All healthcare organizations, health app developers, and associated covered entities are responsible for protecting sensitive medical data. But for some, it’s tempting to think that the right software solution or security tool is sufficient to make them HIPAA compliant.
Certainly, technology plays an important role. But HIPAA compliance depends on much more than the right security tools, or even obtaining a certification.
So what’s really needed for HIPAA compliance? Does getting a certification guarantee adherence to HIPAA requirements? As with most questions, it helps to start by clarifying the relevant terms. Here’s the important distinction between compliance and certification:
- HIPAA Compliance refers to adhering to the rules and requirements set forth by the Department of Health and Human Services (DHHS) policies and guidelines.
- HIPAA Certification is the process to obtain or be awarded a document or designation to attest that a person has completed an educational course.
Note that these statuses cannot be used interchangeably; they each have their own separate purposes. For example, employees and businesses can become “certified,” but individual employees cannot be labeled “compliant.” The difference is that “certification” is obtained by a person or company, whereas “compliance” must be continually maintained by an organization.
HIPAA “certification” can be obtained by taking an exam to validate knowledge and skills in the core areas of HIPAA regulations and guidelines. It should be noted, however, that the Department of Health and Human Services (DHHS) – the government entity which manages and is responsible for enforcing the HIPAA Rule – does not endorse or otherwise recognize HIPAA certification as a way to absolve organizations from the legal obligations of the HIPAA Security Rule.
Nevertheless, there are many businesses and websites which offer HIPAA Certification. These “certifications” are designed by private companies and typically include training and testing, but they have not been officially approved by the federal government. Once the course is completed with a passing grade, the company grants the certification.
HIPAA compliance, on the other hand, cannot be achieved by taking and passing an exam. Organizations subject to HIPAA (covered entities, as well as their business associates) are required to perform a periodic evaluation – technical and non-technical – to establish that their security policies and procedures meet HIPAA requirements. (Note: If you’re just beginning the process, HIPAA Vault has a helpful checklist you can use for assessment.)
In the world of data protections, maintaining HIPAA compliance is a continual process; it requires vigilance in the face of continual attempts by malicious actors to gain unlawful access to protected health information.
In other words, HIPAA compliance can be maintained one day and lost the next, depending on adherence to HIPAA protocols and procedures.
HIPAA in the Cloud
As noted, there is no one, particular company entrusted to “certify” an organization as HIPAA compliant. When it comes to particular cloud solutions – such as those offered by HIPAA Vault – this evaluation for HIPAA compliance can however be verified by independent, third-party auditors and cloud experts. These auditors will perform extensive examinations of controls in data centers, infrastructure, and operations.
For developers, web designers, and all covered entities who will handle electronic protected health information (ePHI), applications and websites must be properly configured and secured for HIPAA compliance. A complete risk assessment of your organization should also be completed as part of HIPAA’s Administrative Safeguards, which entails identifying the ePHI that your organization receives, maintains, or transmits.
This risk assessment should also be performed by vendors or consultants that handle ePHI, with a view toward any “human, natural, and environmental threats to information systems that contain e-PHI.” Physical and technical safeguards should also be in place to protect workstations, equipment, and access to networks and environments.
There are definite differences between HIPAA “certification” and “compliance.” HIPAA compliance means adhering to the set of rules and regulations set forth by DHHS for the secure handling and protection of medical information. Following these regulations is vital for compliance, and especially important when it comes to choosing a hosting provider. You want an experienced provider with the proven expertise to keep your data secure and your patients protected, so you can continue to do what you do best.
HIPAA certification consists of obtaining the credentials which validate your understanding of these rules and regulations. HIPAA Vault can help you on this journey, with the training and resources you need to help your organization become compliant.
Questions about HIPAA? Give us a call (760-290-3460), or chat with us online at www.hipaavault.com.
HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition to HIPAA Compliant WordPress, HIPAA Vault provides secure email and file sharing solutions to improve patient communications.