This post still to be written: HIPAA certification is the process in which an independent third party organization audits a vendor to certify and confirm that the physical, technical, and administrative safeguards required for HIPAA compliance have been met, with the award of a formal document that signals the completion of a HIPAA compliance process.

Certifying that an organization’s workforce is HIPAA compliant can have similar benefits to those discussed above inasmuch as a compliant workforce is less likely to violate HIPAA or make mistakes that could result in data breaches. Similarly achieving workforce HIPAA certification demonstrates a reasonable amount of care to abide by the HIPAA Rules in the event of an OCR investigation or audit.

For individual members of the workforce, HIPAA certification can help foster patient trust, support applications for promotion, and increase prospects in the job market. However, it is what workforce members learn during a certification program that can have the biggest impact on their professional lives, as this can help prevent unintentional violations that can have significant consequences.

Unintentional violations of HIPAA can be attributable to a lack of knowledge, shortcuts being taken “to get the job done”, or because a cultural norm of noncompliance has been allowed to develop. Whatever the reason, violations of HIPAA can result in sanctions ranging from written warnings to loss of professional accreditation – sanctions that can be avoided by applying the information learned during a certification program.

HIPAA training is not optional and “a covered entity must train all members of its workforce on policies and procedures […] as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity” as stated in §164.530(b)(1) of the HIPAA Privacy Rule. All HIPAA covered entities must  “implement a security awareness and training program for all members of its workforce including management” as stated in §164.308(a)(5) of the HIPAA Security Rule.

Why Organizations Get Certified As Being HIPAA Compliant?

The first reason for getting certified is that, in order to achieve an accreditation, organizations will have to adopt best privacy practices and implement the administrative, technical, and physical safeguards of the HIPAA Security Rule. This in itself will reduce the likelihood of HIPAA violations and data breaches – leading to a reduction in patient complaints and OCR investigations.

If – despite achieving an accreditation – a violation still occurs that results in an OCR investigation, a certificate of HIPAA compliance demonstrates “a reasonable amount of care to abide by the HIPAA Rules”. This can be the difference between a HIPAA violation being classified as a Tier 1 violation (minimum penalty per violation $141) and a Tier 2 violation (minimum penalty per violation $1.424).

For business associates, and covered entities that act as business associates for other covered entities, HIPAA certification demonstrates an intention to operate compliantly – making an organization’s services more attractive and reducing the amount of due diligence required before a covered entity and business associate enter into a Business Associate Agreement.

HIPAA Certification Requirements for Covered Entities

In order for a covered entity to be certified as HIPAA compliant, third-party compliance experts will review seven areas of compliance:

• Compliance with the administrative, technical, and physical safeguards of the HIPAA Security Rule. This includes (but is not limited to), an asset and device audit, an IT risk analysis questionnaire, a physical site audit, a security standards audit, a privacy standards audit, and HITECH Subtitle D privacy audit.
• Remediation plans to address gaps identified in the above audits.
• Policies and procedures to address HIPAA regulatory compliance and document a “good faith” effort towards compliance.
• An employee training program that includes employee understanding of the above policies and procedures.
• A documentation audit to ensure the documentation required by HIPAA is maintained and accessible.
• Business Associate Agreement management and due diligence procedures.
• Incident management procedures in the event of a data breach or reportable violation of HIPAA.

Because of the processes involved in auditing compliance with the HIPAA Security Rule, the HIPAA certification requirements cannot be fulfilled overnight. It is also impossible to put a timeframe on how long it may take to achieve HIPAA certification without knowing what gaps might be identified during the audit processes and the nature of the remediation plans required to address them.

HIPAA Certification Requirements for Business Associates

The HIPAA certification requirements for business associates are much the same as above but tailored to the nature of services provided for covered entities. One important point to note is that 45 CFR § 164.308 stipulates a security and awareness training program must be implemented for all members of the workforce – not just those involved in the provision of a service to a covered entity. It is common for potential business associates of HIPAA covered entities to undergo audits by third party HIPAA compliance companies in order to confirm that their products, services, policies, and procedures meet HIPAA standards. The audits are useful for covered entities’ peace of mind as they confirm HIPAA compliance at the time the audit was conducted.

However, for business associates unfamiliar with the far-reaching complexities of HIPAA, it is likely they will require help to become compliant. For this reason, it can be important to select a third-party HIPAA compliance company that not only offers HIPAA certification services, but also helps business associates implement effective HIPAA compliance programs.

HIPAA Certification FAQs

Why is HIPAA certification described as a “point in time” accreditation?

HIPAA certification is described as a “point in time” accreditation because HIPAA compliance is an on-going progress. A HIPAA certified organization may have passed a third-party company’s HIPAA compliance program and implemented mechanisms to maintain compliance, but that is no guarantee the organization will remain compliant in the future. HIPAA certification should be considered an initial objective and then an ongoing task.

Can software be certified as HIPAA compliant?

Software cannot be certified as HIPAA compliant because, while it is possible for software to have HIPAA compliant capabilities, the way the capabilities are used determines compliance with the HIPAA Rules. It is also important to note the distinction between HIPAA compliant software and HIPAA compliance software.

What does HHS say about HIPAA certification?

What HHS says about HIPAA certification is that there is no requirement in HIPAA for a covered entity or business associate or healthcare worker to be certified as compliant. The Department warns organizations to be aware of misleading marketing claims suggesting compliance programs or material is endorsed by HHS or the Office for Civil Rights (OCR).

What is the difference between a third party audit and an HHS audit?

The difference between a third party audit and an HHS audit is that a third party audit checks a covered entity´s HIPAA compliance and, if lapses in compliance are found, the covered entity has an opportunity to address them. If lapses in compliance are found during an HHS audit, the covered entity may be fined – even if there has been no unauthorized use or disclosure of PHI. Because of the risk of a financial penalty for non-compliance, the cost of a third party audit can be a sound investment.

What is the cost of a third party compliance audit?

The cost of a third party compliance audit depends on the size of the covered entity or business associate and the nature of activities. For example, the cost of a third party audit for a major healthcare group is going to be significantly more than the cost to a sole-trader insurance broker who handles a limited number of healthcare claims each year.

How long does HIPAA certification for covered entities and business associates last?

HIPAA certification for covered entities and business associates does not “last”. A HIPAA certification indicates that a covered entity or business associate has passed a third-party company´s HIPAA compliance program and “at that point in time” was HIPAA compliant. As soon as that point in time has passed, a HIPAA certification is no guarantee of compliance. As a result, HIPAA certification has no lifespan and it is a best practice is to conduct regular compliance audits.

How long does HIPAA certification for healthcare workers last?

How long HIPAA certification for healthcare workers lasts depends on whether the certification has been achieved independently or as part of an employer’s training program. If the former, the “point in time” principle applies. If the latter, the certification should be retained for six years in compliance with the HIPAA documentation requirements. It is also recommended refresher training is provided at least annually.

How does HIPAA certification help foster patient trust?

HIPAA certification helps foster patient trust because one of the most important elements of a patient/healthcare professional relationship is trust. When patients are confident their privacy is being respected, this will help foster trust – which contributes to the delivery of better care in order to achieve optimal health outcomes. Better patient outcomes raise the morale of healthcare professionals and result in more rewarding work experience.

Why might a healthcare professional lack knowledge of HIPAA?

A healthcare professional might lack knowledge of HIPAA because covered entities are only required to provide training relevant to a healthcare professional’s role. When a healthcare professional transfers to a new role – or is asked to substitute for a colleague in a different role – they may not immediately have the level of HIPAA knowledge relevant to the role they are performing, potentially resulting in unintentional HIPAA violations.

How are cultural norms of noncompliance allowed to develop?

Cultural norms of non-compliance are allowed to develop in the workplace because many covered entities lack the resources to monitor HIPAA compliance 24/7. It is not unusual for busy healthcare workers to take shortcuts with HIPAA compliance “to get the job done”; and, if the shortcuts become a regular occurrence, they develop into a cultural norm of noncompliance. This is why it is important for covered entities to provide refresher HIPAA training at least annually.

What does HIPAA certification signify?

HIPAA certification signifies that an organization has passed a HIPAA compliance audit. Although this may only be a point in time accreditation, the certification demonstrates the organization has effectively implemented HIPAA’s privacy provisions and security standards. Alternatively, a HIPAA certification for an individual can signify that a member of the workforce has achieved the level of HIPAA knowledge required to comply with the organization’s policies and procedures.

Is certification a requirement of HIPAA?

Certification is not a requirement of HIPAA. It is a voluntary process that organizations can undertake to validate their understanding and implementation of HIPAA’s regulations. Indeed, preparing for certification can help organizations fine-tune risk analyses to better identify gaps in compliance and make better informed decisions about how to fill the gaps.

What are the benefits of becoming HIPAA certified?

The benefits of becoming HIPAA certified include that the process of certification can help organizations adopt best privacy practices and implement the safeguards required by the HIPAA Security Rule. This can reduce the likelihood of HIPAA violations and data breaches. Also, if a violation does occur, certification may demonstrate “a reasonable amount of care” to abide by the rules, which could impact the severity of penalties.

How can HIPAA certification affect the penalties for HIPAA violations?

HIPAA certification can impact the penalties for HIPAA violations significantly if – for example – an organization that is certified experiences a HIPAA violation, and HHS’ Office for Civil Rights investigates the violation. A HIPAA certification demonstrates a good faith effort to comply with HIPAA. This could influence the decision about whether a violation is classified as a Tier 1 or Tier 2 violation, affecting the minimum penalty per violation – if a penalty is imposed at all.

Why might business associates find it beneficial to obtain HIPAA certification?

Business associates might find it beneficial to obtain HIPAA certification to demonstrate the intention to operate compliantly, making their services more appealing to prospective covered entities in a crowded marketplace. Also, if a business associate has achieved HIPAA certification, it may reduce the amount of due diligence required before a covered entity will enter into a Business Associate Agreement.

What are the key areas of compliance that are reviewed for a covered entity to be certified as HIPAA compliant?

The key areas of compliance that are reviewed for a covered entity to be certified as HIPAA compliant include adherence to the HIPAA Security Rule’s administrative, technical, and physical safeguards; remediation plans for gaps identified in audits; policies and procedures for regulatory compliance; employee training; documentation management; Business Associate Agreement management; and incident management procedures for data breaches or violations.

How do HIPAA certification requirements differ for business associates compared to covered entities?

HIPAA certification requirements differ for business associates compared to covered entities by being tailored to the services being offered to or on behalf of covered entities. A key point is that business associates must implement a security and awareness training program for all members of the workforce, not just those involved in services being offered to or on behalf of covered entities.

What are the benefits of HIPAA certification for healthcare workers?

The benefits of HIPAA certification for healthcare workers are that healthcare workers achieve a deeper understanding of HIPAA beyond the basic “policy and procedure” training provided by employers. This comprehensive education covers frequently violated standards like patients’ rights, the minimum necessary standard, and allowable uses and disclosures – helping to prevent unintentional violations due to lack of knowledge.

How long does it take to achieve HIPAA certification?

The length of time it takes to achieve HIPAA certification can vary widely and is difficult to predict without knowing the level of knowledge that each organization or individual is starting from, the gaps that might be identified during audit processes and the nature of the remediation plans required to address them. The process involves thorough several audits and tests, and cannot be completed overnight.

The post What is HIPAA Certification For Healthcare Vendors? appeared first on The HIPAA Journal.