Am I Required to "Certify" My Organization's HIPAA Compliance?

Modified on Fri, 1 Aug at 12:03 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

This article discusses whether a covered entity or business associate is required to "certify" its compliance with HIPAA, and whether such a certification protects it from investigation or penalties.

The Myth of "Certification" as "Proof" of Compliance

The Department of Health and Human Services (HHS) enforces the HIPAA law and regulations through its enforcement arm, the Office for Civil Rights. The Office for Civil Rights (OCR) may initiate an investigation against a HIPAA-covered entity after someone has filed a HIPAA complaint against that entity.

During the investigation, OCR may request that the HIPAA-covered entity provide documentation of its compliance with specific HIPAA rules. The investigation may result in remedial action, ranging from technical assistance to resolution agreements with corrective action plans and civil monetary penalties.

A commonly asked question is, "If I have taken actions X, Y, and Z, I am completely compliant, and will not be investigated, right?" (A variation of this question is, "What specific steps do I need to take to become 100% compliant so I will not be investigated?").

Along the same lines, a common belief is, "There is no way that I can be penalized if I am investigated: I 'self-certified' my compliance with HIPAA, or engaged a third party to provide a 'certification.'"

As noted in an HHS Q&A on the Security Rule, "certification" does not prevent organizations from being investigated, or from being found to have violated HIPAA:

Question: "Are we required to 'certify' our organization's compliance with the standards of the Security Rule?"

Answer: "It is important to note that HHS does not endorse or otherwise recognize private organizations' 'certifications' regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a 'certification' by an external organization does not preclude HHS from subsequently finding a security violation."

Determining whether an entity has committed a HIPAA violation is a power, and a responsibility, reserved to government enforcement authorities: HHS OCR and, under the HITECH Act, state attorneys general. No private certification body, and no self-certification, can make that determination or take it off the table. A certification program can still be useful as a way to organize and document a compliance program, but the documentation itself, not the certificate, is what OCR will ask to see.