Vendors who offer their services to healthcare organizations understand the importance of being recognized as HIPAA compliant. Hence, many service providers often ask if it is possible to get a HIPAA certification?
Ideally, a HIPAA certification would serve as proof that a third-party vendor understands and follows all aspects of HIPAA rules. If for example a transcription company is HIPAA certified, healthcare organizations that need some transcription jobs done will have no problem selecting this HIPAA-certified transcription company for the job.
In reality, there is no HIPAA Certified company. It’s a misnomer. A HIPAA compliance certification process or accreditation does not exist. Therefore, no company can claim that it is certified as HIPAA compliant. There is a reason why HIPAA certification is not issued to companies. HIPAA compliance does not stop at a certain point, it’s an ongoing process. A covered entity may be HIPAA compliant today, but tomorrow or some time later, it may be not.
Imagine that a healthcare provider got a HIPAA Certification after following all HIPAA policies and procedures and implementing the required technology to ensure HIPAA compliance. It is recognized as compliant at that point of assessment. But then when changes take effect – whether in policies, procedures, technology, HIPAA rules or business practices, the certification logically becomes invalid.
As it is now, employees of HIPAA covered entities are not required to complete a specific training for HIPAA certification. The only requirement is to get training on HIPAA rules and write a confirmation of having received that training. HIPAA covered entities and business associates, on the other hand, only need to provide the appropriate security awareness training for members of their workforce so that they can do their functions correctly.
Because of the complexity of the HIPAA Rules, covered entities choose to employ HIPAA training companies. Their HIPAA compliance experts are the ones who teach employees what they need to know about HIPAA. In particular, they give training on the appropriate handling of PHI, its uses and disclosures. Should there be any certification issued, it will only confirm the training that the employees completed. But it is not officially recognized by any federal agency.
HIPAA compliance experts may also conduct audits of business associates in behalf of HIPAA-covered entities. This is only to confirm that the products, services, procedures and policies of business associates satisfy HIPAA requirements at the time of the audit. Any certification issued, in this instance has no legal standing.
It is stated on OCR’s website that “Certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”