Paubox blog: HIPAA compliant email made easy

Certificates that can prove HIPAA compliance

Written by Tshedimoso Makhene | June 16, 2024

There are several certifications and reports that can help demonstrate HIPAA compliance, though none are officially endorsed by the Department of Health and Human Services (HHS) as "HIPAA certified."

 

HIPAA compliance vs. HIPAA certification

“Although there is no HIPAA certification, third-party organizations can audit your practice or company,” says the Compliancy Group.

HIPAA compliance refers to adherence to the regulations and standards set forth by the Health Insurance Portability and Accountability Act (HIPAA) to protect the privacy and security of health information. It involves implementing appropriate administrative, physical, and technical safeguards, conducting risk assessments, and maintaining ongoing monitoring and training. On the other hand, HIPAA certification typically refers to an independent assessment or audit conducted by third-party organizations that evaluates an entity's compliance with HIPAA requirements. While these certifications can provide evidence of compliance, the Department of Health and Human Services (HHS) does not officially recognize any specific "HIPAA certification." Compliance is an ongoing process, whereas certification is an evaluation at a particular point in time.

Learn more

 

Certificates that might prove HIPAA compliance

  • HIPAA compliance certification from third-party auditors: Some organizations undergo a third-party audit by HIPAA experts who assess their compliance with HIPAA rules and regulations. Upon successful completion, the organization receives a certification of compliance.
  • HITRUST CSF certification: The Health Information Trust Alliance(HITRUST) Common Security Framework (CSF) certification encompasses various regulatory requirements, including HIPAA. Achieving HITRUST CSF certification demonstrates that an organization has met industry-defined security requirements and is appropriately managing risk.
  • SOC 2 Type II report: A Service Organization Control 2 (SOC 2) Type II report is conducted by an independent auditor andt evaluates the effectiveness of an organization’s controls over a defined period (usually 6-12 months). While not exclusive to HIPAA, a SOC 2 report can cover HIPAA security and privacy requirements if the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy) are aligned with HIPAA requirements.
  • ISO/IEC 27001 certification: This is an international standard for information security management systems (ISMS). Certification to ISO/IEC 27001 demonstrates that an organization has implemented a robust ISMS, which can include HIPAA safeguards.
  • NIST Cybersecurity Framework (NIST CSF): National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), while not a certification, adherence to the NIST CSF provides a comprehensive approach to managing cybersecurity risks, including those required by HIPAA. Some organizations get third-party attestation of their compliance with NIST CSF.
  • Risk assessments and management plans: Regular risk assessments and documentation of management plans to mitigate identified risks. This is an internal process that organizations can use to obtain HIPAA compliance.
  • Policies and procedures documentation: Organizations must implement comprehensive documentation of HIPAA-related policies and procedures.
  • Training records: Documentation of staff training on HIPAA policies and procedures keeps a record of any HIPAA compliance strategies that organizations implement. 
  • Incident response plans: Detailed plans for responding to data breaches or other security incidents form part of the internal organizational strategies that companies implement to respond to breaches in a HIPAA-compliant manner.
  • Business associate agreements (BAAs): Ensuring all business associates sign BAAs that mandate HIPAA compliance can also serve as a part of demonstrating compliance.

 

FAQs

Who must comply with HIPAA?

HIPAA applies to covered entities and their business associates. Covered entities include healthcare providers, health plans, and healthcare clearinghouses. Business associates are individuals or entities that perform activities involving the use or disclosure of PHI on behalf of a covered entity.

Related: Who needs to be HIPAA compliant?

 

What is required for ongoing HIPAA compliance?

Ongoing HIPAA compliance requires regular risk assessments, updating security measures, maintaining comprehensive policies and procedures, conducting staff training, and having incident response plans in place. It is a continuous process rather than a one-time effort.

 

Can I rely solely on certification for HIPAA compliance?

No, certification alone is not sufficient for HIPAA compliance. While certifications can provide evidence of compliance, organizations must maintain ongoing adherence to HIPAA rules through regular audits, risk assessments, updates to policies and procedures, and continuous training.