There’s No Such Thing as HIPAA IT Security Certification
HHS’ website lists answers to professionals’ commonly asked questions. One FAQ asks: “Are we [the covered entity] required to ‘certify’ our organization’s compliance with the standards of the Security Rule?” HHS’ answer is no.
HHS’ accompanying explanation states:
“No, there is no standard or implementation specification that requires a covered entity to ‘certify’ compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or ‘certification’ services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ ‘certifications’ regarding the Security Rule, and such HIPAA certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a ‘certification’ by an external organization does not preclude HHS from subsequently finding a security violation.”