Can Healthcare Vendors Get HIPAA Certification?
Healthcare vendors can get HIPAA certification, but it is important for organizations to be aware that a HIPAA certification for healthcare vendors is a point-in-time accreditation. Organizations subscribing to a HIPAA certified service are still required to conduct due diligence and monitor the vendor for continued HIPAA compliance.
Being HIPAA certified can give vendors a competitive edge in the healthcare industry. This is because a HIPAA certification implies a vendor is aware of all applicable HIPAA requirements and that its service or product has been designed to comply with these requirements. However, because HIPAA certification is a point-in-time accreditation, it does not guarantee continued HIPAA compliance.
It might only take one change in operations, one change in software design, or one non-compliant event to invalidate a HIPAA certification and a Business Associate Agreement that has been executed on the basis that a healthcare vendor holds HIPAA certification. For this reason, it can be beneficial to look at alternatives to HIPAA certification, especially those that require ongoing compliance.
How Can Healthcare Vendors Get HIPAA Certification (Almost)?
Rather than obtaining HIPAA certification itself, healthcare vendors can get certified against voluntary standards that closely match the requirements of HIPAA. To achieve certification with many voluntary standards, it is necessary to demonstrate ongoing compliance rather than point-in-time compliance, making these types of certification credible alternatives to HIPAA certification.
Potential voluntary standards to consider include, but are not limited to:
- ISO 27001
- NIST CSF 2.0
- HITRUST CSF r2
- SOC 2 Type 2
It is also worth bearing in mind that the Department of Health and Human Services (HHS) recently published its voluntary Cybersecurity Performance Goals (CPGs). HHS has proposed integrating the CPGs into the Security Rule and making compliance with them a condition of participation in Medicare. If these proposals become a reality, it may in future be possible for healthcare vendors to get HIPAA certification directly from HHS.
HIPAA Verification as an Option for Healthcare Vendors
Because healthcare vendors (as business associates) only have to comply with the applicable standards and implementation specifications of HIPAA, pursuing a certification of compliance with a voluntary standard in its entirety may be more than is necessary for a specific product or service. In these cases, it may be more appropriate to pursue HIPAA verification.
HIPAA verification involves completing a custom compliance program limited to the applicable standards and implementation specifications. The benefit of HIPAA verification is that achieving it is simpler, quicker, and less expensive than obtaining HIPAA certification, while still demonstrating a good faith effort to be HIPAA compliant.
It is often possible to take advantage of free trials of software that guide healthcare vendors through the certification or verification process. However, it is also possible to spend a lot of time evaluating unsuitable solutions. Therefore, healthcare vendors unsure about which option may be best for their business are advised to speak with a HIPAA compliance professional.