health and Human Services does not endorse any type of HIPAA certification because HIPAA compliance is an on-going progress. A HIPAA certified company may have passed a third-party organization´s HIPAA compliance program and implemented mechanisms to maintain compliance, but that is no guarantee the company will remain HIPAA compliant in the future.
There are multiple reasons why a company may not remain HIPAA compliant in the future. It may change the technologies it uses or the ways in which technologies are used. It may change business objectives, operational procedures, or change staff management policies. Any of these changes might invalidate a HIPAA certification – notwithstanding that HIPAA regulations may also change in the future. Therefore HIPAA certification should be considered an initial objective and then and ongoing task.
HIPAA Training and Certification
HIPAA does not require employees to complete any specific training program and obtain HIPAA certification. However it is necessary for HIPAA training to be provided “as necessary and appropriate for members of the workforce to carry out their functions.” It is also necessary for the date and nature of the training to be documented, and the documentation maintained for at least six years.
Since HIPAA Rules are complex and far-reaching, HIPAA training companies are often used as an alternative to in-house training. The training companies employ HIPAA compliance experts to train employees on the aspects of HIPAA relevant to their roles – such as the correct ways of handling protected health information (PHI), and allowable uses and disclosures of PHI.
One of the benefits to Covered Entities of using a third-party HIPAA training company is that, at the successful conclusion to a training course, they are issued with a HIPAA certification to verify and validate that employees have attended a HIPAA training course. While the certification may not be endorsed by the HHS, it will be beneficial to the Covered Entity in the event of a HIPAA audit.
HIPAA Certification Requirements for Covered Entities
In order to be certified as HIPAA compliant, third-party compliance experts will review seven areas of compliance:
- Compliance with the administrative, technical, and physical safeguards of the HIPAA Security Rule. This includes (but is not limited to), an asset and device audit, an IT risk analysis questionnaire, a physical site audit, a security standards audit, a privacy standards audit, and HITECH Subtitle D privacy audit.
- Remediation plans to address gaps identified in the above audits.
- Policies and procedures to address HIPAA regulatory compliance and document a “good faith” effort towards compliance.
- An employee training program that includes employee understanding of the above policies and procedures.
- A documentation audit to ensure the documentation required by HIPAA is maintained and accessible.
- Business Associate Agreement management and due diligence procedures.
- Incident management procedures in the event of a data breach or reportable violation of HIPAA.
Because of the processes involved in auditing compliance with the HIPAA Security Rule, the HIPAA certification requirements cannot be fulfilled overnight. It is also impossible to put a timeframe on how long it may take to achieve HIPAA certification without knowing what gaps might be identified during the audit processes and the nature of the remediation plans required to address them.
HIPAA Certification for Healthcare Workers
HIPAA certification for healthcare workers and other Covered Entity employees is different from HIPAA certification for Covered Entities inasmuch as an individual´s certification means they have completed a HIPAA training course to the standards required by the HIPAA privacy and Security Rules.
Furthermore, HIPAA certification for healthcare workers is an attestation that employees have read and understood the training materials provided to them. In this respect, documented HIPAA certification for healthcare workers limits Covered Entity liability in the event of a HIPAA violation or data breach caused by employee misconduct or data breach
Engaging Video Training
HIPAA Certification for Staff
Flexible and Convenient Self-paced Learning
Full Access to
Third Party Audits Confirming HIPAA Compliance
With regards to HIPAA audits, it is important to note the HHS states on its website that “Certifications do not absolve Covered Entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”
Nonetheless, it is common for potential Business Associates of HIPAA Covered Entities to undergo audits by third party HIPAA compliance experts in order to confirm that their products, services, policies, and procedures meet HIPAA standards. The audits are useful for Covered Entities´ peace of mind as they confirm HIPAA compliance at the time the audit was conducted.
However, for Business Associates unfamiliar with the far-reaching complexities of HIPAA, it is likely they will require help to become compliant. For this reason, it can be important to select a third-party organization that not only offers HIPAA certification services, but one that can help Business Associates implement effective HIPAA compliance programs.
HIPAA Certification FAQ
I understand why a business can´t be HIPAA certified, but what about software?
It is not possible for software to be certified as HIPAA compliant because, while it is possible for software to have HIPAA-compliant capabilities, the way the capabilities are used determine compliance. It is also important to note the distinction between HIPAA compliant software and HIPAA compliance software.
Some sources claim there is such a thing as HIPAA certification. What does HHS say?
HHS states there is no requirement in HIPAA for a Covered Entity to be certified as compliant and warns Covered Entities to be aware of misleading marketing claims suggesting education providers or material is endorsed by HHS or OCR. Furthermore, while a certificate of competency demonstrates a knowledge of HIPAA, it does not absolve a Covered Entity of its compliance obligations.
Why might some Covered Entities claim to be HIPAA certified if there is no such thing?
Covered Entities might claim they are HIPAA certified if they – or their employees – have undergone HIPAA compliance training and received a certificate stating they have completed a training course. While certification of this nature shows the Covered Entity has fulfilled the HIPAA training requirements, it does not guarantee compliance with HIPAA.
What is the difference between a third party audit and an HHS audit?
A third party audit checks a Covered Entity´s HIPAA compliance and, if lapses in compliance are found, the Covered Entity has an opportunity to address them. If lapses in compliance are found during an HHS audit, the Covered Entity may be fined – even if there has been no unauthorized use or disclosure of PHI. Consequently, the cost of a third party audit can be a sound investment.
What is the cost of a third party compliance audit?
This will depend on the size of a Covered Entity or Business Associate and the nature of operations. For example, the cost of a third party audit for a major healthcare group is going to be significantly more than the cost to a sole-trader insurance broker who handles a limited number of healthcare claims each year.
How long does HIPAA certification last?
As mentioned above, HIPAA certification indicates that a Covered Entity has passed a third-party organization´s HIPAA compliance program and “at that point in time” was HIPAA compliant. As soon as that point in time has passed, HIPAA certification is no guarantee of compliance. Therefore, HIPAA certification has no lifespan.