Let’s bust a popular HIPAA myth, shall we? There is no official HIPAA certification. Period. Contrary to what you may read in the multitude of content on the web, no HIPAA certification is official or carries the blessing of the Department of Health and Human Services (HHS) or its Office for Civil Rights (OCR). In fact, OCR has made it unequivocally clear that it doesn’t endorse any HIPAA certification and that holding one doesn’t exempt an organization from an audit or investigation when the need arises.
So, what’s the big hullabaloo about HIPAA certifications? Can getting one, even though it has no legal standing, help your organization? While nothing exempts a healthcare organization from an audit, a third-party HIPAA certification demonstrates your compliance posture, or at least that you made an earnest effort to be compliant.
Read on to learn how HIPAA certification can help your organization and how you should go about achieving one.
HIPAA Brass Tacks
Before we go any further, let’s quickly understand some of the oft-used terms in the article.
HIPAA: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law that sets national standards for protecting patient data (such as medical records) and other individually identifiable health information.
Protected Health Information (PHI): Under HIPAA, PHI is individually identifiable health information, in any form or medium, that relates to 1) an individual’s past, present or future physical or mental health or condition, 2) the provision of healthcare to the individual, or 3) payment for that healthcare, and that identifies the individual or could reasonably be used to do so (including demographic details). When it is created, stored or transmitted electronically it is called ePHI.
Covered Entities: Health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a HIPAA standard transaction. These are the organizations that create, store, transmit and handle PHI and to which HIPAA applies directly.
Business Associate: Service providers, vendors and other entities that perform functions or services on behalf of a covered entity (or of another business associate) that involve the use or disclosure of PHI.
Business Associate Agreement (BAA): A legally enforceable written contract between a covered entity and a business associate that will access PHI as part of the service it provides, setting out each party’s responsibilities for safeguarding that PHI.
You can read more about whom the HIPAA law applies to here.
What is HIPAA Certification?
Third-party compliance consultants and assessors offer HIPAA “certification” after reviewing your organization’s compliance status. As mentioned earlier, these certifications aren’t endorsed by HHS, the federal agency that oversees HIPAA, or by OCR, which enforces it, and they don’t protect you from a HIPAA audit or investigation. HHS doesn’t offer certification as an end goal because it treats compliance as an ongoing process; a certification only reflects an organization’s compliance status at that point in time.
That said, HIPAA certifications offered by third-party consultants aren’t without merit. They demonstrate your organization’s commitment to HIPAA compliance by showing that you are doing what you can to protect PHI, including training employees on HIPAA-related policies and procedures. They also indicate that your organization has the necessary nuts and bolts in place to meet HIPAA requirements.
Why is HIPAA Certification important to Healthcare Providers?
HIPAA certifications matter to healthcare organizations on multiple counts. Let’s look at some of them:
Know your compliance status
Compliance with HIPAA isn’t optional, and failure to comply can be expensive. So, going through a certification audit, even with a third-party consultant, helps an organization understand its compliance status and exposes gaps and oversights in its compliance readiness.
Showcase a proactive approach to HIPAA
HHS expects organizations to take decisive action to meet HIPAA standards continually. Even though a certification isn’t proof of future compliance, it demonstrates that the organization has made good-faith efforts to comply with HIPAA, which may stand it in good stead in case of a breach or an audit.
Stand out from the crowd
It’s one thing to say you are HIPAA compliant, and another to have a credible third-party assessor back your claim. HIPAA requires covered entities to obtain satisfactory assurances, in a BAA, that the vendors handling their PHI will safeguard it, so covered entities vet their business associates. As a HIPAA-certified business associate, you can reduce deal friction to some extent when prospecting opportunities with covered entities.
Add to your HIPAA documentation
HIPAA certification carried out by a professional services organization produces documentation of your compliance status that your organization can share with prospects.
How to get HIPAA Certification (7 steps)
Before you approach a third-party professional services organization to review and certify your compliance with HIPAA, you must build and execute a compliance program.
Here’s a look at your step-by-step journey toward HIPAA certification.
Step 1: Select a Security & Privacy Officer within the organization
The HIPAA Security Rule requires every covered entity and business associate to designate a security official responsible for developing and implementing the required policies and procedures, and the Privacy Rule requires covered entities to designate a privacy official.
Aside from the legal requirement, it is impractical to implement HIPAA’s rigorous compliance program without designated officers. You can hire for the role(s) or assign existing employees; most organizations either have one person hold both the security and privacy officer roles or designate one person for each. Either way, HIPAA doesn’t set strict criteria for who may hold the role.
Step 2: Establish privacy policies within the organization
HIPAA requires covered entities and business associates to develop and implement policies and procedures that comply with the Privacy and Security Rules. You must maintain written privacy and security policies and procedures, and keep records of required activities, actions and assessments for at least six years from the date of creation or the date they were last in effect, whichever is later.
You must also review these policies and procedures periodically and update them to accommodate changes in your business environment or organization that can affect the security of PHI and ePHI.
Some of the policies that you will need to establish include:
Step 3: Establish security procedures to protect PHI
HIPAA requires covered entities and business associates to uphold the confidentiality, integrity and availability of ePHI, and the Security Rule calls for three types of safeguards: administrative, physical, and technical.
These safeguards lay the foundation for the security procedures organizations must implement to protect PHI in their environment.
Organizations must document their security management process, analyze risks to ePHI and implement security measures to mitigate them.
Organizations must control access to the physical facilities where ePHI is stored and secure all workstations and devices that store or transmit ePHI.
Organizations must implement technical safeguards, the hardware, software and procedures that control and limit access to ePHI.
At a broader level, the Security Rule’s standards translate into familiar cybersecurity controls. Note that some specifications, such as encryption, are “addressable” rather than “required”: you must either implement them or document why an alternative measure is reasonable and appropriate for your environment. The controls include:
- Access control
- Data encryption
- Audit logging
- User authentication
- Data backups and disaster recovery
- Business Associate Agreements (BAAs) with vendors that handle PHI
Step 4: Establish Business Associate Agreements with vendors
The HIPAA Privacy and Security Rules require covered entities to obtain satisfactory assurances from their business associates that they will appropriately safeguard the PHI they receive or create on the covered entity’s behalf. These assurances are made legally binding in a written BAA that clearly assigns each party’s responsibilities for PHI.
The BAA, therefore, makes business associates directly responsible for safeguarding PHI as HIPAA requires, and business associates must in turn have BAAs with any subcontractors that handle PHI on their behalf.
You can look up sample business associate agreements on HHS’ website.
Step 5: Train staff as per HIPAA guidelines
Your organization’s compliance with HIPAA is only as good as your workforce’s understanding of, and adherence to, its rules. So it is essential that you train your employees on the law, its updates and its many nuances.
HIPAA requires training for all workforce members, within a reasonable time after they join and whenever policies change materially; the rules don’t fix a cadence, but annual refresher training is the accepted practice and what assessors expect. HIPAA defines the workforce as employees, volunteers, trainees and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of that entity, whether or not they are paid by it.
Training your employees to be HIPAA compliant has several benefits:
- Reduce the possibility of HIPAA violations and/or data breaches due to human error
- Showcase an appropriate amount of care to abide by HIPAA Rules in case of OCR audits or inquiries
- Promote patient trust and support employees’ professional development
- Reduce the risk of sanctions such as written warnings or loss of professional accreditation
Step 6: Conduct a periodic risk analysis to prevent data breaches
Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with the Security Rule. Covered entities and business associates must conduct an accurate and thorough security risk analysis (SRA) to identify and assess the risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI in their environment. The rule doesn’t fix a cadence, but the analysis must be reviewed and updated as the environment changes, and an annual cycle is the common practice.
Identify Where ePHI Lives
To begin with, organizations must identify where ePHI is created, received, maintained or transmitted, including on vendor systems, cloud services and portable devices.
Identify and Document Potential Threats and Vulnerabilities
Organizations must then identify and document reasonably anticipated threats and vulnerabilities to ePHI.
Assess Current Security Measures
Organizations must then assess and document the security measures they already use to safeguard ePHI, and whether those measures are configured and used correctly.
Determine the Likelihood of Threat Occurrence
Organizations must estimate the likelihood of each identified threat exploiting a vulnerability, so that protection against “reasonably anticipated” threats can be put in place, and document the result.
Determine the Potential Impact of Threat Occurrence
Organizations must assess the magnitude of the potential impact should an identified threat occur or an identified vulnerability be exploited. Impact can be measured qualitatively, quantitatively, or with a combination of the two.
Determine the Level of Risk
Organizations must now assign a risk level to each threat-and-vulnerability pair identified during the analysis. The level of risk can be determined, for example, by combining the values assigned to likelihood and impact, so that a high-likelihood, high-impact pair is treated first.
The Security Rule requires the risk analysis to be documented but does not require a specific format.
The Security Rule requires organizations to implement administrative, physical and technical safeguards based on the risk analysis to protect ePHI. HHS also offers a free Security Risk Assessment (SRA) Tool to help organizations conduct one. While organizations needn’t submit their risk assessment to HHS, it is the supporting document that shows an organization conducted the accurate and thorough risk analysis HIPAA requires, and failing to perform one is a frequent finding in OCR enforcement actions.
Step 7: Establish breach notification protocol
Organizations must establish a breach notification process in line with HIPAA requirements. The Breach Notification Rule requires covered entities to notify affected individuals when their unsecured PHI is breached, without unreasonable delay and no later than 60 calendar days after the breach is discovered (or would have been discovered with reasonable diligence). Breaches affecting 500 or more individuals must also be reported to HHS within the same 60-day window and, if they affect more than 500 residents of a state or jurisdiction, to prominent media outlets; smaller breaches are reported to HHS annually. A business associate must notify the covered entity of a breach so that the covered entity can meet these deadlines.
There are, however, a few situations in which notification isn’t required. These include
- The PHI was secured (for example, encrypted in line with HHS guidance) so that it is unusable, unreadable or indecipherable to unauthorized persons; the rule applies only to unsecured PHI
- A workforce member unintentionally acquired, accessed or used the PHI in good faith and within the scope of their authority, and it wasn’t further used or disclosed impermissibly
- The PHI was inadvertently disclosed by one authorized person to another at the same covered entity or business associate, and it wasn’t further used or disclosed impermissibly
- The covered entity or business associate has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information
Your organization’s HIPAA policies must be communicated to all staff.
Who audits and approves HIPAA certifications under HIPAA law?
No official body backs HIPAA certification; at best, it validates your organization’s compliance with HIPAA at the time of the assessment. Several third-party professionals assess organizations against OCR’s audit protocol and identify gaps, vulnerabilities and areas of improvement.
Some of these vendors not only perform HIPAA evaluations but also assist organizations in implementing effective compliance programs.
What are the three HIPAA certification requirements?
Again, as we mentioned earlier, there isn’t an official HIPAA certification. However, the assessments third parties offer evaluate different things depending on the organization’s type.
Certification of Covered entities
For covered entities to be HIPAA-certified, areas of evaluation include:
- Compliance with HIPAA’s administrative, physical and technical safeguards
- Compliance with HIPAA’s Security Rule (including a physical site audit, an asset and device audit, an IT risk analysis questionnaire, and more)
- Remediation plans to fill the gaps revealed by the assessments
- Policies and procedures to implement and monitor compliance with HIPAA
- HIPAA training for employees
- Updated and detailed HIPAA documentation
- Management of business associate agreements and due diligence processes
- Incident management procedures
Certification of Business Associates
The HIPAA certification requirements for business associates are similar to those for covered entities, except that they are tailored to the type of services offered. Here are some must-knows:
- Implementation of HIPAA security and awareness training program for all members of the workforce and not just for those providing services to covered entities
- BAs are often subject to third-party audits to assure covered entities that their services, products and policies comply with HIPAA.
Certification of Healthcare Providers
Because they interact directly with patients, healthcare providers and their clinical staff need a deeper, on-the-ground understanding of HIPAA rules and violations. The HIPAA training program for healthcare providers therefore goes beyond the covered entity’s written policies and procedures.
Staff must be educated to understand why the rules exist and how to act as HIPAA-compliant employees.
Their HIPAA training must therefore also cover the most frequently violated HIPAA standards. These include:
- Patients’ rights
- Minimum necessary standard
- Permissible uses and disclosures
Find out how Sprinto is helping organizations become and stay HIPAA-certified
As a cloud-hosted business associate looking to covered entities for growth, your compliance with HIPAA can be a real clincher. Sprinto helps you tick all the boxes for HIPAA compliance in an automated way that fits your business needs.
It comes with in-app features to monitor your HIPAA safeguards, manage vendors and subcontractors with PHI access, and built-in HIPAA training for your staff. It maps HIPAA rules to your relevant security controls on the platform, so you get a dashboard view of your compliance status at any point in time.
Talk to us today to learn how you can become HIPAA compliant and stay that way with continuous monitoring.
How long does HIPAA certification last?
A HIPAA certification reflects an organization’s compliance only at the time of assessment, and any validity period is set by the issuing assessor, not by HIPAA. Whatever the certificate says, all HIPAA-related documentation must be retained for a minimum of six years.
Why is HIPAA certification important?
HIPAA Certification is important for covered entities and business associates on the following counts:
- It gives them a comprehensive understanding of their compliance status
- It showcases a proactive approach to HIPAA and can stand them in good stead at the time of audit
- It helps them stand out from the competition and shows them in a good light
- It adds weight to their HIPAA documentation
Who needs to certify with HIPAA?
Though there isn’t any certifying authority for HIPAA, covered entities and business associates can consider having their compliance with HIPAA reviewed by credible third-party professional assessors. Professional assessors test the organization’s compliance with HIPAA, issue a report or certificate, and highlight gaps, vulnerabilities and areas of improvement. Some even assist organizations in implementing an effective compliance program. Such certifications also add to the organization’s good-faith efforts in becoming and staying HIPAA compliant.