HIPAA Compliance Certification – Really?


HIPAA compliance certification … what is it, who provides it, and who gets it? The issuer of a HIPAA compliance certificate is always a private party or organization. In that sense, it is never “official.” The Office for Civil Rights (OCR) is clear that it does not endorse any HIPAA certification, and holding one does not prevent you from being audited.

Question: Are we required to “certify” our organization’s compliance with the standards of the Security Rule?

Answer: No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. (HHS)

The security and confidentiality of medical records are of the utmost importance to both patients and healthcare organizations, so it is imperative to ensure your organization is HIPAA compliant. The Health Insurance Portability and Accountability Act (HIPAA) is a law that provides data privacy and security for keeping medical records secure. HIPAA compliance is required for covered entities and business associates. Within the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) has the responsibility of enforcing HIPAA regulations.

You may have heard of HIPAA compliance certification, and you may wonder whether it can be beneficial for your organization. However, you should be wary of firms promising certification to protect you from audits.

Although nothing can prevent a healthcare organization from an audit, there are steps you can take to be sure your organization is HIPAA compliant and has the documentation to prove it. You may want to start by reviewing this HIPAA compliance checklist.


Why doesn’t the OCR endorse HIPAA certification?

It would be ideal if a healthcare organization or business associate could obtain a government-endorsed HIPAA certification that guaranteed permanent HIPAA compliance. Unfortunately, it’s not so simple. The HIPAA rules are complex and often updated, and the organization itself changes over time, requiring new procedures to be implemented in order to remain compliant.

HIPAA compliance is therefore an ongoing process. You can’t complete a certification on a given day and assume you are finished. Staying compliant requires constant checks to be sure healthcare providers and business associates continue to meet the rules.

An organization may be found compliant initially, but this does not mean it will remain so. Let’s say you have been found compliant and received a certificate from a vendor offering HIPAA Risk Analysis compliance services or assessments. This only establishes that you were compliant up to that date. As soon as there are staffing changes, new software, updates to the HIPAA rules, or new procedures, your organization is once again in need of a new assessment.


Are third-party HIPAA compliance certifications beneficial?

Third-party certification resulting from an audit may be useful for demonstrating that an organization is taking concrete steps toward continually meeting HIPAA standards. However, such an audit only confirms that the organization met the regulations on the day of the audit. Any certificate awarded from a third-party audit is not legally binding and will not prove that you have maintained HIPAA compliance after the audit.


What can you do to be HIPAA compliant?

First, you should be familiar with the five main HIPAA administrative rules and the HITECH Act. The HITECH Act deals with the privacy of electronic health records (EHR) and patients’ rights to obtain them. The HIPAA rules are the following:

  • Privacy rule.
  • Transactions and code set rule.
  • Security rule.
  • Unique identifiers rule.
  • Enforcement rule.

Second, you can work with a trusted consulting firm that has expertise in HIPAA Risk Assessments and compliance. HIPAA regulations are complex and updated frequently, so it’s best to work with subject matter experts who can make sure your organization is doing all that it can to follow them. We recommend a third-party audit to complete a HIPAA risk assessment.

It’s more important than ever to ensure you are meeting HIPAA regulations. In 2018, the OCR collected $28,683,400 in fines, a 22% increase over the fines collected in 2017. Make sure your organization is not on that list this year!
