HIPAA Certification is a term that is invariably the center of attraction for every healthcare organization over the past years. Unknown to many providers and known to many of them. It has changed the way of business for the healthcare industry. It is the first national standard to protect PHI. So what’s required to be HIPAA certified?
What is HIPAA Certification?
Though there is no official HHS-mandated accreditation and standard specification within HIPAA that needs Business Associates & Covered Entities to verify compliance. Nevertheless, some companies claim they are HIPAA certified, despite there being no requirement for HIPAA compliance. This means that they must have implemented certain mechanisms to maintain compliance and passed a HIPAA compliance program of a third-party organization.
This could be the next best thing in the absence of a program by the HHS (Department of Health and Human Services). So, when a medical practice is HIPAA certified this means it is meeting all the standards of security, breach, and privacy notification mandates of HIPAA. In addition, a HIPAA-certified firm can also help your organization to stay updated with the HIPAA requirements.
HHS-Endorsed No HIPAA Certification, Why?
HIPAA compliance is a continuous process so the HHS department doesn’t support any kind of HIPAA certification. An organization may have passed a program but that doesn’t mean it will stay compliant with HIPAA in the future too. There are a variety of reasons it could not remain compliant in the future. It may alter the way technologies are used or change the technology it uses.
This may change staff management policies, operational procedures, and business objectives. Notwithstanding that HIPAA regulations in the future may also change and any of these changes may invalidate HIPAA certification. Hence, you must consider the HIPAA certification as an initial objective & later as a continuous process.
It doesn’t require any individual to obtain HIPAA certification and complete any particular training session. But the nature & date of training is important to be documented. However, these HIPAA rules are far-reaching and complicated. The training agencies recruit experts in HIPAA compliance so they can handle the aspects relevant to their roles such as allowable disclosure/use of PHI and ways to handle Protected Health Information accurately.
Moreover, using a third-party training agency provides one benefit to Covered Entities, they are issued with a certification that signifies that the individuals have attended a training course. This will be helpful to the Covered Entity in the case of a HIPAA audit when the certification may not be confirmed by the HHS. Once the training is done, your staff must be efficient enough to follow the policies and procedures as they comply with HIPAA. In addition to this, you can outsource it to a reputable medical billing company if you don’t have official training protocols.
Health Care Providers
Regardless of the practice size, each healthcare provider is a covered entity that transmits the health data in connection with the particular transactions electronically. These include the transactions following the HIPAA transaction rules established by the HHS and other transactions such as referral authorization requests, benefit eligibility inquiries, medical claims, etc. The transaction should be in connection with an official transaction.
The HIPAA privacy regulation covers a medical practice whether it transmits transactions via an outsourced medical billing company or directly transmits it electronically. Medical practices include every organization or other person that bills to get reimbursed for services like a Health Care Clearinghouse. And include all healthcare providers such as, “providers of health or medical services” (for example dentists, physicians, and other practitioners included in non-institutional providers), “providers of services” (for example hospitals included in institutional providers), defined by Medicare.
Covered Entities- HIPAA Certification Requirements
Compliance professionals review the following areas to declare an entity is HIPAA compliant;
- Incident management processes in the case of violation of HIPAA and data breach.
- Audit documentation to assure the required HIPAA documentation is accessible and maintained.
- Due diligence methods and business associate contract management.
- Remediations plans to identify and address the gaps in the audits.
- Training sessions for employees so they can understand the above procedures and policies.
- Compliance with safeguards of the HIPAA Security Rule such as technical, physical, administrative safeguards. It is not limited but includes a privacy standards audit, HITECH Subtitle D privacy audit, a physical site audit, device audit, a security standards audit, asset, and an IT risk analysis questionnaire.
- Procedures or policies to document the right efforts to stay compliant and address HIPAA regulatory compliance.
HIPAA certification requirements are not something you can fulfill overnight due to the delicate procedures involved with the HIPAA Security Rule in auditing compliance. Additionally, it is impossible to tell how much time it will take to achieve HIPAA certification. When gaps in the audit procedures are unknown and you are unaware of the remediation plans that are required to address these gaps.
HIPAA Risk Management & Analysis
In provision to the Security Rule, the administrative safeguards require Covered Entities to conduct risk assessment. Risk analysis influences the implementation of all of the safeguards involved in the Security Rule. By determining which security measures are appropriate and reasonable for a particular covered entity you can address the risk management separately. It involves the following;
- Maintain appropriate, continuous, reasonable security protections.
- Address the risks found in risk management by taking appropriate security measures.
- Assess the impact and likelihood of possible risks to e-PHI.
- Document the selected security measures.
- Evaluate the rationale for adopting the above measures.
A risk assessment must be a continuous procedure that helps Covered Entities to regularly track access and reviews records to e-PHI-
- Reevaluates potential risks to e-PHI regularly.
- Evaluates the effectiveness of security measures periodically.
- Detecting security incidents.
Documentation Requirements & HIPAA Policies
The Covered Entities should take proper measures and follow policies/procedures to stay compliant with the Security Rule provisions. They should maintain- at least 6 years after the ‘’last effective date’’ or ‘’next date to creation’’, written records of required activities/assessments/actions, and written security policies/procedures.
The Covered Entities must update their documentation and periodically review it in response to organizational/environmental changes that impact the security of e-PHI.
- Compliance Dates/Compliance Schedule
Except for “small health plans,” all Covered Entities must stay compliant with the Security Rule.
- State Law/Preemption
Federal requirements will apply until the State law is more stringent. Because generally HIPAA regulations State laws are preempted by these requirements.