We mentioned earlier in one of our blog posts that we would get back to you about the HIPAA/HITECH “certification” question that a lot of healthcare practices are asking about. Certification by a third party is not required for Covered Entities and Business Associates, unlike PCI or ISO certification requirements. HIPAA/HITECH “certification” is not mandated in any way, and no one is authorized to provide HIPAA/HITECH certification per se. Rather, Covered Entities and Business Associates need to be compliant with the new omnibus HIPAA Privacy, Security and Breach Notification rules. This is very clearly stated on the HHS website: “A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.” If you want to learn more about HHS’s position on HIPAA certification, please go through the following links:
The above discussion makes clear that there is no single certifying authority for the HIPAA/HITECH rules. The assessment of HIPAA rules in your practice and the implementation of the required remediation could technically be performed by anyone, with no prior qualification. However, the purpose and intent of the evaluation is twofold:
1) To genuinely secure patient data and put the required processes in place to avoid legal issues
2) To handle an HHS Office for Civil Rights (OCR) audit request
In order to handle this HIPAA conundrum, we recommend at least having the initial HIPAA/HITECH assessment against the new rules conducted by a qualified external organization. Then use the same methodologies and processes that the external organization used to conduct your own periodic assessments in subsequent years. In addition, if there is any major change in scope, such as a change to your IT infrastructure, a vendor upgrade or the introduction of a new line of business, have the assessment done by an external organization.
Only experience and industry knowledge will help you apply the HIPAA/HITECH rules to your practice successfully.
There are quite a few organizations providing training and certification for acquiring HIPAA expertise. Firms can benefit from their staff completing one or more of the established credentials, including:
1) Healthcare Information Security and Privacy Practitioner (HCISPP) by ISC2: https://www.isc2.org/HCISPP/Default.aspx
2) AHIMA certification page: https://www.ahima.org/certification-careers/get-certified/
No matter how you do your assessment, at least ensure the following three aspects of your HIPAA/HITECH compliance: