As a healthcare organization, you know you have to comply with the Health Insurance Portability and Accountability Act (HIPAA). But then you hear about organizations that become “HIPAA Certified” with a badge to show for it, and maybe you wonder: “Does my organization need HIPAA certification?”
Let’s answer a few common questions about HIPAA certification.
What is HIPAA Compliance Certification?
HIPAA certification means a healthcare organization has been found to meet the standards of the Privacy, Security, and Breach Notification Rules of HIPAA. Usually this means a third-party certification company conducts an audit of your organization to see if your practices match up with HIPAA requirements. If they find you in compliance, you can informally become “HIPAA Certified,” though there are some problems with this. Read on:
Do Healthcare Providers Need HIPAA Certification?
According to the U.S. Department of Health and Human Services (HHS), no. There isn’t any standard that requires you to certify your compliance.
You do, though, have to periodically evaluate the technical and non-technical aspects of your HIPAA security practices. You can do this in-house or with an external company that provides “certification.” But, as HHS notes:
“HHS does not endorse or otherwise recognize private organizations’ ‘certifications’ regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a ‘certification’ by an external organization does not preclude HHS from subsequently finding a security violation.”
Be careful that you don’t mistake certification for compliance. You need to be compliant. You don’t need to be certified.
A HIPAA certificate doesn’t help when your organization goes under the microscope (for example, during an Office for Civil Rights investigation). In an audit, you will need more than a piece of paper; you must demonstrate what you have done and are doing to comply with HIPAA rules in daily practice.
Should Business Associates Be HIPAA Certified?
Though a certification badge on a vendor may bolster your confidence that the vendor is compliant and can be trusted with your data, it doesn’t mean they are following through. Therefore, don’t choose a vendor based on a “HIPAA Certified” status. Always conduct due diligence first to make sure they walk the walk.
So, neither covered entities nor their business associates need HIPAA certification. Likewise, individual employees don’t need to receive a HIPAA certification. Nonetheless, covered entities, business associates, and employees alike are responsible for complying with HIPAA rules.
What Does It Take to Become HIPAA Compliant?
There’s no official program for organizations to become compliant, receive a “HIPAA Certified” badge, and be done with it. HIPAA compliance is a process, not an end to be reached. Because HIPAA has so many requirements and healthcare organizations and technologies are constantly changing, you have to regularly evaluate and adjust your practices to meet the regulation.
A few important areas of HIPAA compliance include:
- Policies and procedures. Policies and procedures are the backbone of your HIPAA compliance program. They direct your entire team on how to carry out the standards of HIPAA. You must update your policies and procedures regularly.
- HIPAA training. You must train your team about how to comply with HIPAA and follow the policies and procedures. You must train new employees soon after they’re hired and other employees whose job role has changed. However, there’s no official training protocol you have to use; you’re free to develop your own training or outsource it.
- Security risk analysis. Risk analyses help you discover and manage risks to your data. You must conduct an accurate and thorough assessment of the risks and vulnerabilities to the patient information that your organization handles. There’s no set schedule for risk analyses; they could be yearly or as needed.
Should My Organization Also Become HIPAA Certified?
Though you can’t become “officially” HIPAA certified (that is, recognized by HHS), you can gain certification for other reasons. A third-party company can be useful for helping you complete HIPAA training and risk analyses. However, you don’t need a certification company to do this. There are many vendors who will perform these services.
Our cloud-based software, HIPAAtrek, helps healthcare organizations achieve and maintain HIPAA compliance. Our HIPAA experts will also help you develop your policies and procedures and conduct a risk analysis for you. Contact us for a personalized demo of HIPAAtrek or to learn about our other services.