Did you know there’s no such thing as a “HIPAA Certification”? According to the US Department of Health and Human Services website, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The same goes for business associates: If a company tells you they are “HIPAA Certified”, it’s usually just a marketing tactic.
HIPAA compliance is based solely on a covered entity or business associate’s internal practices falling into line with HIPAA requirements. The rules state that organizations must periodically review their technical and non-technical security practices and procedures. This can be done internally, or by an external group that can provide “certification”.
However, HHS does not recognize or endorse any independent organization’s certifications. Having a certification from an outside agency does not absolve covered entities and business associates of HIPAA Security Rule requirements, and does not preclude HHS from finding violations on its own. So basically, if you get a certification from an external agency and they miss a violation at your organization, HHS could still find it and fine you for noncompliance. A certification offers no protection in this situation.
So then, how can a covered entity be sure they’re fully HIPAA compliant? Or how can they be sure the business associate they’re interested in working with meets HIPAA regulations and requirements? The only true way to know is to know the rules and make sure you and your business associates are following them.
Instead of claiming a “HIPAA Certification”, Gillware Online Backup has decided to help you understand what HIPAA compliance includes and how our backup solution meets the criteria laid out by the Security Rule for the handling of electronic protected health information (e-PHI):
When it comes down to it, you shouldn’t leave your HIPAA compliance up to chance. Be sure that your organization is following the rules and that all of your business associates are fully compliant as well. Certifications won’t do you any good if HHS finds violations at your organization or with one of your vendors. Know the requirements and get in compliance!