What is HIPAA IT Security Certification?

HIPAA IT Security Certification

The Department of Health and Human Services (HHS) is the federal agency that enforces the HIPAA regulations. Private entities have asked HHS whether they are required to “certify” their organization’s compliance with the standards of the HIPAA Security Rule. HHS has made its answer publicly available: no Security Rule standard or implementation specification requires a covered entity to “certify” compliance. In other words, there is no such thing as HIPAA IT certification. The myth that HIPAA “requires” HIPAA IT security certification is discussed below.

There’s No Such Thing as HIPAA IT Security Certification

HHS’ website publishes answers to questions commonly asked by professionals. One FAQ addresses the question “Are we [the covered entity] required to “certify” our organization’s compliance with the standards of the Security Rule?” HHS’ answer is no.

HHS’ accompanying explanation states:

“No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such HIPAA certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”


There are several items to unpack from this statement:

First, the standard HHS points to is part of the administrative safeguards provision of the HIPAA Security Rule, which covered entities and business associates are required to follow. Administrative safeguards are the policies and procedures an organization must create and implement to protect ePHI from being impermissibly used or disclosed.

Through these policies and procedures, an entity must:

The “evaluation standard” to which HHS refers, 45 CFR § 164.308(a)(8), requires entities to perform a periodic technical and nontechnical evaluation that establishes the extent to which an entity’s security policies and procedures actually meet the requirements of the Security Rule.

The second item of note is that, per the FAQ, “The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services.” 

The word “certification” is placed in quotes. The reason is the third item of note, which states: “It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”

Taken together, the second and third items make clear that while a covered entity or business associate may have the evaluation performed by an outside entity, it is not required to do so. The decision, HHS notes, is a business decision, meaning that whether an entity is in compliance with the rule does not change depending on who conducts the evaluation. HIPAA IT security certification is not required, and a HIPAA “IT certification” is given no legal effect. Regardless of whether an entity enlists the services of someone who performs HIPAA IT security certification, the entity remains responsible for HIPAA compliance; it cannot delegate its legal responsibilities to someone else.

The HHS answer reflects common sense: if the requirements of a law regulating one person’s conduct can be satisfied by another person, the law can (and does) say so (examples of such laws include laws allowing for designation of a healthcare proxy). When the law does not say so, the other person cannot take on someone’s legal responsibilities. The principle that laws must be followed by the entities who are regulated, by name, would be put in serious jeopardy if someone could decide to shunt their responsibility to someone else. 

If a company advertises that it provides actual HIPAA IT security certification, claiming that its “certification” satisfies the law, be mindful that HHS gives such certifications no legal effect, and that deceptive advertising claims are subject to enforcement by the Federal Trade Commission. If a company does not use the word “certification” outright but implies it, with language such as “we guarantee X” or “we guarantee that if you use us, you’ll be fully compliant with X,” don’t believe it. It’s not true.

Why You Should Use a Third-Party HIPAA Solution

Third-party validation and verification of compliance efforts, including verification and validation of an entity’s good-faith attempt to meet the standards of the Security Rule, is an important component of compliance. This is especially so for small-to-medium sized businesses with relatively limited experience with cybersecurity principles. A third party can verify and validate that a client went through the third party’s process of making a good-faith attempt to meet legal standards. What the third party cannot do is officially pronounce, through “certification,” that the client is in fact compliant. HHS alone makes that determination, in the course of investigating entities, and its FAQ says exactly that.
