Any health information manager working for a HIPAA entity will be seeking to ensure that they are doing everything possible to prevent a HIPAA breach from occurring. HIPAA training forms a key part of this project but what sort of training is required? Is it sufficient to have staff complete a free HIPAA training course or is something more in-depth required that comes with a document providing HIPAA certification.
What is HIPAA certification?
What is referred to as HIPAA certification is accreditation or documentation that acts as evidence that a HIPAA entity has implemented a robust and effective HIPAA compliance regime which is 100% compliant with all the relevant provisions of the HIPAA legislation. There are many compliance training companies that can provide HIPAA certification to groups that have successfully completed a HIPAA compliance or training course and have had a review of their documentation, policies, and procedures completed.
Once this has taken place it is possible that these HIPAA entities can claim that they are officially ‘HIPAA Certified’ or that the services they offer are ‘HIPAA compliant’. In some instances this also comes with a badge/logo that can be displayed, for advertising/marketing purposes.
What Does HIPAA Certification Officially Mean?
The Department of Health and Human Services’ Office for Civil Rights (OCR), the main body that polices HIPAA compliance, does not officially recognize any HIPAA certification currently on offer.
This is due to the fact that HIPAA compliance is an ongoing process and the completion of any audit by any third-party company will only provide confirmation that the group was compliant at the time that the review took place. There is nothing to say that this is still the case and with changes in technology and communications it might not be l;ong before the HIPAA certification is outdated.
OCR states: “It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”
However, even though HIPAA certification is not officially recognized or endorsed, it can act as proof that the group has done everything possible in order to ensure that private health information remains protected at all times. This is further strengthened when this compliance certification process is completed on an annual basis. In the unfortunate event of an unavoidable violation of HIPAA rules occurring it will also show those investigating the breach that you were taking compliance 100% seriously. This can make a massive difference when it comes to calculate potential penalties.
HIPAA Certification Types
A typical compliance vendor HIPAA certification process will include a review of administrative, technical, and physical security measures related to the HIPAA Security Rule, risk management policies and procedures, documentation, and business associate agreements. In the event that something is discovered which is not compliant, it must be remedied before the vendor will confirm HIPAA certification.
HIPAA certification for a healthcare worker will show that a person has completed HIPAA and security in line with the specific training requirements of the HIPAA Privacy and Security Rules. This is normally awarded following a training course in which the recipient confirms that they have a good understanding of their requirements under HIPAA and how it impacts their work.
Having employees who hold this HIPAA certification can be extremely valuable for companies as it can assist with limiting liability in the event of a HIPAA breach occurring. It can be valuable for healthcare workers as it makes them more attractive during the hiring process.
HIPAA Certification: FAQ
Does the Department for Health and Human Services recognize HIPAA certification?
No, at the time of writing, the DHHS does not recognize any form of HIPAA certification. Therefore, any certification services that purport to be DHHS- or OCR (Office for Civil Rights)-endorsed are making fraudulent claims.
Can individuals be HIPAA-certified?
Yes, individual employees can choose to become HIPAA certified. Again, this is not required by the DHHS, though can be helpful in showing potential employers a commitment to preventing HIPAA violations. In some circumstances, employees may be fired for HIPAA violations. The extra HIPAA awareness that is part of HIPAA certification may help to guard against such instances.
What are the benefits of HIPAA Certification?
Though HIPAA certification is not necessary for a CE to be HIPAA-compliant, it can still be a useful exercise. HIPAA certification requires that certain minimum standards are met, which reduces the probability of HIPAA violations occurring. These violations can have hefty fines, so should be avoided at all costs. It also shows that the CE is committed to ensuring that no HIPAA violations occur. The latter point can help to foster trust between a patient and their healthcare provider or health plan.
Can particular BAs be certified as HIPAA compliant?
Business Associates can also become HIPAA certified, but as with CEs, it is not a requirement of HIPAA. Similarly, individual services or products provided by BAs cannot be HIPAA-certified, even if they can be used in a HIPAA-compliant manner.