What is HIPAA Certification?


“HIPAA Certification” is not an officially recognized qualification indicating that a Covered Entity or Business Associate is HIPAA compliant. It is just a certificate indicating that a person or group has undergone some level of training towards HIPAA compliance.

The Department of Health and Human Services has released a statement on its website to the effect that there is no HIPAA Certification process, and that no company has the authority to certify HIPAA compliance.

The statement says: “It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule”.

The training conducted by HIPAA certification companies – even though not officially recognized – can supply valuable information that will help your practice or business towards compliance with HIPAA. Remember, HIPAA compliance is mandatory.

In addition to this, such are the complexities of HIPAA, the Final Omnibus Rule and HITECH that it can be an incredible help to have somebody with extensive knowledge of the regulations guide you through what needs to be completed in your specific circumstances. Many HIPAA certification companies offer bespoke training plans to meet their clients’ individual requirements.

It should be emphasized that, although certified training will not stop fines being issued by HHS for HIPAA violations, the fact that you or a colleague/team within your organization has completed training could be a mitigating factor and reduce the amount of any fine – assuming of course the lessons learned during HIPAA training have been put into use.

The cost of HIPAA certified training varies depending on the nature of the training and the personnel within a healthcare or healthcare support business who need training. Personnel working in a 5,000-bed medical center will require much more HIPAA training than a sole-trader insurance broker who handles a limited number of healthcare claims annually.

Although the HIPAA regulations apply equally to both bodies, there will be more compliance issues to resolve and more policies to establish in larger groups. Personnel within a 5,000-bed medical center will have access to a greater amount of Protected Health Information – placing the medical center at greater risk of a security or privacy violation.

Although the HIPAA training requirements are vague, HIPAA training is mandatory. But searching around for the “best HIPAA certification deal” is not an ideal solution. There are companies offering HIPAA certification for $19.99 after thirty minutes of training. Naturally, thirty minutes of training is insufficient to cover the complexities of HIPAA, the Final Omnibus Rule and HITECH.

Constantly reviewing processes, updating risk assessments and educating staff can be resource-intensive – and expensive if you are employing a third-party HIPAA certification firm. Many groups therefore appoint one person as a HIPAA compliance officer, pay to have that person trained as a HIPAA trainer, and then conduct all their HIPAA training in-house.

A different way to cut the cost of HIPAA training is with HIPAA training software. HIPAA training software lets you complete HIPAA certified training at your own pace. You can concentrate on the online training modules that are most relevant to your particular circumstances, pause and restart the modules as you wish, and use the same material to train other staff.

The best software-based HIPAA certified training courses use constantly updated online training modules with ongoing human support. Often sold as “total compliance solutions”, these courses can be customized to suit the requirements of each individual entity, and both train and guide employees through the minefield of HIPAA regulations.

A total HIPAA compliance solution should, by definition, be “total”. Many companies advertise their solutions as “total” while only providing advice on Security Rule risk assessments and safeguards. Just as companies offering HIPAA certification for $19.99 should be avoided, so should firms that offer anything less than a total solution. The key things to look out for include:

  • Risk assessments covering security, administrative, technical, physical, privacy and device risks.
  • A training management utility that records who has been trained and when.
  • Configuring administrative, physical and technical safeguards.
  • The formulation of compliant policies and procedures.
  • How to spot, report and handle breaches of PHI.
  • Business Associate management and due diligence features.

What is HIPAA Certification? FAQs:

Are HIPAA certifications only awarded for completing training courses?

No. Certifications can also be awarded to organizations that demonstrate compliance with Privacy Rule and Security Rule standards – although it is important to be aware that these are “point-in-time” certifications that do not guarantee ongoing compliance. This is why the HHS does not endorse or recognize private organizations’ certifications regarding Security Rule compliance.

Does the HHS recognize certifications of Privacy Rule compliance?

A Covered Entity may award certificates to members of the workforce when they complete their initial policy and procedure training, if they undergo refresher training, or when reaching milestones in security and awareness training. In these cases, although not officially recognized as certification by HHS, copies of certificates have to be retained for a minimum of six years to comply with the document retention requirements of the Privacy Rule.

What if an outsourced company provides HIPAA certification?

Covered Entities can outsource workforce training and other elements of HIPAA compliance to third-party compliance companies. Indeed, many smaller Covered Entities use compliance companies to conduct the periodic evaluations required by the Security Rule (see 45 CFR § 164.308 and this HHS article). If the outsourced company provides a certificate at the end of a training course or evaluation, that certificate should also be retained to demonstrate good faith efforts to comply with HIPAA in the event of an OCR audit, inspection, or investigation.

What are the benefits of demonstrating good faith efforts to comply with HIPAA?

When a HIPAA violation or data breach occurs, organizations that have “exercised a reasonable amount of care” to comply with HIPAA will be treated more leniently than an organization that has demonstrated “willful neglect”. This can reduce the financial penalties issued by the HHS Office for Civil Rights, or the time the organization is required to comply with a Corrective Action Plan.

How does online HIPAA training work?

Online HIPAA training is provided as a cloud-based service so members of the workforce can access the training from any Internet-connected device at work or at home. Courses consist of modules providing information about individual subjects (e.g., patients’ rights, the minimum necessary standard, cyber threats to ePHI, etc.); and, as each module is completed, a record of the student’s progress is kept on a Learning Management System. This way of providing basic training can raise the bar for HIPAA knowledge and simplify the provision of HIPAA-mandated policy and procedure training.