What is HIPAA Certification?

Any vendor that wants to provide goods or services to HIPAA-covered entities – healthcare providers, health plans, or healthcare clearinghouses – and that requires access to protected health information (PHI) must comply with certain HIPAA provisions. HIPAA certification is an ideal way to demonstrate compliance with the HIPAA Rules, but what is HIPAA certification and how can it be obtained?

What is HIPAA Certification?

HIPAA certification is an accreditation or documentation that proves an organization has implemented an effective HIPAA compliance program and is fully compliant with all appropriate provisions of the HIPAA Rules. HIPAA certification is provided by certain training companies and compliance vendors and is awarded to organizations that have completed their HIPAA compliance or training programs.

HIPAA certification for businesses is provided following the successful completion of the HIPAA compliance program after an assessment of documentation, policies, and procedures. If the assessment is passed, HIPAA certification is provided.

After these assessments, some companies may claim they are ‘HIPAA Certified’ or that they provide a product or service that is ‘HIPAA compliant.’ Some compliance firms will allow vendors to display a HIPAA compliant badge which will help them to attract business from healthcare clients and stand out from the competition.

Is HIPAA Certification Officially Recognized?

HIPAA certification certainly has advantages, but there is a caveat. HIPAA certification is not officially recognized. The main enforcer of HIPAA compliance, the Department of Health and Human Services’ Office for Civil Rights (OCR), makes this quite clear.

“It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule,” said OCR. “Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”

The reason there is no officially recognized HIPAA certification is that HIPAA compliance is an ongoing process. A respected third-party company may complete a comprehensive audit of a vendor and confirm they are fully compliant with the HIPAA Rules, but any HIPAA certification provided only demonstrates HIPAA compliance on the day of the audit. Over time, new technology will likely be implemented, business processes may change, or new staff who are not fully trained may be recruited, any of which could easily render a HIPAA certification invalid.

While it is not officially recognized, HIPAA certification does demonstrate a company is committed to HIPAA compliance and is taking its obligations seriously, especially if HIPAA certification is refreshed annually.

What are the Different Types of HIPAA Certification?

The HIPAA certification for covered entities and business associates provided by compliance vendors usually involves an audit of administrative, technical, and physical safeguards of the HIPAA Security Rule, risk management policies and procedures, documentation, and business associate agreements. If any aspect of non-compliance is identified, it would need to be fully addressed before HIPAA certification is awarded. Obtaining HIPAA certification can therefore be a time-consuming process.

HIPAA certification can also be provided to healthcare workers. This type of HIPAA certification confirms that an individual, or the workforce, has been provided with HIPAA and security awareness training to meet the training requirements of the HIPAA Privacy and Security Rules.

With employee HIPAA certification, each employee must attest that they have been provided with the appropriate training, that it has been understood, and that they are fully aware of their obligations under HIPAA. This form of HIPAA certification can help to limit liability, as it acts as proof that an individual or the workforce has received the appropriate training. For individuals, having HIPAA certification can be an advantage when seeking employment in healthcare settings as it demonstrates to prospective employers that the individual is aware of their responsibilities under HIPAA.