What is HIPAA IT Security Certification?

HIPAA IT Security Certification

The Department of Health and Human Services (HHS) is the federal agency that enforces the HIPAA regulations. Private entities have asked HHS whether they are required to “certify” their organization’s compliance with the standards of the HIPAA Security Rule. HHS has made its answer publicly available: there is no Security Rule standard or implementation specification that requires a covered entity to “certify” compliance. Therefore, there is no such thing as HIPAA IT certification. The myth of a HIPAA “requirement” for HIPAA IT security certification is discussed below.

There’s No Such Thing as HIPAA IT Security Certification

HHS’ website lists answers to professionals’ commonly asked questions. In one FAQ, HHS answers the question “Are we [the covered entity] required to ‘certify’ our organization’s compliance with the standards of the Security Rule?” HHS’ answer is no.

HHS’ accompanying explanation states:

“No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such HIPAA certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”


There are several items to unpack from this statement:

First, HHS states that a covered entity or business associate is required to adhere to the administrative safeguards provision of the HIPAA Security Rule. Administrative safeguards are the policies and procedures an organization must create and implement to protect ePHI from being impermissibly used or disclosed.

Through these policies and procedures, an entity must:

The “evaluati