Are you searching for a program that provides a HIPAA Compliance Certification? It may not be what you think it is.
Another question we get here at HIPAAgps is whether we provide a HIPAA Compliance Certification. This Certification is a document provided by some third-party organizations that claim that if you go through their system, they guarantee you are HIPAA compliant.
We gladly tell our clients we do not provide one. Now, I know you might be a little confused by that. Why would we be happy to claim that we don’t provide one when other companies do?
Because the U.S. Department of Health and Human Services (HHS) doesn’t provide one for any health care organizations that are required to be HIPAA compliant, nor does it recognize any HIPAA Compliance Certifications. HHS even accompanies its own HIPAA tools with disclaimers informing users that the use of the tools does not ensure HIPAA compliance. On the HHS website, it states:
“It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”
Essentially, HHS is warning health care organizations to be wary of any companies that “guarantee HIPAA compliance” or provide HIPAA compliance certifications.
Why doesn’t the government provide or endorse a HIPAA Compliance Certification?
Most likely, the government doesn’t provide or endorse any HIPAA compliance certifications because of the very nature of HIPAA compliance. HIPAA compliance is very much like risk management. The program and the ways to stay compliant are ever-evolving. Health care organizations have to regularly re-evaluate and make changes to their organization to mitigate Protected Health Information (PHI) security risks. Technology is constantly changing, and new risks pop up all the time.
For example, a few years ago, many people didn’t know what ransomware was. This year, the health care sector was hit hard by ransomware, and most people now know what it is and how detrimental it can be. Plus, in a 2016 Gemalto report, data showed that the health care industry is now the No. 1 target for data breaches. That’s new!
Consequently, even if an organization received a HIPAA Compliance Certification, something may change and that organization may no longer be HIPAA compliant until another risk assessment is conducted and new policies and procedures are implemented. So, an organization may have received one of these so-called HIPAA compliance certifications in 2015 and then had a ransomware breach in 2016. And, because it hadn’t performed a new risk assessment or any other evaluations, the Office for Civil Rights (OCR), which performs HIPAA audits and issues fines for noncompliance, is likely to fine the organization. Remember, HIPAA requires active, dynamic, ongoing compliance practices that are evaluated regularly and documented. A one-time certification doesn’t meet that standard.
Don’t be fooled by what some companies call a HIPAA Compliance Certification. You could end up paying thousands, even millions, of dollars in HIPAA fines if you put your trust in that little piece of paper. Start your compliance journey with a company that truly has your best interest in mind. At HIPAAgps, we’re open and honest about the realities of HIPAA compliance. We help you understand and manage the many HIPAA requirements in an affordable way.