All entities and individuals included under the definition of HIPAA-covered entity or business associate are required to comply with HIPAA Rules, which leads many to search for companies that offer HIPAA compliance certification.
If HIPAA-covered entities have implemented compliance programs and want to ensure that those programs have covered all aspects of HIPAA Rules, HIPAA compliance certification can be of great benefit. Certification provides covered entities and business associates with reassurances that they have achieved the minimum necessary standards for data security, are adequately protecting patient privacy, and have developed the necessary policies and procedures to avoid penalties for noncompliance with HIPAA Rules.
HIPAA compliance certification will provide reassurances that an individual or organization is compliant with HIPAA Rules today, but it offers no guarantee that HIPAA will not be violated tomorrow. Furthermore, there is no officially recognized HIPAA compliance certification course or accreditation. HIPAA compliance certification therefore differs from PCI compliance certification in that respect, as the latter is officially recognized.
The Department of Health and Human Services’ Office for Civil Rights, the main enforcer of HIPAA Rules, does not recognize or endorse any compliance certification program offered by private companies and there is no official government certification program for HIPAA.
Texas does offer formal certification for compliance with Texas HB300, which covers the provisions of the HIPAA Privacy and Security Rules. Texas was one of the first states to implement legislation that requires individuals and entities to go above and beyond the requirements of HIPAA for protecting medical records.
Even so, while completing the certification program will demonstrate compliance with Texas HB300 and show the minimum standards for privacy and security required by HIPAA have been met and exceeded, even this compliance certification is not federally recognized.
HIPAA certification is akin to an internal audit of policies, procedures, documentation, and security controls, which is a requirement of the HIPAA Security Rule.
Section 45 CFR § 164.308(a)(8) of the Administrative Safeguards of the HIPAA Security Rule requires HIPAA-covered entities to periodically evaluate their compliance program. A technical and non-technical evaluation must be performed to ensure all HIPAA standards are being met or exceeded. Further evaluations are required in response to “environmental or operational changes affecting the security of electronic protected health information.”
Many HIPAA compliance certification programs offered by private companies involve HIPAA training for staff followed by audits and testing. Even when an organization has been certified to be compliance with HIPAA, organizations and individuals are still legally bound to continue to comply with HIPAA Rules.
Any HIPAA compliance certification program only demonstrates that an individual or organization is compliant with HIPAA Rules at a set period in time – when the assessment is completed and certification is provided. It is no guarantee that all employees within that organization will always comply with HIPAA Rules and neither that security and privacy protections will remain compliant.
Becoming compliant with HIPAA Rules means ensuring that policies and procedures are developed and administrative, technical, and physical controls are implemented to ensure the security, confidentiality, and availability of PHI. Whenever there is a change in business processes or updates to technology, an organization could quite easily stop being compliant with HIPAA Rules. HIPAA compliance must therefore be viewed as an ongoing process.
If OCR or state attorneys general investigate complaints about potential HIPAA violations or assess compliance following a data breach or security incident, the fact that an organization or individual has been certified as being compliant with HIPAA Rules will not prevent legal actions or fines if HIPAA violations are discovered. Financial penalties may be deemed appropriate despite an organization’s previous efforts to comply with HIPAA and regardless of the training provided or certifications received.
Any individual considering employment as a HIPAA privacy and security officer will need to demonstrate a thorough understanding of HIPAA Rules. Many training companies offer courses that include certifications to demonstrate understanding of all HIPAA Rules or specific areas of HIPAA regulations such as privacy and security.
Completing and passing one of these training courses does not mean an individual is certified for life. These certifications are usually only valid for a finite period of time and will need to be renewed, especially following any updates to HIPAA regulations.
Some of the most common training courses for HIPAA privacy and security officers are:
Completion of these courses, especially when accompanied by compliance experience in the workplace, can improve job prospects and opportunities for career development.