HIPAA Compliant, HIPAA Certified

What does HIPAA Compliant Mean?

The US Department of Health and Humans Services (HHS) does not formally define the term HIPAA Compliant, but it is generally defined as being in compliance with each of the applicable requirements of the national standards for the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification rules published by HHS.

However, the phrases “HIPAA Compliant” or “HIPAA Certified” appear frequently in marketing materials and on websites. You may even see logos like the one below. But what does that really mean? And do you need to obtain a HIPAA Certification?

(Does this logo REALLY mean the company is “HIPAA Compliant”?)

The truth is there is no formal “HIPAA Compliant” certification approved by the US Department of Health and Human Services (HHS), the federal agency charged with overseeing HIPAA. As a result, any organization can claim they are “HIPAA Compliant” in their marketing efforts. And the standards for claiming HIPAA Compliance vary dramatically. I recently saw one vendor whose Google headline read “HIPAA Compliance in 14 Min.”

Do I need to be HIPAA Compliant?

HIPAA applies to healthcare providers, health plans and healthcare clearinghouses who transmit data electronically. So basically, every provider, such as your doctor, dentist, pharmacy, hospital, etc. would need to be compliant. As would your insurance company and the clearinghouses that connect your provider with your insurance. HIPAA refers to these organizations as covered entities. A covered entity is expected to be compliant with all HIPAA Privacy, Security and Breach Notification Rules.

However, even if you aren’t a provider, health plan or clearinghouse, you may be subject to HIPAA as a business associate. A business associate is an individual or organization that performs functions for a HIPAA covered entity that involves the use or disclosure of protected health information.

As a business associate, you will be asked to sign a Business Associate Agreement (BAA) that outlines the elements of the HIPAA regulations you are expected to implement and address. Additionally, if you subcontract any of the work you do for a covered entity, you need to enter into a BAA with your subcontractor. Business associates are always required to comply with the HIPAA Security rules and may be subject to other rules depending on the services they are providing for the covered entity.

Both covered entities and business associates are legally required to be HIPAA compliant and are subject to fines and penalties for failure to comply with the HIPAA regulations. In 2019 HIPAA enforcement by HHS resulted in financial penalties of over $12 million.[1]

Covered entities often assume that if they have obtained a BAA with a vendor, they will be protected if the vendor has a data breach. However, a HIPAA BAA does not always indemnify a covered entity. If the covered entity fails to obtain “satisfactory assurances” that your vendor is HIPAA compliant prior to entering into the contract and a breach subsequently occurs, the covered entity may be liable for the breach. And regardless of who is liable, the covered entity will sustain reputational damage if their vendor has a breach involving Protected Health Information (PHI) of the covered entity.

How do I prove I am compliant? How do I know my vendors are compliant?

Since there’s no formal certification program, you may be wondering how you can prove to your patients or clients how you are in compliance with the applicable HIPAA regulations. And if you are looking at a vendor and they tell you they are HIPAA compliant, how do you know what that means?

In order to prove HIPAA compliance, you have to evaluate your operation against the HIPAA regulations. One way to do that is to audit your organization using the HHS Office of Civil Rights (OCR) HIPAA Audit Protocol. The protocol outlines the expected policies and procedures for HIPAA compliance. You should verify that your policies and procedures meet the HIPAA requirements and that these policies have been fully implemented.

HIPAA compliance reviews can be performed internally or by an independent external organization. Internal reviews should be performed by someone independent from the processes being reviewed and should include evidence supporting the conclusions reached.

Alternatively, an external review may provide you with more robust support for your clients. An external review done by a professional services organization should provide you with documentation that you can offer to your clients regarding your HIPAA compliance status.

For example, at CompliancePoint, we perform a detailed audit of your operations using the OCR HIPAA Audit Protocol as our audit baseline. We then provide the audited organization with a formal report outlining their status on each of the audit questions and a memo of compliance, which can be used to provide evidence of compliance with the HIPAA rules and regulations.

For a business associate, having an independent third party perform your HIPAA audits will provide you with evidence you can use to set yourself apart from your competitors. It will also help reduce the time you spend responding to security questions from your clients.

HIPAA is an ongoing process, and any audit is always just a “snapshot” in time. We recommend revalidating the results of your HIPAA audit at least annually to help ensure you maintain compliance with the HIPAA rules.

If you are evaluating a vendor and they say they are HIPAA compliant, you should still screen to confirm their compliance standard agrees with your expectations of compliance. If they have had an independent audit of their compliance, ask them to provide you proof of this review so you can verify what was reviewed and identify any significant gaps that might impact your operations. If the organization has not had an independent audit, you need to perform an assessment of their compliance prior to allowing them access to PHI in order to prove you exercised due diligence before granting access to ePHI.

Compliance, Compliance, Compliance

HIPAA compliance is not optional, and failure to comply with HIPAA can be costly to both your reputation and your bottom line. The lack of a formal HIPAA Certification program means that it is dependent upon the organization to provide robust proof of compliance, both to their customers and external regulators. Failure to be proactive and address any gaps in compliance can result in significantly increased fines in the event of a breach or other OCR investigation.

CompliancePoint has experienced assessors who have worked with providers and business associates to assess HIPAA compliance and develop effective corrective actions. If you are interested in how we can help, please reach out to us at 855-670-8780 or connect@compliancepoint.com .

[1] https://www.hipaajournal.com/hipaa-enforcement-in-2019/