Does HHS certify healthcare providers as HIPAA compliant? Are there third-party firms that provide HIPAA certification? Can a healthcare provider declare itself HIPAA compliant?
Several companies claim that their products are HIPAA certified. But no company or product has been certified or endorsed by HHS.
There is no official HIPAA certification.
Is HIPAA compliance important?
If your organization is covered under HIPAA, then you need to follow the three HIPAA rules. These rules define the standards for handling protected health information. Failure to follow these standards can have severe consequences. The Department of Health and Human Services (HHS) can penalize your organization heavily if you fail to follow HIPAA. Criminal violations can even result in jail time.
So, if you are a covered entity under HIPAA, you must treat HIPAA compliance as the most important task on your list. Again, every healthcare provider that uses, shares or stores protected health information must ensure that it follows the three HIPAA rules.
How to comply with the three HIPAA rules?
The three HIPAA rules are the HIPAA Privacy Rule, the Security Rule, and the Breach Notification Rule.
To comply with these rules, covered entities must conduct a risk analysis of their organization. Then they must put in place a security management plan. An information access management system should also be put in place to ensure minimum exposure of patient information. Moreover, the organization must document its entire compliance process. This helps prove that management has taken all necessary steps to protect patient information.
In short, you must ensure that you comply with every ‘standard’ of the three HIPAA Rules.
You’d also need to assess your policies and procedures periodically to ensure that they meet the standards set by the Security Rule. And you must train your employees on your security policies and procedures.
There is no other alternative to this process.
When the HHS Office for Civil Rights (OCR) decides to audit your organization, you should be able to show that you went through the entire process described above, and that you have been doing so for the past six years.
Even passing a HIPAA audit does not mean that you have become HIPAA compliant once and for all. Tomorrow, if HHS announces changes to the HIPAA rules and you fail to update your systems to account for those changes, the OCR can charge you with HIPAA non-compliance.
HIPAA Compliance is an ongoing task. You must update your policies and procedures regularly, and ensure that your systems meet the HIPAA standards.
This can be difficult, especially if you are a new organization or a large entity covered under HIPAA. You may choose to use third-party firms to help you with your HIPAA compliance efforts. Specifically:
- Administrative safeguards under the Security Rule require that covered entities conduct a risk assessment of their systems and implement security measures to reduce the identified risks.
- This is a difficult task if yours is a small practice and you do not have the setup necessary for it.
- Generally, such practices hire third-party services to carry out a risk assessment of their systems and to develop a security management plan for the practice.
- Similarly, covered entities need to assess their security policies and procedures periodically to ensure that they meet the standards set by the Security Rule.
- Again, if a practice does not possess the resources to carry out such an assessment, it can engage third-party auditors to conduct the assessment.
- The Security Rule also requires covered entities to train their employees on security policies and procedures. You can use training vendors to conduct HIPAA training for your employees.
- Select a HIPAA training company that offers HIPAA training at a level that meets your expectations. You can also choose vendors who offer tracking and reporting of your training efforts; they can help you verify that all your employees have been trained in their HIPAA responsibilities.
Third-party HIPAA certification
Beware: certificates of compliance issued by third parties do not absolve you of your duties under HIPAA. The OCR is not bound to accept a third party’s evaluation of your systems, nor does it accept training certificates from HIPAA training vendors. In fact, HHS and the OCR do not endorse any seminars, materials or systems. No product has been certified as HIPAA compliant by HHS. There is no official HIPAA certification.
When the OCR audits your organization, it will check your policies and procedures for compliance with the three HIPAA rules, check whether your employees are aware of them, and confirm whether your systems comply with the three HIPAA rules.
Third-party certifications act only as confirmation that the necessary policies and procedures are in place, that your documentation is accurate, and that your employees have been trained properly. So, if you use a third-party vendor to assist with your HIPAA compliance efforts, make sure you create a documentary trail. Care more about reports than about certificates, and more about the content of the training you buy than about its cost.
Remember, even if you hold a certificate from a third-party vendor, you can still be penalized if an OCR audit finds gaps between your security setup and the expectations set by the three HIPAA rules.
You can share your queries about HIPAA certification by emailing us at firstname.lastname@example.org. It would be our pleasure to assist you. You can also leave comments in the section below.