Does my healthcare practice need to be HIPAA/HITECH certified?

We mentioned earlier in one of our blog posts that we would get back to you about the HIPAA/HITECH “Certification” question that many healthcare practices are asking about. Certification by a third party is not required for Covered Entities and Business Associates, unlike PCI or ISO certification requirements. HIPAA/HITECH “certification” is not mandated in any way, and no one is authorized to provide HIPAA/HITECH certification per se. Rather, Covered Entities and Business Associates need to be compliant with the new omnibus HIPAA Privacy, Security and Breach Notification rules.

This is very clearly stated on the HHS website: “A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”

If you want to learn more about HHS’s position on getting HIPAA certification, please go through the following links:

http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2003.html

http://www.techrepublic.com/article/industry-insiders-say-dont-bother-with-hipaa-certs/

The above discussion clearly concludes that there is no single certifying authority on HIPAA/HITECH rules. The assessment of HIPAA rules in your practice and the implementation of required remediation could technically be performed by anyone, with no prior qualification. However, the purpose and intent of the evaluation is twofold:

1) To genuinely secure patient data and put the required processes in place to avoid legal issues

2) To handle an HHS Office for Civil Rights (OCR) audit request

In order to handle this HIPAA conundrum, we recommend at least having the initial HIPAA/HITECH assessment against the new rules conducted by an externally qualified organization. Use the same methodologies and processes used by the external organization to conduct your own periodic assessments in subsequent years. In addition, if there is any major change in scope, such as a change to your IT infrastructure, a vendor upgrade or the introduction of a new line of business, have the assessment done by an external organization.

Only experience and industry knowledge will help you apply the rules to your practice successfully.

There are quite a few organizations providing training and certification to acquire HIPAA expertise. Firms can benefit from their workers completing one or more of the established credentials, including:

1) Healthcare Information Security and Privacy Practitioner (HCISPP) by ISC2: https://www.isc2.org/HCISPP/Default.aspx

2) AHIMA certification page: http://www.ahima.org/certification

3) CompTIA: http://certification.comptia.org/getCertified/certifications/hittech.aspx

No matter how you do your assessment, at least ensure you address the following three aspects of HIPAA/HITECH compliance:

1) Conducting a thorough security risk assessment of all your technological assets

2) Updating your information security policy document

3) Providing awareness training to your staff

Our mission is to assist healthcare organizations and business associates in the development, design, and implementation of practices to secure IT systems and comply with HIPAA/HITECH privacy, security, breach and enforcement rules by protecting patient health information.