HIPAA Certification – How To Become HIPAA Certified

Key Points

  • HIPAA certification implies that a company has passed a HIPAA compliance audit and that its workforce has the knowledge needed to comply with the company's policies and procedures. HIPAA itself sets no validity period for such a certificate; it does require that compliance documentation be retained for at least six years, and annual refresher training is best practice. 
  • The HHS does not endorse or recognize any private organization that offers HIPAA certification, nor is there an official standard to meet in order to be certified. Third-party compliance firms offer HIPAA training, periodic evaluations, and certificates on their own terms.
  • To maintain HIPAA compliance, companies should undertake regular technical and non-technical evaluations, either internally or through an external assessor. HIPAA compliance costs between $4,000 and $50,000+ depending on the size of the company. Compliance protects protected health information (PHI) and supports the move from paper to confidential electronic record-keeping. 


HIPAA, the Health Insurance Portability and Accountability Act (Public Law 104-191), is a 1996 US federal law that includes provisions for the privacy and security of medical information. It has two major purposes: 

  • To lower the cost of healthcare by standardizing the transmission of financial and administrative transactions
  • To ensure continuous health insurance coverage for workforce members who change or lose their jobs.

All covered entities (healthcare providers, healthcare clearinghouses, and health plans) and their business associates, which include the companies, individuals, and agencies that store or process protected health information (PHI) on their behalf, must comply with HIPAA, including obtaining a signed HIPAA release (authorization) form before PHI is used or disclosed for purposes the Privacy Rule does not otherwise permit.

Companies should be aware that no organization can “certify” HIPAA compliance, because the federal body that determines compliance, the Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR), does not recognize or endorse HIPAA certification by any private organization. 

However, what is marketed as HIPAA compliance certification, which entails undergoing compliance training, an evaluation, and a certificate from a private HIPAA training company, makes data breaches and rule violations less likely. This, in turn, reduces patient complaints and the OCR investigations that follow them. 

In this blog, we explain what HIPAA compliance certification is, how to get HIPAA certified, and what HIPAA certification costs. 

What is HIPAA Certification?

HIPAA certification may mean one of two things:

  • A point-in-time accreditation that shows that a company has passed a HIPAA compliance audit
  • An acknowledgment that certain members of a company’s workforce have acquired the level of HIPAA understanding needed to comply with the organization’s policies and guidelines

Although HIPAA itself does not require companies or their workforces to certify compliance, getting certified means having completed a training course that teaches the provisions of HIPAA and how to apply them in your company. 

HIPAA compliance does not stop at certification; it is a continuing process. Obtaining a certificate today does not mean you remain compliant in the future. Security violations may still be found, so you should know your legal obligations under the Act and its implementing regulations. 

HIPAA contains no provision that requires covered entities to be certified. What 45 CFR § 164.308(a)(8) does require is a periodic technical and non-technical evaluation that establishes how well a covered entity's or business associate's security policies and procedures meet the Security Rule's requirements. Such evaluations may be conducted internally or by an external HIPAA assessment firm. 

The HHS also warns companies about deceptive marketing claims suggesting that certain compliance programs or training materials are endorsed by HHS or OCR. 

Since the HIPAA regulations and OCR guidance are updated over time, many companies hire third-party compliance specialists to ensure that all the rules are being followed. 

Why Should You Become HIPAA Compliant?

You may wonder why you should bother to obtain HIPAA certification if it guarantees neither that you are always compliant nor that you won't violate future updates to the rules. 

We’ll give you three reasons:

  • To become certified, companies have to follow the Privacy Rule and put in place the administrative, physical, and technical safeguards required by the HIPAA Security Rule. This reduces the chances of data breaches and HIPAA violations, which in turn brings down patient grievances and OCR investigations.
  • In the event of a HIPAA violation, a compliance certificate helps document “a reasonable amount of care to abide by the HIPAA Rules.” 
  • For both covered entities and business associates, it signals an intent to be compliant, making the organization more attractive to clients and reducing the due diligence needed before the two sign a business associate agreement (BAA).

HIPAA certification costs vary with the size of the company:

  • Small covered entity: $4,000 – $12,000
  • Medium covered entity: $50,000+, depending on the entity's current environment

Advantages of Workforce Certification

The HIPAA regulations (45 CFR § 160.103) define “workforce” as employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of that entity, whether or not they are paid by it.

Certifying that your workforce is HIPAA-compliant has the following benefits:

  • Fewer HIPAA violations and data breaches caused by human error
  • Demonstrates an appropriate level of care to abide by the HIPAA Rules in the event of an OCR audit or inquiry
  • For individual staff members, HIPAA certification helps build patient trust, supports promotions, and improves job prospects.

For workforce members, HIPAA violations can lead to sanctions ranging from written warnings to loss of professional accreditation. 

HIPAA Certification Requirements 

Each type of organization that must conform to HIPAA has its own specific requirements. We present the salient ones in the form of a HIPAA compliance checklist.

HIPAA for Covered Entities

For a covered entity to be HIPAA-certified, seven aspects of compliance are evaluated:

  • Compliance with the administrative, physical, and technical safeguards of the HIPAA Security Rule, which includes a physical site audit, an asset and device audit, an IT risk analysis questionnaire, a privacy standards audit, a security standards audit, and a HITECH Subtitle D privacy audit
  • Remediation plans to close the gaps revealed by those audits
  • Policies and procedures to implement and monitor HIPAA compliance and to document a “good faith” effort to become compliant
  • Workforce training on all relevant policies and procedures
  • A documentation audit to ensure that up-to-date HIPAA-required documentation is accessible
  • Management of business associate agreements and the associated due diligence processes
  • Incident management procedures for a data breach or reportable HIPAA violation

The time needed to achieve HIPAA certification can be estimated from the gaps found during the audit and the remediation plans drawn up to close them. 

HIPAA for Business Associates

HIPAA compliance certification requirements for business associates are similar to those for covered entities, except that they are tailored to the type of services offered to covered entities. 

  • 45 CFR § 164.308(a)(5) requires a security awareness and training program for all members of the workforce, not just those providing services to covered entities. 
  • Prospective business associates are often subject to third-party audits to assure covered entities that their services, products, and policies are HIPAA-compliant.

Business associates unfamiliar with the HIPAA regulations should pick a compliance firm that not only performs evaluations but also helps them implement an effective compliance program.

HIPAA for Healthcare Providers

For healthcare providers, HIPAA certification requires a deeper understanding of the Privacy and Security Rules than the training on a covered entity's HIPAA policies and procedures required by 45 CFR § 164.530. They need to understand why the rules exist and how to be HIPAA-compliant employees.

They therefore receive comprehensive HIPAA compliance training on frequently violated HIPAA standards such as:

  • Patients’ rights
  • The minimum necessary standard
  • Permissible uses and disclosures

Such training fills the gaps left in the onboarding of new workforce members at resource-limited covered entities and ensures they do not make mistakes that lead to violations through a lack of understanding. 


Although HHS does not recognize or endorse any HIPAA compliance or certification program, companies can still benefit from HIPAA certification: it reduces their chances of unintended rule violations, patient complaints, and the federal investigations that follow.

Third-party compliance experts can help you with HIPAA certification training and with risk assessments that identify compliance gaps. Sprinto, our cloud-based software, enables healthcare organizations to achieve and maintain HIPAA compliance quickly by helping them draft policies, establish controls, and collect evidence. 

Contact us for a personalized Sprinto demo today! 


  • What is HIPAA certification?

HIPAA certification implies that an organization has been found to conform to the HIPAA Security, Privacy, and Breach Notification Rules. 

  • How long does HIPAA certification last?

HIPAA itself sets no validity period for a certificate; the period is whatever the issuing training company specifies. What HIPAA does require is that covered entities and business associates retain HIPAA-related documentation for a minimum of six years, and it is best practice to offer refresher training every year. 

  • How to get HIPAA certification?

The first step is to select a HIPAA certification course suited to the people who will take it. If budget or other constraints prevent all employees from attending, selected employees can be trained as trainers who then conduct company-wide on-site training so that everyone has a working knowledge of HIPAA. 

  • How to get HIPAA certification free?

Free HIPAA training courses are available from sites such as OSHAcademy, Accountable HQ, Compliancy Group, the U.S. Department of Health & Human Services, and Medscape. However, the certificate issued after passing the final exam typically must be purchased.