Understanding HIPAA Certification

Simar Kohli
January 7, 2022

The Health Insurance Portability and Accountability Act (HIPAA) is one of the most important pieces of regulation impacting companies today, but it can be extremely confusing. If you find yourself on the website for a company in the healthcare industry, you may notice a badge showcasing that the organization is “HIPAA Certified”. Seeing these badges can be confusing since there is no official HIPAA certification. This guide will explain what companies mean by HIPAA certified, how to get a certification, and how a certification benefits healthcare organizations.

What are HIPAA Certifications?

A HIPAA certification is a way for an organization to proclaim that they are compliant with HIPAA rules and regulations. Covered entities and business associates utilize a certification to show prospective clients and vendors that they understand HIPAA’s privacy and security rules and care about protecting their patients’ data.

It’s important to note that the Department of Health and Human Services (HHS) does not issue HIPAA compliance certificates. HIPAA certifications are issued by third-party auditors. If you see a HIPAA compliance certificate on a website, it does not guarantee that the organization is actually abiding by HIPAA regulations.

Does HHS Endorse HIPAA Certifications?

Although it may seem like it on some websites, HHS does not endorse any third-party HIPAA certifications. Being HIPAA compliant is not a one-time or annual requirement. It is a continuous process that requires companies to remain up to date with any changes to the regulatory environment. Technology also evolves quickly, so companies need to ensure they are utilizing relevant security controls to protect protected health information (PHI).

In certain situations, the Office for Civil Rights (OCR), a sub-branch of HHS, will audit organizations it believes to be violating HIPAA requirements. These scenarios include OCR random selection, someone filing a complaint against an organization, or an organization experiencing a breach.

Passing an OCR audit does not make you ‘HIPAA certified’; it only confirms you were not violating HIPAA guidelines at the time of the audit. Having a HIPAA certification can help companies prepare for audits, but ultimately HHS does not recognize certifications as anything meaningful.

How to get a HIPAA Certificate

The best way to get HIPAA compliance certification is to pass a third-party audit. That means that an auditor evaluated how a company handles PHI, checked whether its computer systems have sufficient security controls, and ensured that employees underwent proper training. Audits can take anywhere from a few months to over a year, but they are worth it to build customer trust.

The cost of a HIPAA certification ranges from around $50,000 to over $150,000 per year. This includes the cost of training, building controls, and hiring an auditor. Costs vary significantly based on the size of an organization, so consider solutions that fit your company’s needs.

For training, some companies write their own content while others use a prewritten training course. We recommend using a prewritten course that has specific training for different roles within a company. Haekka has a large library of courses with training materials that tailor to everyone in your organization.

An auditor will also evaluate every external organization you work with that comes into contact with PHI to ensure they are HIPAA compliant. If you are a covered entity, you need to make sure your business associates also complete HIPAA training and utilize proper security methods. It is a good practice to have all organizations you work with complete a risk analysis questionnaire to make sure they are safe to work with.

When looking at the cost of compliance, consider what the cost of a privacy or security violation would be. HHS can issue penalties such as fines and jail time. These fines can reach several million dollars per year, so effective spending to pass an audit is definitely worth the money.

Although any organization can throw a HIPAA compliance badge on its website, it is not recommended to do so. Most prospective clients and partners will conduct due diligence to ensure the company they are working with is actually protecting PHI and meeting all of their legal obligations.

Potential business associates may ask to see an audit report or some other proof that your systems function as intended. You should be prepared to share the results of any third-party audits, but make sure to have an NDA in place to avoid anyone disclosing confidential information.

When do HIPAA Certificates expire?

Since HIPAA certifications are not endorsed by a regulatory body, they do not have an official timeframe after which they expire. However, most third-party auditors will only issue certifications that are valid for one year. This is because compliance requirements and HIPAA rules can change rapidly.

Deeming a company compliant for long periods of time creates a false sense of security. HIPAA’s security rule mandates that companies do a periodic technical evaluation of their controls to ensure PHI is protected. HIPAA also mandates employees undergo security and privacy training. Training is typically administered once a year, so HIPAA audits are also usually done on an annual basis.

How HIPAA Training and Certifications work together

One of the most important aspects of HIPAA compliance is training every employee with access to PHI. The HIPAA privacy rule mandates training that explains what constitutes PHI, how to handle it, what to do in case of a breach, and other best practices for protecting patient privacy.

The HIPAA security rule requires security awareness training. This training should cover things like using strong passwords, utilizing multi-factor authentication for logging into systems, and other ways to keep your systems secure.

Passing an audit requires companies to show auditors proof that their employees have completed training. Writing HIPAA training, administering it to employees, and collecting proof of training can be a burden for many companies. Haekka puts these steps on autopilot. Haekka ships with a large library of HIPAA content, allows admins to automatically assign training to employees, and generates certificates upon successful completion of a course. These certificates can be used as evidence during audits.

If you have decided to pursue a HIPAA certification by undergoing an audit, make sure to choose a training solution that does most of the heavy lifting for your organization. Passing an audit is difficult, but choosing a platform like Haekka makes it much easier.

Audit Procedures for Business Associates and Covered Entities

Passing an audit and getting a HIPAA certification is a great way to showcase your organizational security. Here are the (simplified) steps involved in a HIPAA audit.

  1. Create policies and procedures for HIPAA compliance. Make sure they are easily accessible and include provisions for what to do in case of a breach.
  2. Train your team to understand what HIPAA requires. This should include both privacy and security awareness training. They should also have specifics on the HIPAA Privacy Rule, the HIPAA Security Rule, and breach notification rules.
  3. Evaluate your current systems and conduct a risk analysis. See what meets HIPAA security requirements and what needs to be upgraded or modified.
  4. Upgrade your systems to remedy any weak areas and reevaluate the effectiveness of your controls.
  5. If you are working with any business partners, create business associate agreements that specify how risks and liabilities will be shared.
  6. Document all of the above procedures. Create logs for things such as someone logging in to a system, someone accessing PHI, network firewall status, and any other activity that can affect the security of your platforms. Documenting and logging activities is one of the most important aspects of compliance.
  7. Hire an auditor from a third-party organization and have them evaluate your security. Make sure you give them access to your logs, provide proof of employee training, and help them procure any other information they need. The auditor will typically conduct a physical site audit on top of looking at your digital security.
  8. Your auditor should combine all of their findings and create remediation plans for all of your vulnerabilities. Implement your auditor's recommendations and make sure your procedures meet their standards.

After these steps you should be able to receive a HIPAA certification from your auditor. Many of these steps may happen quickly, so you should have an employee or team dedicated to working with your auditor. Passing an audit is crucial to succeeding in the healthcare industry.

How HIPAA Certification affects employees

HIPAA training may feel like a chore, but it’s extremely beneficial for employees. For starters, it prevents them from violating HIPAA. HIPAA violations can lead to fines or jail time, so it is important for anyone with access to PHI to know what their responsibilities are. Ignorance of the law is not an excuse to avoid penalties.

One common question people ask is “can I put HIPAA certification on my resume?” Although a HIPAA certificate is not an official license, it doesn’t hurt to put on your resume that you have undergone HIPAA certification training that covers privacy and security awareness. Organizations should train new employees regardless of their previous training, but hiring someone with preexisting knowledge makes the training process smoother.

Does OSHA require HIPAA Certification?

One common question is whether the Occupational Safety and Health Administration (OSHA) requires HIPAA certification. OSHA does not have a specific requirement for HIPAA training, but there is some crossover between the two. OSHA requires collecting workplace data that can be considered PHI. Knowing how to create, process, and transmit that data in a way that is HIPAA compliant is important for OSHA purposes.

Reporting incidents to OSHA is also one of the exceptions to HIPAA’s disclosure rules. In scenarios involving workplace injuries, covered entities may disclose PHI without patient authorization. Understanding how HIPAA works is crucial for any covered entities or business associates that work in an OSHA-regulated workspace.