By Jack Anderson
September 19, 2016
We get lots of questions about “HIPAA certification”. We also see companies claiming that they are “HIPAA Certified”, generally followed by a claim that some unnamed group did an audit and declared them compliant. Of course that group didn’t claim that the certification was from or authorized by HHS or OCR, since those agencies have repeatedly stated that there is no certification process approved by them. There are lots of certificates issued to individuals who have taken training classes in security and privacy, but even if every staff member held such a certificate, it would not mean that the company was compliant.
Yet many organizations are asked to provide proof that they are HIPAA compliant. Fortunately, there are tools that provide lists of compliance activities that must be accomplished on an on-going basis, along with documentation of their completion. This can then be confirmed through a risk assessment showing on-going progress. But what kind of risk assessment is needed?
The gold standard, and the only one mentioned by HHS and OCR, is the NIST protocol. Developed by the federal government as the standard to be used when auditing government entities, the NIST protocol is the one recognized by all auditors. Our partner, ACR2 Solutions, has automated this process and delivers it through a SaaS model that makes it cost effective and efficient.
The Jumpstart program, jointly developed by Compliance Helper and ACR2 Solutions, provides the task lists, templates of policies, documentation, and support from a personal Helper who feeds data to the risk assessment engine. Every quarter the Jumpstart client gets a new risk assessment showing the progress they have made in privacy and security. The Compliance Meter shows compliance in training, policies, and risk assessment updating, while the risk assessment report provides an in-depth analysis of risks and the steps taken to mitigate those risks.
Your quarterly risk assessment is your HIPAA certification, based on your own work rather than on some third party’s analysis. It is dynamic, granular, and defensible. For more information, shoot me an email at Jack@compliancehelper.com.