eHealthMedical DevicesMedical InnovationsMedical RecordsMobile HealthPolicy & LawTechnology

Who Certifies HIPAA Compliance?

tswann
tswann
3 Min Read
HIPAA certification

Who certifies HIPAA compliance?

The short answer is no one.

HIPAA certificationUnlike PCI, there is no one that can “certify” that an organization is HIPAA compliant. The Office for Civil Rights (OCR) from the Department of Health and Human Services (HHS) is the federal governing body here. And, HHS does not endorse or recognize the “certifications” made by private organizations.

Who certifies HIPAA compliance?

More Read

Image
Introducing the Health “Prosumer”
Mobile Apps for Chronic Cancer Patients
Gun Violence Restraining Order: An Idea Whose Time Has Come?
Obama’s Deficit Plan Counters Ryan’s Doctrines
mHealth 2013: Interview with Aetna’s Martha Wofford

The short answer is no one.

HIPAA certificationUnlike PCI, there is no one that can “certify” that an organization is HIPAA compliant. The Office for Civil Rights (OCR) from the Department of Health and Human Services (HHS) is the federal governing body here. And, HHS does not endorse or recognize the “certifications” made by private organizations.

There is an evaluation standard in the Security Rule § 164.308(a)(8), and it requires you to perform a periodic technical and non-technical evaluation to make sure that your security policies and procedures meet the security requirements. But, HHS doesn’t care if the evaluation is performed internally or by an external organization.

Having said all that, being evaluated by an independent, third party auditor is still a really good idea. Even though it is not official you should still do it. There are a number of great companies that can help. For example, Coalfire Systems (http://www.coalfire.com) and ComplySmart (http://www.complysmart.com) offer HIPAA Assessments.

Important. Even if you get a “certification” from an external organization HHS can still come in and find a security violation. Third party audits and “certifications” do not absolve you from your legal obligations under the Security Rule.

It is interesting to note that Texas was the first state in the nation to create a formal Covered Entity Privacy and Security Certification Program. The program was developed as part of Texas’ House Bill (HB) 300. The Texas Health Services Authority (THSA) and the Health Information Trust Alliance (HITRUST) have partnered to implement the Certification Program. They will tell you that the Texas state law protecting patients’ health information is more stringent than HIPAA. So in theory, if you are certified by the THSA, then you are ipso facto HIPAA compliant. Don’t hold me to that because HHS does not endorse or otherwise recognize this claim. But, considering the absence of a federal seal of approval this is a fantastic program and a step in the right direction.

(HIPAA / shutterstock)

TAGGED:
Share This Article

Stay Connected

Latest News

post-surgical recovery
Your Guide To Key Milestones In At Home Post-Surgical Recovery
Health Infographics
Dehydration Poses Serious Risks For Older Adults
Why Dehydration Poses Serious Risks For Older Adults
Infographics Senior Care
care settings
Hidden Risks In Care Settings: Who Faces The Greatest Threat From Healthcare-Associated Infections
Global Healthcare Health care Infographics
Medical Appointment
From Scheduling To Follow-Up: The Full Lifecycle Of A Medical Appointment
Infographics Medical Education Policy & Law

You Might also Like