Do I need HIPAA Certification?

Any health information manager working for a HIPAA entity will want to ensure that they are doing everything possible to prevent a HIPAA breach from occurring. HIPAA training forms a key part of this effort, but what sort of training is required? Is it sufficient to have staff complete a free HIPAA training course, or is something more in-depth required that comes with a document providing HIPAA certification?

What is HIPAA certification?

What is referred to as HIPAA certification is accreditation or documentation that acts as evidence that a HIPAA entity has implemented a robust and effective HIPAA compliance regime which is 100% compliant with all the relevant provisions of the HIPAA legislation. There are many compliance training companies that can provide HIPAA certification to groups that have successfully completed a HIPAA compliance or training course and have had a review of their documentation, policies, and procedures completed.

Once this has taken place, these HIPAA entities may claim that they are officially ‘HIPAA Certified’ or that the services they offer are ‘HIPAA compliant’. In some instances this also comes with a badge or logo that can be displayed for advertising and marketing purposes.

What Does HIPAA Certification Officially Mean?

The Department of Health and Human Services’ Office for Civil Rights (OCR), the main body that polices HIPAA compliance, does not officially recognize any HIPAA certification currently on offer. 

This is because HIPAA compliance is an ongoing process, and the completion of an audit by a third-party company only confirms that the group was compliant at the time the review took place. There is nothing to say that this is still the case, and with changes in technology and communications it might not be long before the HIPAA certification is outdated.

OCR states: “It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”

However, even though HIPAA certification is not officially recognized or endorsed, it can act as proof that the group has done everything possible to ensure that private health information remains protected at all times. This is further strengthened when the compliance certification process is repeated on an annual basis. In the unfortunate event of an unavoidable violation of HIPAA rules, it will also show those investigating the breach that you were taking compliance 100% seriously. This can make a massive difference when it comes to calculating potential penalties.

HIPAA Certification Types

A typical compliance vendor HIPAA certification process will include a review of administrative, technical, and physical security measures related to the HIPAA Security Rule, risk management policies and procedures, documentation, and business associate agreements. In the event that something is discovered which is not compliant, it must be remedied before the vendor will confirm HIPAA certification. 

HIPAA certification for a healthcare worker shows that the person has completed HIPAA and security training in line with the specific training requirements of the HIPAA Privacy and Security Rules. This is normally awarded following a training course in which the recipient confirms that they have a good understanding of their requirements under HIPAA and how it impacts their work.

Having employees who hold this HIPAA certification can be extremely valuable for companies, as it can help limit liability in the event of a HIPAA breach. It can also be valuable for healthcare workers, as it makes them more attractive during the hiring process.