How Do I Get My HIPAA Certification?
If you’re a healthcare provider or a vendor that serves providers, you probably already know that having a HIPAA certificate is essential for compliance. You may even come across promotions that hint at obtaining a “HIPAA Certified” status.
While it may sound appealing, the truth is that such certifications hold no weight in the eyes of the government. Just like Bigfoot, they simply do not exist. What truly matters to the government is your full compliance with HIPAA regulations.
HIPAA Compliance, NOT HIPAA Certification
Although there is no HIPAA certification or accreditation, third-party organizations can audit your practice or company. HIPAA compliance experts will review your policies and procedures for effectiveness. The audits are meant to confirm that the physical, technical, and administrative safeguards required by HIPAA law have been met.
However, in the event of an audit, these third-party validations have no legal standing as a HIPAA certification or accreditation. The OCR states, “Certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, the performance of a ‘certification’ by an external organization does not preclude HHS from subsequently finding a security violation.”
The question to ask yourself is this: “If you don’t understand what is being certified, how can you be sure you are actually fully HIPAA compliant?”
HIPAA Compliance with Compliancy Group
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is in charge of creating and enforcing HIPAA regulations. As such, it has established several rules relating to privacy and security that any entity working with protected health information (PHI) must follow. It is important to note that to be HIPAA compliant, you must address the full HIPAA regulation in its entirety. HIPAA law can be confusing, but the absence of a HIPAA compliance certification does not mean that your organization can’t achieve compliance. Compliancy Group is one such third-party organization that enables HIPAA covered entities and business associates to implement an effective HIPAA compliance program as required by the HHS.
Compliancy Group enables healthcare organizations to achieve HIPAA compliance in a logical and knowledgeable manner. Through our web-based HIPAA platform, clients conduct their required annual self-audits, so they understand exactly where their current state of compliance is.
Completing your self-audits enables our HIPAA software to identify your gaps, allowing us to tailor remediation plans specific to your organization’s needs. In other words, you clearly see what you have done well, where you are currently falling short, and what has to be done to bring your organization to full compliance.
We help you create your organization’s policies and procedures, each tied to specific parts of the law and notated to address your remediation plans. These policies are customized to apply directly to your business’s operations. All of your employees are trained within our HIPAA software, allowing you to track their progress along the way. Compliancy Group facilitates business associate management by providing you with vendor questionnaires to vet your vendors and business associate agreements. We also provide you with the means for employees to report suspected breaches anonymously, and offer you full audit support!
HIPAA Requirements
In order to be HIPAA compliant, your organization must address the following as identified by the HHS:
Self risk assessments to assess administrative, technical, and physical gaps in your organization’s compliance program (Asset & Device Audit, IT Risk Analysis Questionnaire, Physical Site Audit, Security Standards Audit, Privacy Standards Audit, and HITECH Subtitle D Privacy Audit).
Corrective actions address the gaps identified by the self-audits to fix vulnerabilities.
Policies and procedures are developed to address HIPAA regulatory standards and document your “good faith” effort toward compliance.
Employee training ensures that all of your employees have read and understand your organization’s policies and procedures.
Documentation is crucial in the event of a HIPAA audit: it demonstrates the efforts your organization took to be HIPAA compliant. Documentation must be maintained for 6 years.
Business associate management ensures that those you are sharing PHI with are properly protecting it. You must have a business associate agreement (BAA) in place with all of your vendors before you transmit any PHI.
Incident management: in the event of a breach, you must report it to the HHS and the affected individuals (and, in the case of a breach affecting more than 500 individuals, the media), and have procedures in place to track the incident.