HIPAA Certification Explained
In a perfect world, HIPAA certification would prove that all parts of the HIPAA Rules are understood and being complied with. If a third-party vendor such as a transcription company were HIPAA certified, it would make it easier for healthcare groups seeking such a service to select an appropriate vendor.
Many companies believe they have been certified as HIPAA compliant or, in some instances, that they are ‘HIPAA Certified’. However, ‘HIPAA Certified’ does not mean anything. There is no official, legally recognized HIPAA compliance certification process or accreditation.
This is because HIPAA compliance is a constant process. A group may be deemed HIPAA compliant today, but that does not mean it will be tomorrow or at some point down the line.
For instance, a healthcare provider may hire a third-party HIPAA compliance expert to review its policies, procedures, and technology to ensure that the HIPAA Rules have been fully complied with. HIPAA certification would only mean that the group is in compliance at the precise point of assessment. Changes in technology, policies, procedures, staffing, business practices, and updates to the HIPAA Rules could all easily render such a certification meaningless.
Training and Certification for HIPAA
HIPAA does not require workers to complete any particular training program or obtain HIPAA certification, only that employees be trained on the HIPAA Rules and confirm, in writing, that they have received HIPAA training. For HIPAA covered groups and business associates, that means training has been given “as necessary and appropriate for members of the workforce to carry out their functions.”
Since HIPAA Rules are complicated, HIPAA training companies are often hired. The companies contract HIPAA compliance experts who teach healthcare employees the aspects of HIPAA that are relevant to their role in the group, such as the handling of protected health information and allowable uses and sharing of PHI.
HIPAA requires covered groups to put in place a security awareness and training program for all their staff, although employees need only confirm in writing that such training has been provided. HIPAA certification for security awareness training is likewise not required.
Any ‘certification’ issued will confirm that employees have completed training and potentially been examined on their knowledge of HIPAA Rules. That may be an advantage when seeking employment, but it is not recognized by any federal agency.
Confirming HIPAA Compliance with Third Party Audits
It is typical for potential business associates of HIPAA-covered groups to have audits completed by third-party HIPAA compliance experts to confirm that their products, services, policies, and procedures adhere to HIPAA standards. The audits are valuable for peace of mind, as they confirm HIPAA compliance. However, there is no body that officially recognizes private consultants or companies that offer services such as these.
Even when HIPAA certifications are granted by external auditors and assessors, they have no legal basis. Audits only show that technical, physical, and administrative safeguards and company policies and procedures adhered to HIPAA requirements at the time of the audit.
If you are subjected to an OCR compliance audit, you could supply the HIPAA certifications as evidence that you have put in place a HIPAA compliance program, but OCR states on its website that “Certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”