Are you HIPAA Certified?
The difference between compliance and certification in the regulatory world.
We are often asked to provide HIPAA Certifications, and once our program is completed, we do indeed provide a certificate of completion for our clients. However, the Department of Health and Human Services’ Office for Civil Rights (OCR), the main enforcer of HIPAA Rules, does not recognize or endorse any compliance certification program offered by private companies and there is no official government certification program for HIPAA. In fact, there are many regulations where private parties offer certificates that carry no weight within the regulatory bodies themselves.
The Reality of HIPAA Compliance
HIPAA Compliance Certification is no guarantee of compliance with HIPAA Rules, as it only demonstrates compliance at a specific point in time. A certificate of HIPAA Compliance is a snapshot in time – on this date this organization meets the requirements of HIPAA compliance. However, HIPAA compliance is not a one-time program; it requires vigilance and an ongoing effort to maintain. In other words, being HIPAA compliant today does not necessarily equate to HIPAA compliance tomorrow.
What we do…
If you’ve been selected by the random inquiry process of OCR, or have otherwise found yourself in communication with them, you will know one of the first things requested of you is to provide a copy of your most recent Risk Assessment Report (RAR). If you aren’t prepared, they will know it. A proper RAR is difficult to “backdate”, and that could also constitute an effort to defraud a Federal agency.
Our Risk Assessment, Remediation Report, Network, and External Security Vulnerability Reports, along with our training, policies, and forms, would be akin to a certification in the sense that, collectively, they align with all of the requirements to meet HIPAA. These reports reflect the findings of the internal audit of Policies, Procedures, Documentation, HIPAA Training, and security controls, which is a requirement of the HIPAA Security Rule. Section 45 CFR § 164.308(a)(8) of the Administrative Safeguards of the HIPAA Security Rule requires HIPAA-covered entities to periodically evaluate their compliance program. A technical and non-technical evaluation must be performed to ensure all HIPAA standards are being met or exceeded. Further evaluations are required in response to “environmental or operational changes affecting the security of electronic protected health information.”
Becoming compliant with HIPAA Rules is an ongoing effort of all workforce members. It is not only the work of the Information Security and Privacy Officers but also a culture that leaders, doctors, nurses, and managerial positions need to embrace.
There is no guarantee…
that a company we assessed today will remain HIPAA Compliant in the future. One action, one change in their technology, or one operational procedure can take the organization out of Compliance.
Frequently, changes in staff management, business objectives, or operational procedures have been the reason for fines and penalties. It is important to note that HHS states on its website that “Certifications do not absolve Covered Entities of their legal obligations under the Security Rule. Moreover, the performance of a ‘certification’ by an external organization does not preclude HHS from subsequently finding a security violation.”
What we offer… The 7 Essential Components of Quality HIPAA Compliance Services
1. Secure Data Infrastructure Analysis
2. Access to HIPAA Compliance Experts
3. Business Continuity Plan
4. Documentation of Business Associate Agreements
5. Experience with Healthcare Customers
6. Ongoing HIPAA Compliance and Cybersecurity Awareness Training
7. Updated and Comprehensive Policy and Procedures Documents
We understand when you need assistance. We also know that you need it provided in a timely, friendly, and knowledgeable way. We also offer a security suite for live training for your staff—both online and webinar training is available.
You can rest easy knowing that your patient information and healthcare data are secure with remote backups that are reliable, secure, and HIPAA compliant. Our technology’s fail-over system keeps your vital operations up and running—even during a total server failure.
Our difference is a commitment not just to your HIPAA compliance, but to increasing your cybersecurity defenses. After all, it’s possible to achieve HIPAA compliance and still have considerable cybersecurity weaknesses.
We’d love to help you become and stay HIPAA compliant. Contact us today to see what we can do to help.
If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.
For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.
The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of its workforce (including management). Have your team sign up for a weekly HIPAA Security Reminder to help stay compliant.