Any vendor that wants to provide goods or services to HIPAA-covered entities – healthcare providers, health plans, or healthcare clearinghouses – that requires access to protected health information (PHI) must comply with certain HIPAA provisions. HIPAA certification is an ideal way to demonstrate compliance with the HIPAA Rules, but what is HIPAA certification and how can it be obtained?
What is HIPAA Certification?
HIPAA certification is an accreditation or documentation that demonstrates an organization has implemented an effective HIPAA compliance program and is fully compliant with all appropriate provisions of the HIPAA Rules. The certificate is awarded by training companies and compliance vendors to organizations that have completed a HIPAA compliance or training program.
After these assessments, Covered Entities and Business Associates can claim they are ‘HIPAA Certified’ or that they provide a product or service that is ‘HIPAA compliant.’ Some compliance firms allow organizations to display a HIPAA compliant badge which may help attract business from healthcare clients and stand out from the competition.
Is Certification Officially Recognized?
Certification can have advantages, but there is a caveat. There is some confusion over which type of certificates are recognized by the main enforcer of HIPAA compliance – the Department of Health and Human Services’ Office for Civil Rights (OCR). With regards to the Security Rule, the Department of Health and Human Services notes:
“It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule,” said OCR. “Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”
The reason there is no officially recognized Security Rule certification is that HIPAA compliance is an ongoing process. A respected third-party company may complete a comprehensive audit of a vendor and confirm they are fully compliant with the HIPAA Rules, but any HIPAA certification provided only demonstrates HIPAA compliance on the day of the audit. Over time, new technology will likely be implemented, business processes may change, or new staff may be recruited who are not fully trained, any of which could easily render a “point-in-time” certification invalid.
What are the Different Types of Certification?
The HIPAA certification for covered entities and business associates provided by compliance vendors usually involves an audit of administrative, technical, and physical safeguards of the HIPAA Security Rule, risk management policies and procedures, documentation, and business associate agreements. If any aspect of non-compliance is identified, it would need to be fully addressed before a certificate is awarded. Obtaining HIPAA certification can therefore be a time-consuming process.
HIPAA certification can also be provided to healthcare workers. This type of certification confirms that an individual, or a workforce, has been provided with HIPAA Privacy Rule and security awareness training to meet the training requirements of the HIPAA Privacy and Security Rules.
With workforce certification, each employee must attest that they have been provided with the appropriate training, that it has been understood, and that they are fully aware of their obligations under HIPAA. This form of certification can help to limit liability, as it acts as proof that an individual or the workforce has received the appropriate training. For individuals, having HIPAA certification can be an advantage when seeking employment in healthcare settings as it demonstrates to prospective employers that the individual is aware of their responsibilities under HIPAA.
HIPAA Certification FAQS
How frequently should businesses be evaluated?
Under the Administrative Safeguards of the Security Rule (45 CFR § 164.308), Covered Entities and Business Associates are required to “perform a periodic technical and non-technical evaluation […] that establishes the extent to which a Covered Entity’s or Business Associate’s security policies and procedures meet the requirements of the [other] Administrative Safeguards”.
Although the standard does not qualify “periodic”, it is a best practice to check annually whether environmental or operational changes have impacted the effectiveness of security policies and procedures. Many Covered Entities and Business Associates take advantage of services provided by external organizations to perform these checks – the external organization issuing a HIPAA certification when each evaluation is complete.
Does the HHS non-recognition of certifications apply to the Privacy Rule?
Although the statement relating to the non-recognition of certifications is directed at the Security Rule, it applies in many cases to the Privacy Rule as well. This is because any certification stating a Covered Entity is complying with the Privacy Rule is a point-in-time certification and demonstrates the Covered Entity was compliant at the time an evaluation took place.
However, despite the possibility it might not be recognized, any documentation relating to periodic evaluations (above), Privacy Rule compliance, or workforce training should be kept for a minimum of six years to comply with the HIPAA documentation requirements. This is especially important for workforce training as the majority of HIPAA violations are attributable to human error.
Under what circumstances might HIPAA certifications be recognized?
Although certifications issued by external organizations might not be recognized by the HHS, proof that a Covered Entity or Business Associate has completed a security evaluation, or documentation relating to staff training, can be used as a mitigating factor in the event of an investigation, audit, or inspection by the HHS’ Office for Civil Rights.
Organizations that can show they have “exercised a reasonable amount of care” during an investigation into a HIPAA violation are likely to be treated more leniently than an organization that has “demonstrated willful neglect”, depending on the nature of the violation, the number of patient records impacted by the violation, and the organization’s history of HIPAA compliance.
Are there any plans for HHS to issue HIPAA Certifications?
There was a proposal published in 2014 that would have required health plans to obtain HIPAA compliance certification. The proposal was withdrawn in 2017 due to the significant burden it would have placed on employer-funded health plans, but – at the time – the HHS said it was looking at other options “to show compliance with statutory requirements”. As yet, nothing has materialized.
If a new employee has HIPAA training certification, is it necessary to repeat the training?
In most cases, certificates issued for employee HIPAA training demonstrate the employee has an understanding of HIPAA. However, the HIPAA training standard requires Covered Entities to train members of the workforce on its policies and procedures relating to PHI. As each Covered Entity has different policies and procedures relating to PHI, any training the new employee has received in a previous role is unlikely to be sufficient to meet the HIPAA training requirements. Therefore, policy and procedure training must be provided to new employees regardless of existing certification.