How Do You Get HIPAA Certified – How To Be HIPAA Certified

When working in the healthcare industry, organizations must comply with the standards set forth by the Health Insurance Portability and Accountability Act (HIPAA). How do you get HIPAA certified? If you’re a HIPAA covered entity or business associate, you may make inquiries into how to be HIPAA certified. The following article discusses HIPAA certifications.

How Do You Get HIPAA Certified

How do you get HIPAA certified? Well, that question is the wrong one to ask, since the Department of Health and Human Services (HHS) does not recognize HIPAA certifications. One of the main reasons the HHS does not recognize HIPAA certifications is because HIPAA compliance is not static. HIPAA compliance is an ongoing issue that organizations need to monitor, updating their HIPAA compliance program to account for changes in business processes.

How To Be HIPAA Certified

Instead of asking – how do you get HIPAA certified – you should be asking, how do I become HIPAA compliant. Again, how to be HIPAA certified is the wrong conversation, how to be HIPAA compliant is the right one. 

The following are steps that you can take to build your HIPAA compliance program:

  • Self-audits. Before building your HIPAA compliance program it is important to assess your current privacy and security practices to ensure that they are inline with HIPAA standards. Covered entities are required to complete six annual self-audits, while business associates are required to complete five.
  • Gap Identification and remediation plans. By completing self-audits, the gaps in your privacy and security practices are identified. To be HIPAA compliant you must address identified gaps with remediation efforts. Remediation efforts allow you to bring your organization’s privacy and security practices up to HIPAA standards.
  • Policies and procedures. As part of HIPAA requirements, organizations must have policies and procedures that apply directly to their business operations. As such, you must create custom policies and procedures dictating the proper uses and disclosures of protected health information (PHI) within your organization. You must review your organization’s policies and procedures annually to account for any changes in the way you conduct business.
  • Employee training. You must train all employees that may come into contact with PHI, on your organization’s policies and procedures, as well as HIPAA standards. This ensures that employees are aware of their obligation to maintain the privacy and security of patient information. All employees must be trained within 60 days of being hired and employees must be retrained annually.
  • Business associate management. You have an obligation to vet your vendors before it is permitted for the business associate to create, receive, transmit, maintain, or store PHI on your behalf. The best way to do this is to send your vendor a vendor questionnaire. Similar to a self-audit, the vendor questionnaire identifies gaps in the vendor’s privacy and security practices. Before it is permitted for you to work with that vendor, they must be willing to address their gaps with remediation efforts. Each time you consider a new vendor, you must send them a vendor questionnaire before you start working with them.

In addition, to be HIPAA compliant, you must have signed business associate agreements (BAAs) with each vendor. A BAA is a legal agreement that mandates what protections the business associate must have in place. It also dictates that each signing party is responsible for managing their own compliance. Your BAAs must be reviewed annually to account for any changes in your business relationship with that vendor.

  • Incident response. If you experience a healthcare breach, or similar incident that risks the confidentiality, integrity, or availability of PHI, you must report the incident. A breach affecting less than 500 patients must be reported to affected individuals and the HHS by the end of the calendar year. Breaches affecting more than 500 patients must be reported to affected individuals, the HHS, and the media within 60 days of discovery.