How to Get HIPAA Certified?
On what seems like an almost daily basis here at Accountable, we have prospective clients asking us for their “HIPAA Certificate” or whether we can help them obtain their HIPAA Compliance Certification. While we never turn any of these individuals away, we do take this as an opportunity to educate and clarify the services that we at Accountable and other providers offer. We hate to break it to you, but…
There is no such thing as a HIPAA Certification that is formally recognized by HHS (United States Department of Health and Human Services) or OCR (The Office of Civil Rights), the governing bodies that regulate HIPAA.
This might come as a shock to you, or it may not be a surprise at all. So how can you know you are truly HIPAA compliant? Well, you have a couple of different options here, so let’s dive right in. Your first (and most risky) option is to try to take on HIPAA compliance yourself, the shoot-from-the-hip approach. You can sit down with the hundreds of pages of legislation it entails and begin to tackle the seemingly insurmountable task of understanding and executing the steps necessary to become HIPAA compliant. If that just raised your blood pressure, don’t worry, we’ve got two more options for you.
Your next option would be to hire a lawyer who specializes in HIPAA, who will charge you anywhere from $100-$300 per hour to accomplish the aforementioned Goliath task. This could take them two weeks, or it could take them two months (the math there is $8,000 on the lowest end and $96,000 on the highest end). Again, this may seem like being stuck between a rock and a hard place, and we agree! That’s why we came up with a complete administrative solution and have solved this problem for thousands of businesses just like yours.
Here at Accountable, we offer a complete administrative solution to HIPAA compliance so that you can achieve and maintain HIPAA compliance efficiently and effectively for a fraction of what it would cost to hire a legal professional, while still providing the peace of mind that comes with working with a third-party expert. Now that is great and all, but you’re here to learn how you can get HIPAA certified. As you just learned, no such formally recognized certification exists; however, we will outline the basic steps to HIPAA compliance below.
Selecting a Privacy Officer
An easy step forward on your path toward compliance is appointing an internal Privacy Officer to spearhead compliance for your organization. While you are able to get help from external organizations, HIPAA requires that someone internal holds the formal designation of Privacy Officer. Unlike other legislation such as GDPR, there is no specification as to the credentials of this individual. We've worked with CEOs, CTOs, IT professionals, and executive assistants - if they’re on your payroll, they can be the Privacy Officer. However, the most effective Privacy Officer is someone who has the authority and clout in the organization to implement the organizational changes needed to safeguard health data.
Security Procedures
Security Procedures are often grouped together with Privacy Policies, and while they sound similar, they are completely separate requirements of HIPAA. The Security Procedures are the practical ways in which privacy is maintained. Think of security as the defense. This can be anything from strong passwords and multi-factor authentication to encryption. Essentially, anything that secures and protects your PHI falls under the security procedures, much like locking your doors at night. In a physical office this could be as simple as documenting that you lock the filing cabinets where PHI is stored. All in all, robust security procedures play a major role in actively protecting the PHI your organization comes in contact with.
Establish Business Associate Agreements with Vendors
HIPAA outlines two kinds of entities that are required to be HIPAA compliant, so your business falls under one of two categories: a Covered Entity or a Business Associate. A Covered Entity is anyone providing direct medical services or care. This includes entities such as medical practices, pharmacies, dental practices, and psychotherapists. These are the kinds of organizations that commonly come to mind when thinking about who needs to be HIPAA compliant. Business Associates, on the other hand, are organizations that do not directly provide medical care but come in contact with PHI due to the nature of their work. They could be telehealth companies, accountants, or software developers. When two of these organizations work together, they are required to sign a Business Associate Agreement (BAA) that states both organizations are HIPAA compliant. If either organization is breached or audited, it can result in an audit of any other parties involved. Because of this, it is crucial that you have strong BAAs in place, as well as due diligence in vetting potential Business Associates.
Annual HIPAA Training
We are intentionally only now talking about annual HIPAA training, as it is often seen as the only requirement for a company to be HIPAA compliant, when in reality it is but one of many steps in obtaining HIPAA compliance. That being said, annual HIPAA training is an important part of HIPAA compliance and often one of the most important at the employee level. Keeping a record of these trainings is important, and ensuring that every employee who comes in contact with PHI has gone through adequate training considerably reduces the risk of a breach from human error.
Annual Risk Assessment
Another major requirement of HIPAA is an annual Risk Assessment, or a Risk Assessment whenever a major change to the organization occurs. For a covered entity this could be the opening of a new location; for a more tech-based business, a new product offering. These risk assessments serve as a reevaluation of internal practices, ensuring both that what you say you are doing is actually being practiced and that ample policies and procedures are in place to reduce risk. It is important to store these risk assessments internally, as they serve as a paper trail showing continued HIPAA compliance in the event of an audit. While a breach can always occur, these risk assessments show that your organization has taken HIPAA compliance seriously and can help to mitigate further fines in the event of a breach or audit.
Establish a Breach Notification Protocol
Finally, an important step in HIPAA compliance is establishing an internal breach notification protocol in the event that your organization does have a breach. This internal reporting system should be an efficient way of notifying key internal employees that a breach has occurred so that an adequate response can take place and further data exposure is prevented. Ultimately, no organization ever wants a breach to occur, but it is always important to have a plan in place in the event of one.
So, while unfortunately there is no formal HIPAA Certification recognized by HHS or OCR, these are a handful of the basic steps to being certain you are HIPAA compliant. At Accountable, if you complete the steps within our platform to become HIPAA compliant, we offer our Seal of Compliance that can be displayed on your website and any marketing material to show your prospective clients and business partners that you have taken HIPAA seriously and have taken comprehensive steps to achieve and maintain your HIPAA compliance. For more information on everything Accountable offers, feel free to schedule a demo with one of our Compliance Specialists today!