A healthcare organization is looking for a new electronic medical record, secure messaging application or any other solution. It compares a number of vendors, product features and gets close to choosing one. Just before making the ultimate decision, someone asks, what about HIPAA? As this question enters the discussion, another person says that the chosen product is HIPAA “certified.” Hearing that the product is certified, everyone is satisfied and thinks that HIPAA obligations are all set. Unfortunately, HIPAA “certification” does not settle any issue.
The question of certification is one that has been around almost as long as HIPAA itself. From the legal perspective, certification is not even worth the paper it is printed on. The government, specifically the HHS Office for Civil Rights, does not contemplate certification of HIPAA compliance, nor does it authorize any third party to provide an “official” certification. This fact is revealed in a longstanding “Frequently Asked Question” from OCR. As such, any company or product advertising HIPAA certification is providing an unverifiable statement. Since OCR does not endorse or recognize certification, questions should be asked about any product claiming certification. A buyer cannot feel comfortable just be seeing the “certification.”
The lack of any recognized certification raises the question of whether it is time to have an official certification program. Would such a program help distinguish those products or solutions that truly meet HIPAA standards from those that do not? Who would administer and/or oversee a certification program? These are important aspects to consider if a certification program were to be pursued. At first blush, certification seems desirable because it may establish baseline standards and expectations. However, there could be a concern that certification would be an end in and of itself, without thinking farther. As such, certification is an open question and one worth fully vetting.
At first blush, certification seems desirable because it may establish baseline standards and expectations. HIPAA is quite clear in terms of privacy policies and protections that need to be in place. The differences can arise when it comes to security policies and procedures. The Security Rule is designed to be flexible. Not every organization will have the same policies and procedures. Such differences are not necessarily a barrier but need to factor into the certification standards.
From the opposite perspective, there could be a concern that certification would be an end in and of itself, without thinking farther. Would organizations target the bare minimum to ensure that certification is issued, or think holistically about what is needed above and beyond HIPAA requirements. At this point, it is important to remember that HIPAA only establishes a baseline for good security protections. Truly effective security needs to go well beyond what HIPAA may require.
With all of these considerations in mind, certification is an open question. Even though it is an open question, the topic is one worth fully vetting. For the time being, an organization can certainly have an independent party audit its policies and procedures to have an unbiased scoring of compliance status. However, any audits results are more for internal education and assessment, not for holding out as a stamp of approval.