In a perfect world, HIPAA certification would ensure that all aspects of the HIPAA Rules are understood and being adhered to. If a third-party vendor such as a transcription company were HIPAA certified, it would be much simpler for healthcare groups seeking such a service to select an appropriate vendor.
Many companies state that they have been certified as HIPAA compliant or, in some instances, that they are ‘HIPAA Certified’. However, ‘HIPAA Certified’ is a misnomer. There is no authorized, legally recognized HIPAA compliance certification process or accreditation.
There is a good reason why this is so. HIPAA compliance is an ongoing process. An organization may be found to be in compliance with the HIPAA Rules today, but that does not mean that it will be tomorrow or at some point going forward.
Consider a case where a healthcare provider hires a third-party HIPAA compliance expert to review its policies, processes, and technology to ensure that the HIPAA Rules have been followed to the letter. A HIPAA certification would only mean that the group was in compliance at the point in time that the assessment took place. Changes in technology, policies, procedures, staffing, business practices, and the HIPAA Rules themselves could all easily render such a certification invalid.
Training and Certification for HIPAA
HIPAA does not require employees to complete any particular training program or obtain HIPAA certification, only that workers must be trained on the HIPAA Rules and must confirm, in writing, that they have received HIPAA training. For HIPAA covered entities and business associates, this means training has been conducted “as necessary and appropriate for members of the workforce to carry out their functions.”
Because the HIPAA Rules are complicated, specialist HIPAA training companies exist. These companies employ HIPAA compliance experts who train healthcare employees on the aspects of HIPAA that are relevant to their role in the organization, such as the handling of protected health information (PHI) and the permitted uses and disclosures of PHI.
HIPAA requires covered entities to conduct a security awareness and training program for all members of the workforce, although employees need only confirm in writing that this training has been provided. HIPAA certification for security awareness training is likewise not an obligation.
Any ‘certification’ issued will state that employees have been given training and potentially been tested on their knowledge of the HIPAA Rules. That may be useful when seeking employment, but it is not recognized by any federal agency.
HIPAA Compliance Confirmed by Third Party Audits
Potential business associates of HIPAA-covered entities often undergo audits by third-party HIPAA compliance experts to confirm that their products, services, policies, and procedures meet HIPAA standards. The audits are useful for reassurance, as they confirm HIPAA compliance at that point. However, there are no officially recognized private consultants, companies, or official bodies that offer such services.
Even if HIPAA certifications are provided by external auditors and assessors, they have no legal basis. Audits only confirm that technical, physical, and administrative security measures and company policies and procedures met HIPAA requirements at the time that the audit took place.
If you undergo an OCR compliance audit, you could provide HIPAA certifications as evidence that you have implemented a HIPAA compliance program, but OCR confirms on its website that “Certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”