Is There An Official HIPAA Certification?
Although many healthcare vendors are searching for a way to become “HIPAA certified”, there is no official certification that ensures that an organization is HIPAA compliant. Health and Human Services (HHS), which enforces HIPAA regulations, may investigate any covered entity or business associate for potential HIPAA violations.
Although a number of different services may provide HIPAA certifications, it is up to organizations to ensure they are properly managing all administrative, technical, and physical safeguards in order to maintain compliance. Services such as Dash ComplyOps streamline the compliance process and make it easy for organizations to configure, monitor, and maintain HIPAA compliance.
HIPAA Training and Certifications
HIPAA requires that organizations provide HIPAA security awareness training to their employees. Although there are no official training programs required under the regulation, many companies offer third-party HIPAA training courses for covered entities and business associates.
These courses generally provide specific videos, slideshows, or other learning materials to teach healthcare employees specific aspects of HIPAA that are relevant to their role in the organization. Employees generally learn about protected health information (PHI), managing PHI, and reporting potential incidents.
At the end of a course, employees may be presented with a certification for HIPAA training. This certification allows companies to show that employees have had training related to HIPAA regulations; however, it does not exempt the organization from liability for specific HIPAA violations. HHS may still investigate potential HIPAA violations and issue monetary penalties.
HIPAA Risk Assessments
HIPAA requires that organizations perform a risk assessment at a minimum on an annual basis. A risk assessment is generally performed by an independent third party and outlines the potential compliance and security risks that an organization faces.
Risk assessments are a valuable tool for identifying compliance issues before they become violations or breaches. After an organization is presented with the findings of a risk assessment, the organization will typically work to remediate issues within its administrative policies and technical infrastructure.
Performing these assessments on a periodic basis allows organizations to maintain a high level of compliance and security. Third parties may even provide a certification to the organization as security goals and standards are met. As with other evaluations and certifications, no risk assessment guarantees HIPAA compliance.
Penetration Testing and Third Party Audits
Healthcare teams often conduct third-party penetration testing every year or every few years. These kinds of tests allow the organization to see what potential vulnerabilities exist in their systems. A list of findings is shared with the healthcare organization and the organization works to fix potential vulnerabilities and issues.
Penetration tests allow organizations to strengthen their security profile and provide proof of high security standards when going through procurement with hospitals. Although these tests help to improve the security posture of the company, no penetration test or third-party certification guarantees compliance.
A Note About HIPAA Certifications
Although there are many valuable services and evaluations for HIPAA compliance, at the end of the day it is the responsibility of the organization to maintain all HIPAA regulatory requirements. Many third parties may provide “HIPAA certifications”, but these certifications have no legal standing and do not exempt organizations from potential HIPAA violations and penalties. There is no magic bullet for HIPAA compliance.
Organizations should select an appropriate cloud service provider, adopt understandable administrative policies, and set technical controls that fit their organization and technologies. Organizations may turn to a service such as Dash to automate compliance processes and use continuous compliance monitoring to track potential compliance issues.