HIPAA Server Compliance vs Certification: What’s the Difference?

The distinction between HIPAA server compliance and certification is simple to explain: compliance means following a set of rules imposed by a governmental body, and following those rules is mandatory, not optional. Certification means receiving an award or other document of completion that shows a person has finished a course of education. Completing such a course, whether offered by a private or a governmental entity, is optional; the law does not require it. The distinction between HIPAA server compliance and certification is discussed in greater detail below.

HIPAA Server Compliance vs Certification: Who Does What?

HIPAA server compliance consists of maintaining an organization’s server in accordance with the HIPAA Security Rule’s administrative, physical, and technical safeguard provisions.

The administrative safeguard requirement of the HIPAA Security Rule dictates that covered entities and business associates establish security management practices. To do this, organizations must implement policies and procedures designed to prevent, detect, contain, and correct security violations.

One of the most important administrative safeguard provisions is the requirement for covered entities and business associates to perform a risk analysis for each server. The analysis is necessary to determine whether the server’s existing security measures are reasonable and appropriate.

A server risk analysis process includes the following activities:

  • Evaluating the likelihood and impact of potential risks to ePHI associated with each server;
  • Implementing appropriate security measures to address the risks identified in the risk analysis (i.e., “risk management”);
  • Documenting the chosen security measures for each server and, where required, the rationale for adopting those measures; and
  • Maintaining continuous, reasonable, and appropriate security protections for all servers.

Physical safeguard measures protect the physical security of the work environment and of devices storing ePHI. Such measures include:

Facility Access and Control Measures. Covered entities and business associates must limit physical access to facilities, while allowing authorized access to ePHI. 

Workstation and Device Security. Covered entities and business associates must: 


Technical safeguards are the technology, together with the policies and procedures for its use, that protect ePHI and control access to it. These safeguards consist of the following:


Access Controls. Implementing technical policies and procedures that allow only authorized persons to access ePHI.

Audit Controls. Implementing hardware, software, and/or procedural mechanisms to record and examine access in information systems that contain or use ePHI. 

Integrity Controls. Implementing policies and procedures to ensure that ePHI has not been, and will not be, improperly altered or destroyed. 

Transmission Security. Technical security measures that guard against unauthorized access to ePHI that is transmitted over an electronic network.
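As an added illustration, not part of the original article and not an implementation the HIPAA Security Rule prescribes, the Python sketch below shows how three of these safeguards look when exercised on a server: a role check that gates every request to a patient record (access controls), an append-only log that records every attempt, permitted or not (audit controls), and a hash chain over that log so a reviewer can detect any entry that was later altered or dropped (integrity controls). The role table, user names and record identifiers are constructed for the example; transmission security is left to the transport layer (for instance TLS) and is not modelled here.

```python
import hashlib
import json
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed role table for a hypothetical ePHI server (an assumption of
# this example, not something the article or the Security Rule specifies).
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read"},
    "facilities": set(),  # a role with no ePHI access at all
}

GENESIS = "0" * 64  # chain anchor committed to by the first audit entry


@dataclass
class AuditLog:
    """Append-only audit trail in which each entry commits to the previous one.

    It serves two safeguards at once: it records every access attempt
    (audit controls) and lets a reviewer detect after-the-fact edits,
    reordering or deletion of earlier entries (integrity controls).
    """
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(prev_hash: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

    def append(self, event: dict) -> str:
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"event": event, "prev": prev_hash,
                 "hash": self._digest(prev_hash, event)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute the chain; any altered, reordered or dropped entry breaks it."""
        prev_hash = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev_hash:
                return False
            if self._digest(prev_hash, entry["event"]) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True


def access_ephi(log: AuditLog, user: str, role: str, action: str,
                record_id: str, ts: Optional[float] = None) -> dict:
    """Access-control gate: every attempt is logged, only permitted ones proceed."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.append({
        "ts": ts if ts is not None else time.time(),
        "user": user,
        "role": role,
        "action": action,
        "record": record_id,
        "allowed": allowed,
    })
    if not allowed:
        raise PermissionError(f"{user} ({role}) may not {action} {record_id}")
    # Placeholder payload; a real server would fetch the record here.
    return {"record": record_id, "action": action, "by": user}


def demo() -> dict:
    """Run a short scenario and return what a reviewer would check."""
    log = AuditLog()
    access_ephi(log, "dr_lee", "physician", "read", "pt-1001", ts=1.0)
    try:
        access_ephi(log, "m_ortiz", "facilities", "read", "pt-1001", ts=2.0)
        denied = False
    except PermissionError:
        denied = True
    intact_before = log.verify()
    # Simulate someone quietly flipping the denied attempt to "allowed".
    log.entries[1]["event"]["allowed"] = True
    return {"denied": denied, "intact_before": intact_before,
            "intact_after": log.verify(), "entries": len(log.entries)}


if __name__ == "__main__":
    print(demo())
```

The log records the denied attempt as well as the permitted one, because a risk analysis usually cares more about who tried and failed than about routine successful reads; the hash chain only detects tampering, so in practice the entries would also be shipped off-host so that an attacker who controls the server cannot simply rewrite the whole chain.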

HIPAA Server Compliance vs Certification: What Certifications Exist?

Private entities offer educational courses and training on the elements of HIPAA server compliance. HIPAA server compliance vs certification comes down to this: certification shows that you attended the class and demonstrated a certain level of knowledge. Compliance is actually meeting the legal requirements the class covers. The difference is similar to the difference between attending driving school and passing a road test: a certificate of completion of driving school shows that you attended a class and that you read and understood driving laws and requirements. Passing a road test is proof that you have met these legal requirements.

An example of HIPAA certification is ISO certification. The ISO (International Organization for Standardization) is an independent, non-governmental, international organization. The ISO develops standards to ensure the quality, safety, and efficiency of products, services, and systems. Businesses can receive ISO standards training on a variety of security topics, including server security. Once this training is completed, and once an organization implements the server security measures recommended by ISO, ISO certification is awarded.
