HIPAA Certification

HHS warns that it does not certify any persons or products as HIPAA-compliant

Eagle Associates receives many questions about requirements for HIPAA certification. This usually occurs after a practice has received marketing materials from a consulting or educational group purporting to provide “HIPAA certification.” Such companies may claim that your practice is “non-compliant” and must immediately schedule a consultation or other service with their company, often using urgent language and alluding to potential fines. It is important to know that there is no such requirement for entities to obtain HIPAA “certification”, and these companies are using dubious marketing tactics to sell their services.

The following information from the U.S. Department of Health & Human Services (HHS) website explains the regulator’s position and adds a word of caution.

“We have received reports that some consultants and education providers have claimed that they or their materials or systems are endorsed or required by HHS or, specifically, by OCR. In fact, HHS and OCR do not endorse any private consultants’ or education providers’ seminars, materials or systems, and do not certify any persons or products as “HIPAA compliant.” The Privacy Rule does not require attendance at any specific seminars. All of OCR’s materials are available free on this web site.

If you believe anyone is making false or misleading representations about HHS or OCR in regard to HIPAA training and compliance, please notify us via email at ocrcomplaint@hhs.gov or by postal mail at Office for Civil Rights, 200 Independence Ave, S.W., Room 509F, Washington, D.C. 20201.”

See also the following Q & A from the HHS web site:

Are we required to “certify” our organization’s compliance with the standards of the Security Rule?

Answer: No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.

At Eagle Associates, we know that compliance is an ongoing process and not a designated status. Receiving additional compliance training or assistance with implementation of policies can lead to improved compliance. However, HHS encourages caution when engaging with companies who claim to provide HIPAA certification. Eagle Associates’ compliance programs provide training and ongoing support to help practices understand and maintain compliance without making false or misleading representations. If you are unsure about your compliance programs, please do not hesitate to contact us.