HIPAA Server Compliance vs Certification: What’s the Difference?

The difference between HIPAA server compliance and certification is straightforward: compliance means following a set of rules imposed by a governmental body, and following those rules is mandatory, not optional. Certification means receiving an award or other document of completion, given to indicate that a person has completed a course of education. Completing such a course, whether offered by a private entity or a governmental entity, is optional; the law does not require it. The issue of HIPAA server compliance vs certification is discussed in greater detail below.

HIPAA Server Compliance vs Certification: Who Does What?

HIPAA server compliance consists of maintaining an organization’s server in accordance with the HIPAA Security Rule’s administrative, physical, and technical safeguard provisions.

The administrative safeguard requirement of the HIPAA Security Rule dictates that covered entities and business associates implement security management practices. To do this, organizations must implement policies and procedures designed to prevent, detect, contain, and correct security violations.

One of the most important administrative safeguard provisions is the requirement for covered entities and business associates to perform a risk analysis for each server. The analysis is necessary to determine whether the server’s existing security measures are reasonable and appropriate.

A server risk analysis process includes the following activities:

  • Evaluating the likelihood and impact of potential risks to ePHI associated with each server;
  • Implementing appropriate security measures to address the risks identified in the risk analysis (i.e., “risk management”);
  • Documenting the chosen security measures for each server and, where required, the rationale for adopting those measures; and
  • Maintaining continuous, reasonable, and appropriate security protections for all servers.

Physical safeguard measures protect the physical security of the work environment and of devices storing ePHI. Such measures include:

Facility Access and Control Measures. Covered entities and business associates must limit physical access to facilities, while allowing authorized access to ePHI.

Workstation and Device Security. Covered entities and business associates must: