HIPAA Certification Requirements
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to reform healthcare in the USA. Its main objective was to ensure healthcare portability, so that people would not lose their coverage when they lost or changed jobs. Additionally, HIPAA put stringent privacy requirements in place regarding the sharing of patient medical records.
Earning a certification in HIPAA compliance can make your business highly valuable in the healthcare industry. However, these certifications are not endorsed or recognized by the US Department of Health and Human Services (HHS). Being certified does not absolve you of your obligations under the Security Rule.
But what exactly is HIPAA certification?
It means a third-party certification company conducts an audit of your company to see if it is compliant with HIPAA requirements. If it meets the standards of the Privacy, Security, and Breach Notification Rules of HIPAA, you can informally become “HIPAA certified.”
It is important to be aware that you need to be compliant, not certified. During an audit by the Office for Civil Rights (OCR), you will need more than a piece of paper: you will have to prove what you have been doing in daily practice to comply with the HIPAA rules.
So what do you do to become certified?
How do you become HIPAA certified and choose the right certification program?
The first step is to choose a HIPAA certification course that suits the individuals who need to take it. If it is difficult to include all your employees, whether for financial reasons or because staff cannot be released from their duties, selected employees can be trained as internal trainers. Because so many courses and providers are available online, it is hard to know which one to choose. Don’t just select any vendor; conduct due diligence first to make sure they can deliver a reliable product.
Now that we know what HIPAA certification is and how to become certified, let’s look at the various types of HIPAA certification.
Types of HIPAA certification
– Privacy and security awareness training.
This certification program is required annually for all Department of Health and Human Services (HHS) employees and contractors, and it is one of the few overseen by the federal government. It covers the technical, administrative, and physical requirements, and can be taken by IT administrators, executives, and managers.
– Certified HIPAA Professional (CHP).
Covering the ground-level basics of HIPAA compliance, this program is ideal for employees who have access to protected health information (PHI). There are no educational prerequisites, and it is useful for anyone, from administrative staff to healthcare workers, supervisors, IT staff, and executives.
– Certified HIPAA Security Compliance Specialist (CSCS).
This is an advanced version of the basic security training and covers both state and federal regulations.
– Certified HIPAA Administrator (CHA).
This applies to workers directly delivering or overseeing healthcare services, for example, hospital administrators and nurses. It is a more in-depth program and deals with data privacy.
– Certified HIPAA Security Specialist (CHSS).
As this is a higher-level certification, it requires applicants to hold a Certified HIPAA Professional (CHP) certification. It covers the technical aspects of HIPAA compliance and includes the security standards that apply to electronic protected health information (ePHI), such as electronic medical records management and storage. It is most useful for IT employees in the healthcare field.
Which brings us to the big question:
Should your organization become HIPAA “certified,” and why should you get a third-party certification?
This is a decision entirely up to your organization. As previously mentioned, there is no requirement to do so, and it does not absolve your company of any of its responsibilities under HIPAA.
But keep in mind, HIPAA’s requirements are complex, and a violation could result in hefty fines or criminal indictments for your company. Here are a few good reasons for receiving a third-party HIPAA certification, even if it’s not necessary:
– Behaviors that may seem harmless or non-offensive can be HIPAA violations.
Examples are discussing private patient information with a colleague in an open space such as a cafeteria or elevator, or forgetting to log off a computer that contains protected health information before going home.
– Provides a fresh perspective on your policies and procedures.
Appointing a third party to audit your organization’s established practices is an effective way of ensuring that your periodic internal assessments are up to date and compliant. Auditors are more knowledgeable about the latest HIPAA rules and regulations, and they can help you identify blind spots you might have missed.
– Outsourcing employee training.
Trusting experts to present relevant, simplified information not only helps ensure that your employees understand the HIPAA rules and regulations, but is also one less thing for you to do.
A third-party HIPAA certification can be beneficial for marketing purposes. For example, patients looking for a primary care physician may feel reassured if they see a HIPAA certification seal on your website.
So, given how many benefits HIPAA certification offers:
Why is there no HHS-endorsed HIPAA certification?
The main reason is that HIPAA compliance is an ongoing process. Receiving certification from a third party is no guarantee that your company will remain HIPAA compliant in the future. Changing business objectives or staff management policies may invalidate a HIPAA certification, and there is also a strong possibility that the HIPAA regulations themselves will change.
To round off, let’s have a look at some HIPAA certification FAQs:
What is the difference between a third-party audit and an HHS audit?
If a third-party audit finds lapses in compliance, the covered entity has an opportunity to correct them. If non-compliance is found during an Office for Civil Rights (OCR) audit, the covered entity may be fined or criminally charged. Consequently, the cost of a third-party audit may be a sound investment.
What is the cost of a third-party compliance audit?
This depends on the standard you are implementing and the size of the organization. A gap assessment, the preliminary step before a full audit, costs between $20 000 and $30 000, and a full HIPAA audit may cost between $20 000 and $50 000.
I understand why a business can’t be HIPAA certified, but what about software?
Software can’t be certified as HIPAA compliant. While the software may have HIPAA-compliant capabilities, the way these capabilities are used determines compliance.
Some sources claim there is such a thing as HIPAA certification. What does HHS say?
According to HHS, HIPAA has no requirement for a covered entity to be certified as compliant, and a certificate does not protect a covered entity against findings of non-compliance.
Why might some covered entities claim to be HIPAA certified if there is no such thing?
If covered entities or their employees have completed HIPAA training and received a certificate stating that they completed the course, they might claim to be certified. This does not, however, guarantee HIPAA compliance.
There is a difference between being HIPAA compliant and being HIPAA certified. Although HHS does not endorse certifications, obtaining third-party certification is a wise decision: it helps your company and employees remain HIPAA compliant.
Coggno has a wide range of HIPAA certification online training courses.