HIPAA Certification vs HIPAA Compliance
What is the difference between being HIPAA compliant and HIPAA certified?
Compliance refers to adhering to the proper rules in accordance with the guidelines and requirements of HIPAA in order to safeguard individually identifiable health information.
Certification is the process in which an organization or individual is awarded a document that signals the completion of an education course or process.
Both of those have their own individual purpose and can’t be used interchangeably. For example, certification is something that is obtained by an individual or organization, but compliance is something that is maintained by an organization by adhering to the regulations of HIPAA. An employee cannot be compliant with HIPAA, but they can help an organization maintain compliance. It is important to note that the Department of Health and Human Services and its Office for Civil Rights, which is responsible for enforcing HIPAA, do not recognize or endorse HIPAA courses or certificates as fulfilling the obligations of the Security Rule.
HIPAA certification just means that an organization has participated in and completed a process that is meant to instruct and train the organization staff in how to become HIPAA compliant. Just like it is possible to pass a test without understanding the material being tested and then immediately forget the information, an organization can receive a HIPAA certification without actually taking any real action towards compliance. With that in mind, a certification is not a recognizable measure of compliance. A HIPAA certification course or framework should be viewed as a toolkit; the organization now has access to meaningful tools and instructions to help it become compliant with the laws that make up HIPAA.
HIPAA certification courses and frameworks are available from a number of companies (like yours truly) that focus on ensuring businesses understand and are able to comply with the regulations of HIPAA, but they do not perform those tasks for the company, nor do they assume any risk or liability for an organization that does not follow through on the appropriate steps. For example, our HIPAA compliance software will provide detailed information on how to conduct a risk assessment. However, it will not complete the risk assessment for you.
So no, being HIPAA certified does not guarantee HIPAA compliance, nor are any of the courses or frameworks endorsed by HHS. Does that mean that a HIPAA certification program is worthless? No.
Why get a third party HIPAA Certification?
If certification is not proof of compliance, you may be asking what the value of seeking certification from a third party is. There are several reasons why this may be a good idea for your organization:
Third parties are far more knowledgeable about HIPAA rules and regulations. By virtue of working with multiple organizations, they have created frameworks that you can work within to identify risks, address shortcomings, and adopt policies and procedures that fit your organization. We understand what measures you should take to safeguard and maintain electronic protected health information, and can walk you through the various rules such as the HIPAA Privacy Rule.
You can outsource HIPAA training. Rather than having to identify the training materials and present them to your employees yourself, you can trust experts to present simplified and relevant information to your employees in order to satisfy the HIPAA Security Rule, which states that employees must be trained to protect PHI. It is one less thing for you to do.
A fresh perspective on your policies and procedures. You may have been doing all that you think you need to do to achieve compliance. But most people are not experts in HIPAA; even compliance departments at large healthcare organizations do not know everything about HIPAA. With that in mind, third party frameworks can help you identify blind spots and look under stones that you wouldn’t have thought to look under.
Guide you through a risk assessment. One of the key requirements of the HIPAA Security Rule is that an organization conduct a thorough risk assessment to identify vulnerabilities and gaps in its security. However, HIPAA does not tell you how to do this, and you may not know what questions to ask. A fresh set of eyes can help you identify your organization’s shortcomings better than an insider would.
HIPAA Certification can be a great marketing tool. Depending on the type of organization working to ensure compliance, a third-party certification like the one we offer may be beneficial for marketing services.
If you are a cloud software provider hoping to gain clients in the healthcare industry, a covered entity may be more comfortable doing business with you if you have received a third-party HIPAA certification. Likewise, patients seeking a primary care physician may feel reassured if they see a HIPAA certification seal on your website, even if it is not from the HHS. Either way, a third-party certification will look more credible than your own claim about HIPAA compliance.
How to be HIPAA compliant
Organizations and individuals should take all the information learned from their HIPAA certification training and frameworks and put it into practice to achieve and maintain HIPAA compliance, so these tools certainly have real value.
With the expansion of the HIPAA regulations over the past two decades, specialized organizations such as payroll providers or cloud hosting providers that were not originally designed to comply with healthcare regulations may now find themselves in the crosshairs of the OCR. With that in mind, it is important that these business associates now add HIPAA compliance to their toolkit. Since HIPAA and its acts are extremely broad yet vague, platforms like Accountable can help you learn about the five rules of HIPAA and provide you with a framework to make certain that all the requirements have been met in order to protect your business from an audit. The penalties for noncompliance can be quite severe.