How to Get HIPAA Certification

How Long Does it Take to Get HIPAA Certified?

How to get HIPAA certification depends on the purpose of the certification and whether the certification is being sought by an individual or an organization. There are many reasons why an individual or an organization may want to get HIPAA certification, and how to get certified may vary with each one. The reasons include, but are not limited to:

  • An individual to enhance their job prospects in the healthcare industry
  • A covered entity to show a good faith effort to comply with HIPAA
  • A business associate to demonstrate compliance to a covered entity
  • A marketing firm to demonstrate trustworthiness to customers
  • An employer to demonstrate the provision of HIPAA training
  • An individual to demonstrate the completion of training
  • An IT team to demonstrate readiness for the receipt of PHI

7 Reasons to Get HIPAA Certification

The above motives not only impact how to get HIPAA certification, but also the length of time it takes to get certified and the amount of effort involved. To demonstrate how these factors vary, we have expanded each of the seven reasons to get HIPAA certification below.

How to Get HIPAA Certification to Enhance Job Prospects

If an individual is looking for a job in the healthcare industry – or a promotion within the industry – it is necessary to have the appropriate professional qualifications. When two or more candidates for a position have similar professional qualifications, a certification demonstrating an understanding of HIPAA can be beneficial.

To get HIPAA certification in this scenario, an individual can subscribe to an online course provided by a third party certification company. The length of time and the amount of effort involved will depend on the content of the course, the individual’s existing HIPAA knowledge, and the amount of time they have available to complete the course modules.

How Certification Shows a Good Faith Effort to Comply with HIPAA

Since the passage of HIPAA, HHS’ Office for Civil Rights has applied a light touch to HIPAA enforcement – opting for voluntary compliance and corrective action plans wherever possible. However, a 2021 amendment to the HITECH Act now requires HHS’ Office for Civil Rights to consider recognized security practices when considering fines and other sanctions.

HHS has not yet published a definition of “recognized security practices”, so it is up to each covered entity and business associate to work out how best they can demonstrate a good faith effort to comply with HIPAA in the event of an investigation into a violation or data breach. Getting a certification of HIPAA compliance is a suitable option.


Why Certification can be Beneficial to Business Associates

As well as HIPAA certification being beneficial to business associates to show HHS’ Office for Civil Rights a good faith effort to comply with HIPAA, a HIPAA certification can also demonstrate to a covered entity that a business associate is complying with the terms of a Business Associate Agreement between the parties.

Under §164.316 of the Security Rule, covered entities are required to review documentation (including Business Associate Agreements) periodically. A business associate that has taken the trouble to get HIPAA certification can save time, reduce business disruption, and avoid the possible termination of a Business Associate Agreement.

How a HIPAA Certification can Demonstrate Trustworthiness

An organization does not necessarily have to be a covered entity to benefit from HIPAA certification, as a HIPAA certification demonstrates measures exist to respect the privacy and security of individually identifiable health information. Therefore, a HIPAA certification can be used by any organization to show they can be trusted with personal data.

The way to get a HIPAA certification does not vary if you are not a HIPAA covered entity. You simply apply to a third party certification company for an assessment; and, if the appropriate measures are in place, a certificate of compliance is issued. Naturally, it may take longer for an organization with no experience of HIPAA to be certified as HIPAA compliant.

Why Prove the Provision of HIPAA Training?

The provision of HIPAA training is a requirement of the Privacy Rule and the Security Rule. It is also necessary to document the nature of the training provided and, in some states, to obtain an attestation of attendance. These factors in themselves prove nothing more than that a member of the workforce has sat in a classroom for 30 minutes.

Training that awards a HIPAA certification when a member of the workforce passes a knowledge test shows that the training has been effective. If the certificate also lists what modules of HIPAA training have been passed, this can help organizations better prepare for future refresher training, material change training, or ongoing security awareness training.

Why Prove the Completion of HIPAA Training?

One of the most common workforce sanctions for HIPAA violations of a minor nature is re-training. However, many organizations do not have the resources to provide one-on-one training for every minor HIPAA violation, and either fail to enforce the sanction or provide a training module to the workforce member and tell them “to get on with it”.

Being able to get HIPAA certification for completing the training module enables members of the workforce who may have violated HIPAA inadvertently to demonstrate a good faith effort to comply with their employer’s policies and procedures. It may also mitigate the level of sanction if the workforce member subsequently violates HIPAA again.

The Importance of Confidence in Your IT Security Infrastructure

If a service provider or software vendor is considering entering the healthcare industry as a business associate, its business development team must have confidence in its IT security infrastructure and be able to demonstrate readiness for the receipt of PHI and IT security compliance with HIPAA thereafter.

To satisfy the needs of a business development team, an IT team can get HIPAA certification for just its IT security infrastructure without having to go through assessments of, for example, termination procedures, breach notification procedures, or agreements with subcontractors. Consequently, IT security HIPAA certification should take less time and effort than a full HIPAA compliance assessment.

Find Out More about How to Get HIPAA Certification

Because of the different types of HIPAA certification and the different motives for achieving certification, there is no one-size-fits-all way to get HIPAA certification. Individuals and organizations who feel they may benefit from HIPAA certification should speak with an independent HIPAA compliance consultant to discuss their requirements and the best ways to satisfy them.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: