HIPAA compliance certification is a concept rife with confusion. Certification often gets confused with HIPAA compliance, resulting in erroneous and potentially costly assumptions.
Healthcare practices should understand that there's a big difference between achieving HIPAA compliance certification and achieving HIPAA compliance. According to the HIPAA Journal, "… there is no standard or implementation specification within HIPAA that requires covered entities or business associate to certify compliance …"
What does HIPAA compliance certification mean for your practice? Let's explore some facts about certification and examine why it can be a good idea despite not being an essential part of achieving and maintaining compliance.
1. HIPAA compliance certification has no official purpose.
Before diving headfirst into pursuing HIPAA compliance certification, understand that HIPAA compliance certification is not a federal requirement and does not officially provide a practice with any regulatory protections. Becoming HIPAA certified essentially means that a practice has completed training provided by a commercial third-party that is intended to help an organization become more HIPAA compliant or validate existing compliance. As a result of completing this training, the training company may provide its own "certification" to the organization — and possibly include a physical certificate.
However, receiving that certification does not mean your organization is HIPAA compliant, nor does it indicate your organization is somehow "certified" by the Department of Health and Human Services' (HHS) Office for Civil Rights, which is responsible for enforcing the HIPAA Privacy and Security Rules. In fact, HHS does not endorse any type of HIPAA certification.
If you complete a certification program today, it likely means your organization is performing well concerning its HIPAA compliance … today. But what about the future?
2. HIPAA compliance is ongoing.
HIPAA compliance is an ongoing process, and there's no guarantee an organization certified today is or will remain HIPAA compliant. That's one reason HHS doesn't endorse certification or offer certification itself, the HIPAA Journal explains.
There are a multitude of reasons why a practice may not remain HIPAA compliant. As time passes, a practice may adopt new technologies or experience staffing changes, for example. These are just a few changes that could affect compliance, notwithstanding changes to the HIPAA regulations themselves.
That said, while HIPAA compliance certification is completely optional, HIPAA training, like HIPAA compliance, is not.
3. Training your team is essential.
The HIPAA regulations do not mandate any specific training program, but they do require training. Here's how HHS summarizes workforce training and management requirements: "Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity). A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the (HIPAA) Privacy Rule."
That's a heavy lift, and it explains why many healthcare organizations seek outside support for the delivery of training and education. This HIPAA requirement also motivates some healthcare providers to seek certification as a means to facilitate what they hope will be effective training. Keep in mind that HIPAA certification provides no special protection when it comes to compliance audits.
The following statement from HHS outlines its stance: "It is important to note that HHS does not endorse or otherwise recognize private organizations' 'certifications' regarding the (HIPAA) Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a 'certification' by an external organization does not preclude HHS from subsequently finding a security violation."
Still, this information does not mean that practices should avoid seeking certification; rather, they just need to be clear about its limitations.
4. If you pursue HIPAA compliance certification, do your due diligence.
Should you decide certification is the right avenue for your practice, you have options for companies that will provide the service for you. The certification can often be handled remotely, so the pandemic poses no barriers.
Companies will have different approaches to providing certification, but most begin the process by conducting a HIPAA assessment to identify potential vulnerabilities and weaknesses and then assisting with implementing fixes and improvements. Employee training and a review of policies and procedures may also be part of the package.
If you elect to pursue certification, it's crucial to do your due diligence. You want a process that delivers tangible benefits and not just a certificate to post on your website.
Keep in mind, however, that some health IT experts question whether certification is worthwhile. For example, it may make more sense to outsource your healthcare information security needs to a reputable health IT service provider that is well-versed in HIPAA compliance, keeps current on changes and developments, and can demonstrate a track record of success in supporting customers.
Choosing the Right Healthcare IT Partner
Regardless of whether you decide to get "certified," when considering the security of your patient and practice data, you will want a managed services provider partner that thoroughly understands healthcare and health IT. In addition, you will want a team with HIPAA-specific expertise — one that provides ongoing (not once-and-done) training. This allows you to focus on ensuring HIPAA compliance in your practice without worrying about your data while reducing your potential liability.
Make sure the IT service provider you partner with offers regular reporting. That's good business any time, but it is crucial in the case of an unexpected HIPAA audit.
You also want an organization that can perform a HIPAA risk assessment. The HIPAA Security Rule defines a risk analysis as an "… accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate." Failure to undergo this type of HIPAA assessment is one of the most common HIPAA-related violations, with fines potentially running into the millions.
Medicus IT is here to help. We understand HIPAA and the high stakes that come with achieving and maintaining compliance. Connect with us to schedule a time to talk and learn more about how we help practices just like yours develop effective HIPAA programs that identify and address the vulnerabilities that put protected health information and other sensitive data at risk.