HIPAA Compliance News

Is it a HIPAA Violation to Email Patient Names?

Posted by HIPAA Journal

We have been asked is it a HIPAA violation to email patient names and other protected health information? In answer to this and similar questions, we will clarify how HIPAA relates to email and explain some of the precautions HIPAA covered entities and healthcare employees should take to ensure compliance when using email to send electronic protected health information.

Is it a HIPAA Violation to Email Patient Names?

Patient names (first and last name or last name and initial) are one of the 18 identifiers classed as protected health information (PHI) in the HIPAA Privacy Rule.

HIPAA does not prohibit the electronic transmission of PHI. Electronic communications, including email, are permitted, although HIPAA-covered entities must apply reasonable safeguards when transmitting ePHI to ensure the confidentiality and integrity of data.

It is not a HIPAA violation to email patient names per se, although patient names and other PHI should not be included in the subject lines of emails as the information could easily be viewed by unauthorized individuals. Even when messages are protected with encryption in transit, message headers – which include the subject line and to and from fields – are often not encrypted and could potentially be intercepted and viewed.

Patients names and other PHI should only be sent to individuals authorized to receive that information, so care must be taken to ensure the email is addressed correctly. Sending an email containing PHI to an incorrect recipient would be an unauthorized disclosure and a violation of HIPAA.

Must all Emails Containing PHI be Encrypted?

HIPAA does not require the use of encryption. Encryption is only an addressable standard. However, if, following a risk assessment, the decision is taken not to use encryption, an alternative and equivalent security measure must be used in its place.

In the case of internal emails, it would not be necessary for messages containing ePHI to be encrypted provided the messages are only sent via an internal email system and do not leave the protection of a firewall. Access controls would also need to be in place to prevent messages from being opened by individuals not authorized to receive the information.

If emails containing PHI are sent outside the protection of an internal network there is considerable potential for PHI to be viewed by unauthorized individuals. This is not a problem when emailing patients, provided consent to use email to send PHI has been obtained from the patient in advance. The patient must have been made aware of the risks of sending PHI via unencrypted email and must have given authorization to use such a potentially insecure method of communication.

Emailing ePHI to all other individuals using unencrypted email is a risky strategy. While HIPAA encryption requirements are somewhat vague, in the event of a HIPAA audit or data breach investigation, it would be hard to argue that ePHI sent via unencrypted mail was reasonably protected, especially when there are many secure methods of data sharing available – Dropbox, Google Drive, Box etc.

The post Is it a HIPAA Violation to Email Patient Names? appeared first on HIPAA Journal.

2018 HIPAA Changes and Enforcement Outlook

Posted by HIPAA Journal

Are there likely to be major 2018 HIPAA changes? What does this year have in store in terms of new HIPAA regulations? OCR Director Roger Severino has hinted there could be some 2018 HIPAA changes and that HIPAA enforcement in 2018 is unlikely to slowdown.

Are Major 2018 HIPAA Changes Likely?

The Trump administration has made it clear that there should be a decrease rather than an increase in regulation in the United States. In January 2017, Trump signed an executive order calling for a reduction in regulation, which was seen to be hampering America’s economic growth. At the time Trump said, “If there’s a new regulation, they have to knock out two. But it goes far beyond that, we’re cutting regulations massively for small business and for large business.”

While Trump was not specifically referring to healthcare, it is clear we are currently in a period of deregulation. Trump’s words were recently echoed by Severino at the HIMSS conference who confirmed the HSS understands deregulation in some areas is required before further regulations can be introduced.

Therefore, there are unlikely to be major 2018 HIPAA changes, at lease not in terms of increased regulation. What is more likely is an easing of the administrative burden on healthcare organizations in 2018.

OCR is currently reviewing existing HIPAA regulations to determine whether all aspects of HIPAA Rules are still relevant and if there are any areas where the administrative burden on healthcare organizations can be eased. OCR is looking at the benefit of various provisions of HIPAA and whether those benefits outweigh the costs.

The HHS has said its goals are “reducing the burden of compliance” and “streamlining its regulations,” while promoting “meaningful information sharing”.

2018 HIPAA changes could make life simpler for many healthcare organizations as the HHS attempts to minimize duplication and burdensome requirements and eliminate outdated restrictions and obsolete regulations.

HIPAA Enforcement in 2018

In 2016 there was a significant increase in HIPAA enforcement activities by OCR with more settlements reached with covered entities and business associates than any other year since the HIPAA Enforcement Rule was signed into law. In 2016 there were 12 settlements and one civil monetary penalty issued and 2017 HIPAA settlements were well above average levels, with 9 settlements and one civil monetary penalty. So, what can we expect for HIPAA enforcement in 2018?

At HIMSS 2018, Roger Severino gave a presentation on HIPAA compliance, enforcement, and policy updates from the Office for Civil Rights and made it clear OCR will continue to pursue settlements with HIPAA covered entities for egregious violations of HIPAA Rules. Severino said OCR still has the same enforcement mindset and that there will be “no slowdown in our enforcement efforts,” and “we’re still looking for big, juicy, egregious cases.” That does not necessarily mean large healthcare organizations. OCR treats potential HIPAA violations on a case by case basis, and smaller healthcare organizations may similarly be punished if they are discovered to have violated HIPAA Rules.

Severino said OCR does not want to fine healthcare organizations for violating HIPAA Rules and wants the settlements to reduce, but for that to happen, healthcare organizations must improve their compliance programs. 2018 HIPAA enforcement is likely to continue to see financial penalties issued for common HIPAA violations such as the failure to conduct regular risk assessments.  Already, 2018 has seen two settlements announced. A $100,000 penalty for Filefax, Inc., and a $3,500,000 settlement with Fresenius Medical Care North America. Time will tell if this was a blip or if that pace will be maintained throughout the year.

OCR is not the only enforcer of HIPAA Rules. State attorneys general can also issue fines for HIPAA violations, and the New York AG has been active in this area in recent weeks, fining EmblemHealth $575,000 in March and Aetna $1,150,000 in January. Further financial settlements are likely to be pursued in NY and other states to resolve HIPAA violations and privacy and security-related breaches of state laws.

The post 2018 HIPAA Changes and Enforcement Outlook appeared first on HIPAA Journal.

Is Zoho HIPAA Compliant?

Posted by HIPAA Journal

Many healthcare organizations would like to use Zoho tools and applications, but is Zoho HIPAA compliant? Can its tools and applications be used by U.S. healthcare organizations in conjunction with protected health information? In this post we explore whether Zoho supports HIPAA compliance for any of its cloud-based services.

What is Zoho?

Zoho is a Pleasanton, CA-based developer of cloud applications and web-based tools that includes email (Zoho Mail), a document editor (Zoho Docs), a customer relationship management platform (Zoho CRM), a spreadsheet editor (Zoho Sheet), a presentation editor (Zoho Show), a custom application builder (Zoho Creator), a project management platform (Zoho projects), live chat software (Zoho Chat), a bookkeeping service (Zoho Books), app integration platform (Zoho Flow), and an IoT management platform (WebNMS).

The company is focused on providing innovative cloud-based solutions for businesses and has been developing applications since 1996. Many of its solutions are broadly comparable to those provided by Google (G Suite) and Microsoft (Office 365). Its apps have been developed to integrate with both suites of products.

Can HIPAA-Covered Entities Obtain a Zoho Business Associate Agreement?

There has been considerable interest in Zoho from healthcare organizations in the United States who are keen to use its cloud-based services, although there is little information about business associate agreements on the Zoho website. Zoho forums suggest a Zoho HIPAA compliance program has been in development for some time, but as of yet, a Zoho HIPAA compliant service is not being offered.

We have contacted Zoho for clarification on business associate agreements and the current state of the Zoho HIPAA compliance program and are awaiting a reply; however, at present it would appear that Zoho will not enter into a BAA with HIPAA-covered entities.

Is Zoho HIPAA Compliant?

While Zoho is focused on providing solutions for businesses, there are several issues that need to be resolved before the platform can be used by U.S. healthcare organizations.

Zoho services have not been developed for the healthcare industry in the United States, and while the company complies with ISO/IEC 27001 and SOC 2 for security, crucially the company will not sign a business associate with HIPAA-covered entities.

So, is Zoho HIPAA compliant? At present, Zoho does not fully support HIPAA compliance and should therefore be avoided by HIPAA-covered entities and their business associates who are seeking HIPAA-compliant solutions. Zoho applications and tools should not be used in conjunction with any electronic protected health information.

The post Is Zoho HIPAA Compliant? appeared first on HIPAA Journal.

Is Office 365 HIPAA Compliant?

Posted by HIPAA Journal

Is Microsoft Office 365 HIPAA compliant? Can healthcare organizations use Office 365 and remain in compliance with HIPAA and HITECH Act Rules?

What is Office 365?

Office 365 is a suite of subscription products developed by Microsoft that includes Word, Excel, PowerPoint, OneNote, Outlook, Publisher, and Access.

Office 365 for Healthcare

Microsoft is willing to enter into a business associate agreement (BAA) with HIPAA covered entities for Office 365 and Microsoft Dynamics CRM Online, provided the latter is purchased through Volume Licensing Programs or the Dynamics CRM Online Portal. The Microsoft BAA also covers the use of the Microsoft Azure cloud platform.

Microsoft does not demand that a BAA be obtained prior to use of Office 365, as the BAA is automatically made available to customers with an online service contract. However, HIPAA covered entities should obtain a BAA prior to use of Office 365 in conjunction with any electronic protected health information (ePHI). They should also specify an administrative contact. In the event of a security breach, the administrative contact will be notified of a breach by Microsoft.

While there are companies that offer HIPAA certification to confirm that a company or product complies with HIPAA Rules, there is no official certification recognized by the HHS’ Office for Civil Rights or other federal agencies. However, Microsoft has undergone independent audits under ISO 27001 which incorporate assessments of security practices recommended by the HHS. Office 365 has been verified as having all necessary privacy and security controls to comply with HIPAA Rules.

Office 365 Security

All data uploaded to or stored on Microsoft servers is protected by encryption and any data transferred outside of Microsoft facilities is similarly encrypted.  However, packet headers and message headers are not encrypted.

Provided ePHI is not entered into the subject line of emails, the names of files attached to emails, or is used in the to and from fields of emails, email can be used securely.

Microsoft Office 365 meets HIPAA auditing requirements and logs of access to stored data are maintained. Reports on access logs can be obtained from Microsoft on request.

Microsoft offers 2-factor authentication to prevent Office 365 and Outlook email accounts from being accessed if a password is compromised and an unfamiliar device attempts to log into an account.

Is Microsoft Office 365 HIPAA Compliant?

So, is Microsoft Office 365 HIPAA compliant? Provided a HIPAA-covered entity has entered into a business associate agreement with Microsoft, Office 365 can be used in a manner compliant with HIPAA Rules.

While all appropriate privacy and security controls have been implemented by Microsoft to ensure that Office 365 can be used by HIPAA-covered entities while remaining compliant with HIPAA and the HITECH Act, use of Office 365 does not guarantee compliance, even if a BAA has been obtained from Microsoft.

It is the responsibility of covered entities to ensure access controls are configured correctly, administrator access tracking is turned on, Microsoft Dynamics CRM Online for supported devices is turned off, access control reports are obtained and checked regularly, and all users are trained how to use Office 365 in a manner compliant with HIPAA Rules.

The post Is Office 365 HIPAA Compliant? appeared first on HIPAA Journal.

When Was HIPAA Enacted?

Posted by HIPAA Journal

How long has compliance with the Health Insurance Portability and Accountability Act (HIPAA) been necessary? When was HIPAA enacted and what were the compliance dates for the original act and its subsequent amendments?

When was HIPAA Enacted?

HIPAA was enacted on August 21, 1996 when President Bill Clinton added his signature and signed the legislation into law. One of the key aims of the legislation was to improve the portability and accountability of health insurance coverage – Ensuring employees retained health insurance coverage when between jobs.

HIPAA combatted wastage in healthcare and helped to prevent fraud and abuse in healthcare delivery and health insurance. HIPAA also simplified the administration of healthcare.

HIPAA was enacted and signed into law in 1996, but there have been major updates to HIPAA legislation over the years, notably the introduction of the HIPAA Privacy Rule, The HIPAA Security Rule, the incorporation of HITECH Act requirements and the HIPAA Omnibus Rule.

These updates added many new provisions to HIPAA legislation and helped to ensure that patient privacy was protected, healthcare data was appropriately secured, patients and plan members were notified in the event of a breach of their protected health information, and business associates of HIPAA covered entities also had to comply with HIPAA Rules.

The introduction of the HIPAA Enforcement Rule in 2006 gave the Department of Health and Human Services’ Office for Civil Rights the power to enforce HIPAA. Since then, it has been possible for the HHS to pursue financial penalties for non-compliance with HIPAA Rules.

When was the HIPAA Privacy Rule Introduced?

The HIPAA Privacy Rule was first proposed on November 3, 1999 with the HIPAA Final Privacy Rule of HIPAA enacted on December 20, 2000, although corrections were made almost immediately. The most important date is April 14, 2003 when HIPAA-covered entities were required to comply with the HIPAA Privacy Rule.

The HIPAA Privacy Rule defined Protected Health Information (PHI) and regulated the use of PHI by HIPAA covered entities, stipulating to whom the information could be disclosed and under what circumstances.  The HIPAA Privacy Rule requires appropriate safeguards to be implemented to protect the privacy of patients. Patients were also given the right to obtain copies of the PHI held by HIPAA-covered entities.

When was the HIPAA Security Rule Introduced?

The HIPAA Security Rule was first proposed on August 12, 1998, with the final Security Rule of HIPAA enacted on February 20, 2003. Compliance with the HIPAA Security Rule became mandatory on April 21, 2006.

The HIPAA Security Rule is primarily concerned with the establishment of national standards for security to protect electronic protected health information. The HIPAA Security Rule requires administrative, physical, and technical safeguards to be implemented to ensure the confidentiality, integrity, and availability of PHI.  The HIPAA Security Rule also requires covered entities to conduct a risk analysis to identify risks to the confidentiality, integrity, and availability of PHI and to manage those risks and reduce them to a reasonable level.

When was the HITECH Act Incorporated into HIPAA?

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on February 17, 2009. Certain elements of HITECH became effective the same month, such as increased penalties for violations of HIPAA Rules. Most of the provisions of the HITECH Act became effective and were enforceable from February 27, 2010.

The HITECH Act’s incorporation into HIPAA resulted in the creation of the HIPAA Breach Notification Rule which requires covered entities to notify individuals when PHI is exposed or compromised. HITECH also required business associates of HIPAA-covered entities to comply with HIPAA Rules and made them directly accountable for HIPAA violations.

The HIPAA Omnibus Rule of 2013 finalized and incorporated many provisions of the HITECH Act into HIPAA with the the HIPAA Omnibus Rule of HIPAA enacted on January 17, 2013. The compliance deadline was September 23, 2013.

Important Dates in the History of HIPAA

  • August 21, 1996 – HIPAA signed into law
  • December 20, 2000 – HIPAA Final Privacy Rule issued
  • February 20, 2003 – HIPAA Final Security Rule issued
  • April 14, 2003 – HIPAA Privacy Rule compliance deadline
  • April 21, 2006 – HIPAA Security Rule compliance deadline
  • March 16, 2006 – HIPAA Enforcement Rule becomes effective
  • February 17, 2009 – HITECH Act signed into law
  • February 27, 2010 – HITECH Act compliance deadline
  • January 17, 2013 – HIPAA Omnibus Final Rule issued
  • September 23, 2013 – Omnibus Rule compliance deadline

Further information on HIPAA

You can find out more about HIPAA compliance here, and for further information on landmarks in HIPAA take a look at our HIPAA history page and infographic.

The post When Was HIPAA Enacted? appeared first on HIPAA Journal.

Is a HIPAA Violation Grounds for Termination?

Posted by HIPAA Journal

Is a HIPAA violation grounds for termination? What actions are healthcare organizations likely to take if they discover an employee has violated HIPAA Rules?

Since the introduction of the HIPAA Enforcement Rule, the HHS’ Office for Civil Rights has been able to pursue financial penalties for HIPAA violations. Organizations discovered to have violated HIPAA Rules or failed to have implemented policies and procedures in line with HIPAA Rules can face severe financial penalties. But what about individual employees who accidentally or deliberately violate HIPAA and patient privacy?

Do Most Healthcare Organizations Consider a HIPAA Violation Grounds for Termination?

Not all HIPAA violations are equal, although any violation of HIPAA Rules is a serious matter that warrants investigation and action by healthcare organizations.

When a HIPAA violation is reported – by an employee, colleague or patient – healthcare organizations will investigate the incident and will attempt to determine whether HIPAA laws were violated, and if so, how the violation occurred, the implications for patients whose privacy has been violated, potential legal issues arising from the violation and possible action by regulators. Healthcare organizations will be keen to take action to ensure that similar violations are prevented in the future.

When an employee is discovered to have knowingly or unknowingly violated HIPAA Rules there are likely to be repercussions for the individual concerned.

An unintentional acquisition, access, or use of protected health information by a workforce member in which the acquisition, access, or use was made in good faith and within the scope of authority would not be a reportable breach and may not necessarily result in disciplinary action.

Some healthcare organizations have strict rules on violations of HIPAA Rules and regularly terminate employees for HIPAA violations. Others have a policy of dealing with minor HIPAA violations internally. Depending on the nature of the violation, the incident may warrant disciplinary action against the individual concerned which could see the employee suspended pending an investigation. Termination for a HIPAA violation is a possible outcome.

Ultimately the repercussions for a HIPAA violation will depend on the polices in place at an organization and the severity of the violation. A violation of the Minimum Necessary Information Standard may, depending on the circumstances, be considered a matter for internal disciplinary action and not termination. Viewing the medical records of any patient without authorization is likely to result in termination unless the incident is reported quickly, no harm was caused to the patient, and access was accidental or made in good faith.

Recent Cases Where Healthcare Providers Deemed a HIPAA Violation Grounds for Termination

Criminal Penalties for HIPAA Violations

Termination may not be the worst that can happen when HIPAA Rules are violated by employees. Healthcare employees may be found criminally liable for HIPAA violations and cases can be referred to the Department of Justice for prosecution.

Criminal violations of HIPAA Rules can result in financial penalties and jail time for healthcare employees. A fine of up to $50,000 and one year in jail is possible when PHI is knowingly obtained and impermissibly disclosed. A fine of up to $100,000 and five years in jail is possible for violations involving false pretenses, and a fine of up to $250,000 and up to 10 years in jail is possible when HIPAA Rules have been violated for malicious reasons or for personal gain. A further 2 years can be added onto the sentence for aggravated identity theft.

The post Is a HIPAA Violation Grounds for Termination? appeared first on HIPAA Journal.

Is Google Calendar HIPAA Compliant?

Posted by HIPAA Journal

Is Google Calendar HIPAA compliant? Can the time management and calendar scheduling service be used by healthcare organizations or would use of the service be considered a violation of HIPAA Rules? This post explores whether Google supports HIPAA compliance for the Google Calendar service.  

Google Calendar was launched in 2006 and is part of Google’s G Suite of products and services. Google Calendar could potentially be used for scheduling appointments, which may require protected health information to be added.

Uploading any protected health information to the cloud is not permitted by the HIPAA Privacy Rule unless certain HIPAA requirements have first been satisfied.

A risk analysis must be conducted to assess potential risks to the confidentiality, integrity, and availability of ePHI. Risks must be subjected to a HIPAA-compliant risk management process and reduced to an acceptable level. Access controls must be implemented to ensure that ePHI can only be viewed by authorized individuals, appropriate security controls must be in place to prevent unauthorized disclosures, and an audit trail must be maintained.

Further, healthcare organizations covered by HIPAA Rules are required to enter into a HIPAA-compliant business associate agreement with any vendor before any electronic protected health information is disclosed, even if the service provider says it does not access customer data.

Google has appropriate security controls in place to protect data uploaded to Google Calendar and access and audit controls can be configured, so Google Calendar HIPAA compliance hinges on whether Google is willing to enter into a business associate agreement with HIPAA-covered entities or their business associates.

Google’s Business Associate Agreement

Google is willing to sign a business associate agreement with healthcare organizations for its paid services, but not for any of its free services. The business associate agreement covers the use of G Suite, and includes Google Calendar, Google Drive, the chat messaging feature of Google Hangouts, Hangouts Meet, Google Keep, Google Cloud Search, Google Sites, Jamboard, and Google Vault services.

HIPAA-covered entities must enter into a BAA with Google prior to any of the above services being used with ePHI. Once a signed BAA has been obtained the services can be used, although it is the responsibility of the covered entity to ensure that the services are used in a manner compliant with HIPAA Rules. Google provides a HIPAA-compliant service, but it is still possible for organizations and employees to violate HIPAA Rules using its services.

Is Google Calendar HIPAA Compliant?

So, is Google Calendar HIPAA compliant? Provided a BAA has been obtained, Google Calendar can be considered a HIPAA compliant time management and calendar scheduling service.

The post Is Google Calendar HIPAA Compliant? appeared first on HIPAA Journal.

EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach

Posted by HIPAA Journal

A 2016 mailing error by EmblemHealth that saw the Health Insurance Claim Numbers of 81,122 plan members printed on the outside of envelopes has resulted in a $575,000 settlement with the New York Attorney General.

While all mailings include a unique patient identifier on the envelope, in this case the potential for harm was considerable as Health Insurance Claim numbers are formed using the Social Security numbers of plan members.

Announcing the settlement, New York Attorney General Eric T. Schneiderman explained that Health Insurance Portability and Accountability Act (HIPAA) Rules require HIPAA covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality of patients’ and plan members’ protected health information.

The error that saw Social Security numbers exposed violated HIPAA Rules. EmblemHealth failed to comply with “many standards and procedural specifications” required by HIPAA. Attorney General Schneiderman also said that printing Social Security numbers on the outside of envelopes violated New York General Business Law § 399-ddd(2)(e).

In addition to the $575,000 settlement, EmblemHealth is required to adopt a robust corrective action plan that requires a comprehensive risk analysis to be conducted related to the mailing of policy documents. The results of that risk analysis must be reported to the Attorney General’s office within 180 days. Policies and procedures related to mailings must also be reviewed and updated based on the findings of the risk analysis.

EmblemHealth must catalogue, review, and monitor mailings and ensure that all employees involved in mailings receive appropriate training. They must also be instructed to report any violations of the HIPAA Minimum Necessary Standard to EmblemHealth officials to allow prompt action to be taken manage risks to plan members. EmblemHealth is also required to report all security incidents to the Attorney General’s office for a period of 3 years from the date of the settlement.

According to Attorney General Schneiderman, New York has “weak and outdated security laws” which he has attempted to address by introducing the ‘Stop Hacks and Improve Electronic Data Security (SHIELD) Act’ in November 2017. There will now be a further push to get the SHIELD Act passed. Schneiderman claims the SHIELD Act will improve protections for state residents. Businesses will also be held accountable for data breaches that result in customers’ personal data being exposed.

“The careless handling of social security numbers is never acceptable,” said Attorney General Schneiderman. “New Yorkers need to be able to trust that companies entrusted with their private information will guard it appropriately. This starts with good governance—which is why my office will continue to push for stronger security laws and hold businesses accountable for protecting their customers’ personal data.”

The post EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach appeared first on HIPAA Journal.

What is HIPAA Certification?

Posted by HIPAA Journal

A frequently asked question in the healthcare industry is what is HIPAA certification; for although there is no standard or implementation specification within HIPAA that requires Covered Entities or Business Associate to certify compliance, several third-party organizations offer HIPAA certification services.

What is HIPAA Certification?

Although there is no official HHS-mandated HIPAA certification process or accreditation, it would be beneficial if there was. A HIPAA compliance certification could demonstrate that a Covered Entity or Business Associate understands and complies with HIPPA regulations – thus, for example, saving Covered Entities a considerable amount of time conducting due diligence on prospective vendors.

Nonetheless, despite there being no requirement for HIPAA certification, some companies claim to be certified as HIPAA compliant. What this means is they have passed a third-party organization´s HIPAA compliance program and implemented mechanisms to maintain compliance. In the absence of a program endorsed by the Department of Health and Human Services (HHS), this is the next best thing.

Why there is No HHS-Endorsed HIPAA Certification

The Department of Health and Human Services does not endorse any type of HIPAA certification because HIPAA compliance is an on-going progress. A HIPAA certified company may have passed a third-party organization´s HIPAA compliance program and implemented mechanisms to maintain compliance, but that is no guarantee the company will remain HIPAA compliant in the future.

There are multiple reasons why a company may not remain HIPAA compliant in the future. It may change the technologies it uses or the ways in which technologies are used. It may change business objectives, operational procedures, or change staff management policies. Any of these changes might invalidate a HIPAA certification – notwithstanding that HIPAA regulations may also change in the future.

HIPAA Training and Certification

HIPAA does not require employees to complete any specific training program and obtain HIPAA certification. However it is necessary for HIPAA training to be provided “as necessary and appropriate for members of the workforce to carry out their functions.” It is also necessary for the date and nature of the training to be documented, and the documentation maintained for at least six years.

Since HIPAA Rules are complex and far-reaching, HIPAA training companies are often used as an alternative to in-house training. The training companies employ HIPAA compliance experts to train employees on the aspects of HIPAA relevant to their roles – such as the correct ways of handling protected health information (PHI), and allowable uses and disclosures of PHI.

One of the benefits to Covered Entities of using a third-party HIPAA training company is that, at the successful conclusion to a training course, they are issued with a HIPAA certification to verify and validate that employees have attended a HIPAA training course. While the certification may not be endorsed by the HHS, it will be beneficial to the Covered Entity in the event of a HIPAA audit.

Third Party Audits Confirming HIPAA Compliance

With regards to HIPAA audits, it is important to note the HHS states on its website that “Certifications do not absolve Covered Entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”

Nonetheless, it is common for potential Business Associates of HIPAA Covered Entities to undergo audits by third party HIPAA compliance experts in order to confirm that their products, services, policies, and procedures meet HIPAA standards. The audits are useful for Covered Entities´ peace of mind as they confirm HIPAA compliance at the time the audit was conducted.

However, for Business Associates unfamiliar with the far-reaching complexities of HIPAA, it is likely they will require help to become compliant. For this reason, it can be important to select a third-party organization that not only offers HIPAA certification services, but one that can help Business Associates implement effective HIPAA compliance programs.

The post What is HIPAA Certification? appeared first on HIPAA Journal.