Many businesses are seeking HIPAA certification to confirm they are fully compliant with HIPAA rules and understand all parts of the Health Insurance Portability and Accountability Act (HIPAA). As a result, many are asking: is it possible to obtain HIPAA certification?
In a perfect world, HIPAA certification would confirm that all parts of the HIPAA rules are understood and being complied with. If a third-party company such as a transcription company were HIPAA certified, it would be simpler for healthcare groups looking for such a service to select an appropriate provider.
Many companies believe they have been certified as HIPAA compliant or, in some instances, that they are ‘HIPAA Certified’. However, ‘HIPAA Certified’ is a misleading term. There is no registered, legally recognized HIPAA compliance certification process or accreditation.
The reason for this is easy to understand. HIPAA compliance is a constant process. A group may be determined to be in compliance with HIPAA Rules currently, but that does not mean that they will be at all points in the future.
HIPAA certification could only mean that the group is in compliance at the point of being assessed. Changes in technology, policies, procedures, staffing, HIPAA rules, and business practices could all make such a certification invalid.
Training and Certification for HIPAA
HIPAA does not oblige employees to complete any specific training program or be awarded HIPAA certification; it requires only that they be trained on HIPAA rules and confirm, in writing, that they have been given HIPAA training. For HIPAA covered entities and business associates that means training has been given “as necessary and appropriate for members of the workforce to carry out their functions.”
Since HIPAA rules are complicated, HIPAA training companies are often hired. The companies contract HIPAA compliance experts who teach healthcare staff the aspects of HIPAA that are relevant to their role in the organization – such as the handling of protected health information and allowable uses and disclosures of PHI.
HIPAA requires covered entities to adopt a security awareness and training program for all members of the workforce, and employees must confirm in writing they have been through the training program. HIPAA certification for security awareness training is also not a requirement.
Any ‘certification’ awarded will confirm that employees have completed their training and possibly been tested on their knowledge of HIPAA rules. The certification may be beneficial when seeking work, but it is not recognized by any federal agency.
HIPAA Compliance Confirmed by Third Party Audits?
Often, potential business associates of HIPAA-covered bodies undergo audits by third-party HIPAA compliance experts to prove that their products, services, policies, and procedures comply with HIPAA standards. The audits provide peace of mind as they demonstrate HIPAA compliance. However, there are no officially recognized private consultants or companies that are able to provide such services.
Even if HIPAA certifications are awarded by external auditors and assessors, they have no legal grounding. Audits only prove that technical, physical, and administrative security measures and company policies and processes meet HIPAA requirements at the time the audit was completed.