Vendors offering their services to healthcare providers that would require access to protected health information need to ensure that they comply with HIPAA regulations. Being able to demonstrate HIPAA compliance, via HIPAA certification, would certainly help them to win business. But is it possible to obtain HIPAA certification?
HIPAA certification could serve as evidence that a vendor knows and follows all facets of HIPAA Rules. It would allow a company to easily demonstrate that it has met all requirements of HIPAA Rules and understands its responsibilities with respect to PHI.
However, there is no official HIPAA certification program, and it is not possible for a company or a product to be certified as HIPAA-compliant. The reason HIPAA certification is not available is that HIPAA compliance does not end at a particular point. It is a continuing process. A company may be regarded as HIPAA compliant today but not tomorrow, or weeks and months later.
If a vendor were to be certified as HIPAA compliant, the only thing that it would demonstrate is that at the point of the assessment, HIPAA Rules were followed to the letter and appropriate controls were in place to ensure the confidentiality, integrity, and availability of PHI. However, when changes occur to processes or procedures, or when new technology is introduced, HIPAA Rules could easily be violated.
Under HIPAA Rules, employees must receive training on HIPAA Rules and must sign a document to confirm that training has been provided. HIPAA covered entities and business associates must also provide security awareness training to their employees and similarly document that employees have received that training. Many vendors offer training courses covering both of these requirements of HIPAA Rules.
Their HIPAA compliance professionals teach employees the requirements of HIPAA, provide cybersecurity training, and teach employees the correct way of handling PHI and the permitted uses and disclosures allowed by the HIPAA Privacy Rule. While some firms may give ‘certification’ confirming that these training courses have been completed, no federal agency officially recognizes that certification.
HIPAA compliance professionals also perform audits of healthcare organizations and business associates of HIPAA-covered entities. These audits are extremely useful as they highlight any areas where HIPAA Rules are not being followed, allowing action to be taken to comply with all aspects of HIPAA Rules. Similarly, however, these audits do not have any legal standing.
It is pointed out on OCR’s web page that certification of HIPAA compliance would have no legal standing and would not excuse covered entities from their legal responsibilities, and that any certification offered by an external organization does not preclude HHS from discovering a HIPAA violation and issuing penalties for noncompliance.