HIPAA Certified: Not So Fast

A healthcare organization is looking for a new electronic medical record, secure messaging application or other solution. It compares a number of vendors and product features and gets close to choosing one. Just before making the final decision, someone asks: what about HIPAA? As this question enters the discussion, another person says that the chosen product is HIPAA “certified.” Hearing that the product is certified, everyone is satisfied and assumes that HIPAA obligations are all set. Unfortunately, HIPAA “certification” does not settle any issue.

The question of certification is one that has been around almost as long as HIPAA itself. From the legal perspective, a certification is not even worth the paper it is printed on. The government, specifically the HHS Office for Civil Rights (OCR), does not contemplate certification of HIPAA compliance, nor does it authorize any third party to provide an “official” certification. This is stated in a longstanding “Frequently Asked Question” from OCR. As such, any company or product advertising HIPAA certification is making an unverifiable claim. Since OCR does not endorse or recognize certification, questions should be asked about any product claiming it. A buyer cannot feel comfortable just by seeing the “certification.”

The lack of any recognized certification raises the question of whether it is time to have an official certification program. Would such a program help distinguish those products or solutions that truly meet HIPAA standards from those that do not? Who would administer and/or oversee a certification program? These are important aspects to consider if a certification program were to be pursued.

At first blush, certification seems desirable because it may establish baseline standards and expectations. HIPAA is quite clear in terms of the privacy policies and protections that need to be in place. The differences arise when it comes to security policies and procedures. The Security Rule is designed to be flexible, so not every organization will have the same policies and procedures. Such differences are not necessarily a barrier, but they need to be factored into any certification standards.

From the opposite perspective, there is a concern that certification would become an end in and of itself, without thinking further. Would organizations target the bare minimum needed to obtain the certification, or think holistically about what is needed above and beyond HIPAA requirements? At this point, it is important to remember that HIPAA only establishes a baseline for good security protections. Truly effective security needs to go well beyond what HIPAA may require.

With all of these considerations in mind, certification remains an open question, but one worth fully vetting. For the time being, an organization can certainly have an independent party audit its policies and procedures to obtain an unbiased assessment of its compliance status. However, any audit results are for internal education and assessment, not for holding out as a stamp of approval.

About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.

2 Responses to HIPAA Certified: Not So Fast

  1. Sincere Sentry says:

    Absolutely correct! “HIPAA Certified” is nothing but a marketing ploy that the Internet-based cottage industry of HIPAA compliance vendors uses to sell products and services. Some also say they provide “HIPAA Insurance” if you buy their products; have you read the so-called insurance policies? They are as worthless as “HIPAA Certification.” I am surprised that state bar associations have not taken action against many of these vendors who are giving unauthorized legal advice.

  2. Pingback: HITECH Answers: Meaningful Use, EHR, HIPAA News - HIPAA Certified: Not So Fast
