By Jack Anderson
May 7, 2014
If you see a statement from an organization that they are “HIPAA Certified,” run away. HHS has stated many times, in many ways, that there is no HIPAA certification process and that no company has the authority to certify HIPAA compliance. Here is their quote from their website: “It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.” Frequently I see press releases stating that a company is HIPAA Certified, and reading between the lines I see that an outside company has performed an audit of some sort and told the company that it is HIPAA Certified. Rarely do they mention the name of the company certifying their HIPAA compliance, and never do they tell what methods were used or what results were found. Even if we accepted that at the moment of this audit the company was HIPAA compliant, how long would that apply? Only until something changed: a new software application, new hires, a change in their business model, a change in the HIPAA standards, or any other change that materially affected their organization.
The reality is that HIPAA compliance is not an event but a process, an on-going process that requires compliance activities every month with documentation to support the accomplishment of these activities. Large organizations have sophisticated systems in place to monitor processes, document their activities, and provide dashboards to management so that they can see their current level of compliance at all times. What does a small business associate do to emulate this within a reasonable budget and with a reasonable expenditure of time and resources? They could build Excel spreadsheets that lay out the tasks that need to be accomplished and document their activities, presuming that they know what activities are required by HIPAA and the new HIPAA Omnibus Rule that became effective on September 23, 2013. Most business associates would not know where to start, and if they actually went to the HHS website and read the standards, their bewilderment would grow. The HIPAA Omnibus Rule is over 500 pages of dense bureaucratese, impenetrable to most of us.
What is a business associate to do? Find a guide, with a process, the tools that lay out the tasks, a method of measuring compliance, and a human HIPAA expert to lead you through the process, check your work, and answer all of your questions. Then every month you need a new list of the tasks required to keep you compliant and a method of documenting the accomplishment of those tasks.
If you want to see how this works, go to www.compliancehelper.com and watch the appropriate video. If you want to check your own compliance, download the HIPAA Compliance Checklist.