If you have done any research about HIPAA compliance for your practice, you have likely come across many sites offering to make you "HIPAA certified." This can create confusion: who can be HIPAA certified, what does becoming certified involve, and does it mean anything?
In this post, we will clear up the confusion that has been created by many vendors concerning HIPAA certification. We will also discuss what certification is and isn’t as it relates to the small practice.
Strap your seat belts on as we dive into what is sure to make a lot of vendors unhappy.
How to become HIPAA certified
Let’s start with the source of HIPAA regulations, the Department of Health and Human Services (HHS).
“there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, the performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”
Source: HHS website
In other words, HHS does not recognize ANY HIPAA certification, of any type, as evidence of a Covered Entity’s or Business Associate’s compliance.
But wait, that can’t be right, can it? I see vendors online offering to certify me for HIPAA.
If a vendor is offering to certify your practice’s HIPAA compliance, that certification carries no regulatory standing and should be avoided. It will give you a false sense of compliance. In addition, if you choose to be certified by one of these vendors, it does not absolve you of your legal responsibility under HIPAA regulations, and it does not prevent HHS from later finding a violation.
Is HIPAA certification required by law?
No. While HIPAA regulations do require that workforce training be performed (and documented), there is no requirement that a Covered Entity or Business Associate be HIPAA certified. Be careful with any vendor that uses "required certification" as a tactic to push their services.
Are there any “real” HIPAA certifications?
Yes, there are training certifications. In the IT field there are certifications for nearly every service or product, and HIPAA is no exception. Several vendors offer healthcare security and healthcare privacy certifications. In addition, vendors may offer training on HIPAA regulations that certifies a person as having taken their training and passed a test. Do not confuse these with compliance, however: holding any of these certifications does not, by itself, make your practice compliant. It simply certifies that a person understood the material well enough to pass an exam.
Are there any good reasons for receiving HIPAA certifications?
Due to the complexity of HIPAA regulations, many practices find it helpful to outsource some of their compliance work to third parties. This is often quicker and more efficient for practices, especially those that don’t have the personnel or expertise to perform everything in house. In that context, a vendor’s certifications can be a useful signal that its staff know the material, even though they say nothing about your practice’s compliance.
Performing a Risk Assessment (the risk analysis the Security Rule requires) can be technically challenging for practices. This is especially true since the assessment must be objective to be effective. It’s easy for practices to overlook weak areas of their own operation when assessing themselves. This is why many practices outsource the Risk Assessment to third parties who have the expertise to find the areas that need to be addressed.
Threats such as phishing are always evolving, and training must be kept current to reflect those changes. Canned HIPAA training that hasn’t been updated cannot address new or evolving threats. That’s why practices often outsource their training to vendors who specialize in keeping practices up to date.
HIPAA compliance reports
Showing proof of HIPAA compliance requires quite a bit of documentation. Each change made to the network, such as adding a new computer or switching your internet service provider, must be documented. When an employee is hired or terminated, and when they receive training, this must also be recorded in the practice’s HIPAA documentation. These and many other records are why many practices outsource their HIPAA compliance reporting.
Don’t be fooled by third-party vendors who promise to certify your practice’s HIPAA compliance. While certifications do exist attesting that a service was performed or that training was completed, no vendor can certify that your practice is HIPAA compliant. HHS does not recognize any third-party certification, and none of them shift your legal obligations elsewhere.