HIPAA Certification, To Do or Not To Do

Catherine Beasley, MS, BSN, LNCC 
Dec 2020 

Breaches of protected health information are becoming commonplace. The US Department of Health and Human Services, Office for Civil Rights now publishes breach report results, which can be accessed at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.

Hospitals and health care organizations must report breaches affecting more than 500 people to the Department of Health and Human Services as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. A breach of more than 500 patients’ information may result in the organization’s name appearing on the Department of Health and Human Services website. Simply stated, breaches of protected health information are bad for the business of health care organizations. Patients are left to wonder about the ability of the organization to provide safe, effective care. After all, if an organization can’t manage paper, how can it manage safe care?

Health Insurance Portability and Accountability Act (HIPAA) training is now available online from third-party vendors. Training can be done at the convenience of the trainee, and both individual and corporate rates are provided. Seminars lasting one or two days are also offered nationwide, and pricing varies by vendor.

The Department of Health and Human Services is very clear that breaches of protected health care information are unacceptable regardless of the number of victims impacted. However, does having a HIPAA certification mean an organization is better able to secure the personal data of those it serves? There are two schools of thought to consider. First, the training and knowledge will support safe practice and thus decrease the risk of any potential breaches. Training will also increase the confidence level of staff in managing protected health information, and recurring training gives the trainee access to up-to-date information regarding HIPAA.

An opposing view is that the Department of Health and Human Services does not endorse or recognize HIPAA certifications regarding security rules and warns against misleading marketing claims.   

“We have received reports that some consultants and education providers have claimed that they or their materials or systems are endorsed or required by HHS or, specifically, by OCR. In fact, HHS and OCR do not endorse any private consultants’ or education providers’ seminars, materials or systems, and do not certify any persons or products as HIPAA compliant.” 

The HHS website goes on to reflect:  

“There is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”

Given that certification is not mandatory, it is up to an organization to ensure compliance is achieved. Investment in training, while not required, is an organizational decision based on the level of comfort and ability to meet requirements.

Breach Portal. (n.d.). Retrieved 23 Nov 2020 from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

HHS.gov. (n.d.). Are we required to “certify” our organization’s compliance with the standard security rule? Retrieved 23 Nov 2020 from https://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-required-to-certify-our-organizations-compliance-with-the-standards/index.html

HHS.gov. (n.d.). What you should know about OCR HIPAA privacy rule guidance materials. Retrieved 23 Nov 2020 from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/be-aware-misleading-marketing-claims/index.html

A Litigation-Oriented Case Database Is Crucial

Tip #2

Look for a Record Retrieval Company Offering a Litigation-Oriented Case Database

The record retrieval company selected should make use of a litigation-oriented case tracking database.  This will save time by allowing instant access to the current work product, which can be posted for secure viewing and downloading by both the legal nurse consulting firm and law firm staff.

In addition to viewing the work product, other vital information can be communicated through an online case tracking database. For example, deadline dates, deposition or trial dates, dates and names of records received, status of the records reviewed, and names of personnel involved in the case can be included.

Having a case database to track the status of the medical records in the review process makes efficient use of technology and allows the client to assess the status of the case at any time. It is especially useful when setting deposition dates. Furthermore, a review of the case status reflects how near completion the case is in terms of the work product, which many attorneys utilize during deposition. For this reason, the status of record retrieval should be viewable in real time.


Peg Crowell, MS, RN, APRN-BC, LNCC. Originally printed December, 2005
Updated and Edited: January 2016 by Catherine Beasley, MS, BSN, LNCC


American Association of Legal Nurse Consultants (AALNC). (Peterson & Kopishke Eds.) (2010) Legal Nurse Consulting: Principles and Practice. (3rd Ed.). Boca Raton, FL: CRC Press.

Choosing A Record Retrieval Company

Tip #1

Select a Reputable Medical Record Retrieval Company with Electronic Online Tracking

Initial strategic planning for case preparation with record access must include the selection of a reputable, quality-driven record retrieval company.  Attempting this process in-house can be time consuming and cumbersome.

A record retrieval company should not just retrieve the records in a timely manner; it is critical that it also provide real-time tracking of the status of records. Once obtained, the records should be organized into the proper sequence prior to scanning and Bates numbering.

If outsourced to the right retrieval company, this process can cut costs in case preparation.  In-house staff will be available to support the preparation of cases rather than shuffling through boxes of papers.

The organized records are then scanned, Bates-numbered and uploaded to an electronic online database available to clients 24/7. Electronic records eliminate the costs associated with shipping paper records to various offices and medical experts. Access is immediate when time is of the essence. In today’s mobile world, being able to access and read case records and work products after office hours or while commuting is vital. The records can also be downloaded and saved to a secure location for offline viewing.

This service should not require an additional software purchase by the firm. Ideally, the firm can utilize an existing universal electronic platform provided. Be aware that some retrieval companies charge access, “per click” or archiving fees to law firms, so the costs can add up quickly. Be sure to select a company that provides this access as a value-added service.


Updated and Edited: September 2015 by Catherine Beasley, MS, BSN, LNCC
Peg Crowell, MS, RN, APRN-BC, LNCC. Originally printed December, 2005

Announcing: Litigation Management Series

Law firms involved in product liability cases must be well-versed in legal principles and must also be extremely organized to avoid spending needless time and money in the litigation process.  No matter on what side of the litigation table you sit, preparation is the key to successful resolution.

Complex aggregate torts, such as product liability involving thousands of cases, can quickly become an organizational challenge.  Partnering with the right organization for assistance with aggregate torts is an effective way for firms to increase internal flexibility, leverage resources, and improve cost-effectiveness.

The difficulty arises in selecting the right organization for the job.  In the coming weeks, we will explore popular areas within the legal industry for utilization of external consultants, as well as ground-breaking areas which you may not have considered.  We will provide you with some effective ways to identify internal workloads that can be eased through utilization of external resources, discuss the qualities of organizations that are likely to result in effective partnerships, and share some pointers that will help you avoid some common pitfalls in the process of engaging with external consultants.

Join us next week for the first installment in this series.

Updated and Edited: September 21, 2015 by Catherine Beasley, MS, BSN, LNCC
Peg Crowell, MS, RN, APRN-BC, LNCC. Originally printed December, 2005