Can Healthcare Vendors Get HIPAA Certification?
Healthcare vendors cannot get HIPAA certification at present, but they can obtain other types of certification that demonstrate compliance with voluntary standards closely aligned to HIPAA. Where these alternative certifications are not appropriate for a vendor's products or services, the option exists to become HIPAA verified.
Some healthcare vendors claim to be HIPAA certified, but how can healthcare vendors get HIPAA certification when no federally recognized certification exists? The answer is that voluntary standards exist that closely match the requirements of HIPAA, and achieving a certification of compliance with these standards is almost equivalent to HIPAA certification.
Why is it Not Possible to Get HIPAA Certification for Healthcare Vendors?
The reason it is not possible to get HIPAA certification for healthcare vendors is that HIPAA compliance is not a point in time “achievement” but an ongoing process. If such a certification existed, all it would prove is that at the time healthcare vendors get HIPAA certification, they – or their products or services – are HIPAA compliant. There is no guarantee of future compliance.
While such a certification could give vendors a competitive edge because it would save HIPAA covered entities having to conduct due diligence on vendors’ compliance programs, it might only take one change in operations, one change in software design, or one non-compliant event to invalidate a certification – a risk that most covered entities should not be prepared to take.
In addition, with most healthcare products or services it is not whether the product or service is “HIPAA compliant” that determines compliance, but how the product or service is used. For example, if a communications platform is certified as supporting HIPAA compliance, but is misused and PHI is disclosed impermissibly, the HIPAA certification would be meaningless.
How Can Healthcare Vendors Get HIPAA Certification (Almost)?
Rather than healthcare vendors getting HIPAA certification, it is possible to get certified against voluntary standards that closely match the requirements of HIPAA. To achieve certification with many voluntary standards, it is necessary to demonstrate ongoing compliance rather than point-in-time compliance, which makes these types of certification credible alternatives to HIPAA certification.
Potential voluntary standards to consider include, but are not limited to:
- ISO 27001
- NIST CSF 2.0
- HITRUST CSF r2
- SOC 2 Type 2
It is also worth bearing in mind that the Department of Health and Human Services (HHS) recently published its voluntary Cybersecurity Performance Goals (CPGs). HHS has proposed integrating the CPGs into the Security Rule and making compliance with them a condition of participation in Medicare. If these proposals become a reality, it may be possible in the future for healthcare vendors to get HIPAA certification directly.
HIPAA Verification as an Option for Healthcare Vendors
Because healthcare vendors (as business associates) only have to comply with the applicable standards and implementation specifications of HIPAA, pursuing a certification of compliance with a voluntary standard in its entirety may be more than is necessary for a specific product or service. In these cases, it may be more appropriate to pursue HIPAA verification.
HIPAA verification involves completing a custom compliance program limited to the applicable standards and implementation specifications. The benefit of HIPAA verification is that achieving verification is simpler, quicker, and less expensive than pursuing a full certification, but it still demonstrates a good faith effort to be HIPAA compliant.
It is often possible to take advantage of free trials of software that guide healthcare vendors through the certification or verification process. However, it is also possible to spend a lot of time evaluating unsuitable solutions. Therefore, healthcare vendors unsure about which option may be best for their business are advised to speak with a HIPAA compliance professional.