What is HIPAA Certified Software?

The federal government and the states define the term “certification” as the process by which a non-governmental organization grants recognition to an individual (or group) who has met that organization’s qualification standards. This means that neither the federal government nor the various states “certify” a healthcare organization as being HIPAA compliant. In addition, the federal government does not recognize or accept a private company or organization’s attempt to “certify” an organization as being HIPAA compliant. Because there is no such thing as HIPAA certification, there is no such thing as HIPAA certified software.

HIPAA Certified Software: Why is This Term a Myth?

There is no software product or program which, if used as intended, “certifies” someone as being HIPAA compliant. Nevertheless, a company, either out of ignorance or out of an attempt to mislead a consumer, may advertise software as HIPAA certified software. A would-be buyer of this software, not knowing that there is no such thing as HIPAA certification, may buy the software, follow its instructions, and then conclude he or she has “proof” of compliance with HIPAA law.

Since there is no such thing as HIPAA certified software, no such proof actually exists. Say that a healthcare entity purchases software whose publisher claims the software is HIPAA certified software. Say that, when the entity completes the program, it can print out (and even frame) a “certificate” stating “Software Company X has determined Healthcare Organization Y” is HIPAA compliant. 

The worthlessness of the certificate becomes apparent very soon. Under the HIPAA Breach Notification Rule, a healthcare organization must report breaches of unsecured PHI to affected individuals and HHS. Having the certificate doesn’t give the organization a “Get Out of Jail Free” card to not report the information. The very purpose of providing a breach notification is to permit the government to determine whether the organization should be fined for the breach – which makes sense, since it is the government that is enforcing the law in the first place. If a healthcare organization were allowed to tell an affected individual and HHS, “Sorry about that whole breach thing, but this certificate says I used HIPAA certified software, so I didn’t breach anything, and I don’t have to tell anyone anything and can’t be fined,” the organization would be, in effect, creating and enforcing its own law, instead of the law that must be followed by everyone.

What Can an Organization Do to Become HIPAA Compliant?

Even though there is no such thing as HIPAA certified software, software does exist that a healthcare organization can use to show HHS it did everything it could – that is, made a good faith effort – to achieve HIPAA compliance. Compliancy Group’s proprietary HIPAA compliance tracking solution, The Guard, provides users with the tools they need to document to HHS their good faith effort to achieve compliance.