What exactly is HIPAA certification?
The regulatory landscape of America’s health industry can be quite confusing, with thousands of pages of laws, hundreds of required forms, mandated training, and certification processes, figuring out all the necessary steps to compliance may be overwhelming. The point of much of this confusion is “HIPAA certification,” offered by dozens of private security and health companies across the country.
HIPAA certification should not be confused with legally recognized (and oftentimes, required) forms of certification for health professionals. There are indeed a multitude of certifications that health professionals must complete to comply with federal laws. One example of legally mandated certification is the Security Awareness and Training program, a compliance requirement that 100% of Department of Health and Human Resources employees and contractors must complete on an annual basis.
This is entirely separate requirement from HIPAA’s stipulations however, and only applies to a small subset of healthcare professionals. HIPAA certifications are an entirely different affair.
So, what is HIPAA certification, which entities should get certified, and is it required? These are some of the questions we will address in this article.
What is HIPAA Certification?
Provided by a myriad of private companies in the health sector, HIPAA certification comes in many shapes and sizes. At its most basic, HIPAA “certification” is a third-party process meant to aid your organization’s HIPAA compliance. It may be an evaluation of your organization’s HIPAA compliance, as per the Security Rule found in section 164 of the Act, or it may be a “boot camp” training seminar for individuals within your workforce. There is also specialized Army HIPAA training.
Despite sounding quite official, HIPAA certification is not a legally recognized process by the United States government, and does not absolve your organization from any of the HIPAA requirements found in the Privacy and Security Rules.
According to the HHS website: …there is no standard or implementation specification that requires a covered entity to ‘certify’ compliance. Source: HHS
In short, your organization is not required to receive any HIPAA “certification.”
As per the Security Rule of HIPAA’s section 164, covered entities are required to conduct periodic assessments of their compliance and effectiveness of security measures. Because it is not a requirement for all of these assessments to be conducted internally, covered entities may choose to hire an external organization to conduct these assessments.
Another requirement of the Security Rule is compliance training for all employees and subcontractors. Once more, while this can be conducted internally, your organization may choose to outsource training by “certifying” its employees and contractors.
Should My Organization Become HIPAA “Certified?”
This decision is entirely up to your organization. Once again, there is no requirement to do so, and it does not absolve your organization of any of its responsibilities in accordance to HIPAA.
Many healthcare professionals have spoken out against these for-profit certification processes. One of the main criticisms leveled at HIPAA “certification” companies is that no single person can completely address all parts of HIPAA for your organization.
Security experts suggest a more wholesome approach, which includes outsourcing security needs to reputable technology companies, building the necessary internal infrastructure for ensuring compliance, and keeping up-to-date with latest developments by attending conferences and seminars.
There are, however, several reasons why your organization may want to receive a third-party certification for HIPAA.
Reasons for receiving a HIPAA Certification
Whether you are an established organization that has been conducting compliance assessments for some time, or a brand new organization exploring its options, it may be beneficial to use the services of a certification company to aid your efforts. The following is a short list of possible reasons why you may want to use a third-party HIPAA certification.
Outsourcing Compliance Reports
One of HIPAA’s Security Rule requirements is the periodic assessment of your organization’s compliance. This assessment must be documented and kept on file in the case of an audit.
In certain situations, it may make more sense to hire a third-party entity to conduct an assessment of your HIPAA compliance, especially if your organization does not have the internal infrastructure for conducting wholesome periodic reports.
It must be noted once more, however, these certifications do not decrease your organization’s liability, and they do not preclude the possibility of a privacy violation being discovered in an audit. As such, your organization must conduct proper due diligence to ensure that the compliance assessments are wholesome and cover all the requirements outlined in the Privacy and Security Rules of HIPAA.
Outsourcing Employee Training
While individual HIPAA certification does not replace the need for training on internal policies and regulations, it may satisfy the Security Training and Awareness requirement of HIPAA. Once again, proper due diligence must be done to ensure that individual certification meets your compliance requirements.
Ensuring Effectiveness of Internal Measures
Another reason that your organization may choose to certify is to ensure that its own infrastructure for conducting periodic assessments is up to the industry standard. In this scenario, you would be receiving a certification not as a replacement for your periodic security assessments, but rather as a third-party audit of your organization’s established practices.
If for example, your compliance reporting has been conducted internally for several years, it may be beneficial for a “fresh set of eyes” to look into your privacy practices.
Furthermore, third-party certification services are more likely to be informed of the latest developments in health privacy and security than your internal team, and can aid you’ your internal compliance process to ensure all of your practices are up-to-date and effective.
Depending on the sort of organization you are a part of, it may be beneficial to receive a third-party HIPAA certification for marketing purposes.
If you are a medical or healthcare professional looking for employment, certification may bolster your resume.
Patients concerned about privacy may have their stresses allayed if your organization can show that it has taken additional steps to ensure the safety of their PHI.
If your organization is a software vendor that aids in the transmission or storage of ePHI, covered entities may be more comfortable conducting business with you if you have received third-party certifications. Note, however, many experts in the IT field have spoken against the need to certify specifically for HIPAA. Since HIPAA is more of a general guideline than a list of specific practices, software vendors are recommended to focus on more specific, technical security certifications.
If you are a clearinghouse or health service bureau looking to gain the business of health care professionals, a third-party certification will look more impressive than an unsubstantiated claim about HIPAA compliance.
Final thoughts on HIPAA certification
Many healthcare professionals would try to dissuade your organization from paying for HIPAA “certification.” Their criticisms of these for-profit ventures are not unfounded, but they are overblown. There are several good reasons for receiving a third-party HIPAA certification, even if it is not necessary.