HIPAA Certification, To Do or Not To Do

Catherine Beasley, MS, BSN, LNCC 
Dec 2020 

Breaches of protected health information are becoming commonplace. The US Department of Health and Human Services, Office for Civil Rights, now publishes breach report results, which can be accessed at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.

Hospitals and health care organizations must report breaches affecting more than 500 people to the Department of Health and Human Services, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. A breach of more than 500 patients' information may result in the organization's name being listed on the Department of Health and Human Services website. Simply stated, breaches of protected health information are bad for the business of health care organizations. Patients are left to wonder about the ability of the organization to provide safe, effective care. After all, if an organization can't manage paper, how can it manage safe care?
 
Health Insurance Portability and Accountability Act (HIPAA) training is now available online from third-party vendors. Training can be completed at the convenience of the trainee, and both individual and corporate rates are offered. Seminars lasting one or two days are also offered nationwide, with pricing that varies by vendor.

The Department of Health and Human Services is very clear that breaches of protected health information are unacceptable regardless of the number of victims affected. However, does holding a HIPAA certification mean an organization is better able to secure the personal data of those it serves? There are two schools of thought to consider. First, the training and knowledge will support safe practice and thus decrease the risk of potential breaches. Training will also increase the confidence of staff in managing protected health information, and recurring training gives the trainee access to up-to-date information regarding HIPAA.

An opposing view is that the Department of Health and Human Services does not endorse or recognize HIPAA certifications regarding the Security Rule and warns against misleading marketing claims:

“We have received reports that some consultants and education providers have claimed that they or their materials or systems are endorsed or required by HHS or, specifically, by OCR. In fact, HHS and OCR do not endorse any private consultants’ or education providers’ seminars, materials or systems, and do not certify any persons or products as HIPAA compliant.” 

The HHS website goes on to state:

“There is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”

Given that certification is not mandatory, it is up to each organization to ensure that compliance is achieved. Investment in training, while not required, is an organizational decision based on the organization's level of comfort with, and ability to meet, the requirements.

Breach Portal. (n.d.). Retrieved 23 Nov 2020 from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

HHS.gov. (n.d.). Are we required to “certify” our organization’s compliance with the standard security rule? Retrieved 23 Nov 2020 from https://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-required-to-certify-our-organizations-compliance-with-the-standards/index.html

HHS.gov. (n.d.). What you should know about OCR HIPAA privacy rule guidance materials. Retrieved 23 Nov 2020 from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/be-aware-misleading-marketing-claims/index.html