When organizations put in the effort to clear the many administrative and technological hurdles needed to be compliant with HIPAA, the Health Insurance Portability and Accountability Act, they may wonder whether it is possible to obtain some sort of HIPAA certification. For many, the idea is that such a certification could potentially reduce the time and money spent on different audit procedures or guarantee that all risks had been minimized to an acceptable level.
Does HIPAA Certification Exist? If so, What is it?
HIPAA certification could certainly act as a useful signal for customers or covered entities to use when determining what service provider they wished to bring their business to or partner with. An organization becoming certified or being able to quickly and easily demonstrate the quite dense and complicated aspects of compliance through displaying a simple certification would be an easy way to increase trust in their abilities and potentially gain new customers.
There have been trends where companies or other entities have sought to portray themselves as “HIPAA certified” or otherwise holding some sort of validation of their compliance. Unfortunately for these groups, no official or legally valid certification of HIPAA compliance currently exists.
A crucial obstacle to establishing such a compliance certification process is the fact that HIPAA itself is not a static law. HIPAA is frequently reviewed and changed to deal with emerging technological and societal factors. Even a complete demonstration of compliance at one point in time would not be sufficient to act as a guarantee of compliance with future iterations of the law.
A group that was willing to evaluate and vouch for organizations that observed all of the criteria and met all standards as described in HIPAA would first need to prove that it was independent or otherwise verifiably trustworthy for its certification to mean anything. It would also need to establish a method of evaluating all aspects of HIPAA compliance which the organization under review deals with. They would then need to prove they could do an in-depth and complete evaluation of the entity in a short enough time period and at a reasonable enough price that it would be worth companies’ while to gain certification before new rules were introduced.
Let us take the hypothetical example of a large urban clinic that brought in HIPAA compliance experts to review and thoroughly evaluate its procedures, processes, and technical security measures. What it would receive would be a snapshot of the clinic at a certain point in time, compliant or not. Modifications to HIPAA rules, new policies, different members of staff: any one of these could affect the outcome and make the results completely unrelated to actual activities.
Such an audit can still be undertaken, but it carries no legal weight should the company be audited or investigated by regulatory authorities.
Training for HIPAA Compliance
HIPAA itself does not call for any specific programs or certifications. The only obligation under HIPAA in this regard is that training has been provided “as necessary and appropriate for members of the workforce to carry out their functions”. The employees must confirm that they have received such training in writing.