HIPPA – Get Certified or Not?
Should You Get HIPPA Certified or Not?
Many of our clients have brought up the question about HIPPA Compliance, “Are we required to “certify” our organization’s compliance with the standards of the Security Rule?”
The reason for the question is because there are companies out there charging Medical related companies a lot of money to “Get Certified”
We can get the answer from the U.S Department of Health & Human Services (HHS). The following is their answer to the question.
No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.
If you company is paying large fees to “Get Certified” you are wasting your money unless the company that provides the certification is will to put in writing that they will pay for all expenses or fines related to becoming complicate after you fail an audit by HHS.
Your company needs to perform a periodic technical and non-technical evaluation that establishes the extent to which security policies and procedures meet the security requirements. This can be a checklist of items to verify on an annual basis. You may want an external company to also run the checklist annually for verification.
If you need any assistance give us a call at 505-892-7364