When considering HIPAA compliance, it’s a bit of the wild west out there right now. The Office for Civil Rights (OCR) enforces fines and sanctions for HIPAA violations, but mostly on a reactive basis. You can review the HIPAA cases currently under investigation to get a sense of the types of incidents and breaches that currently lead to fines, and you can also see the category assigned to each breach under investigation. At the time of this article, many of the breaches of HIPAA data under investigation are categorized as hacking or IT incidents.
If HIPAA enforcement doesn’t come from the OCR, then where does it come from? It will have to come either from healthcare organizations requiring more assurance than has historically been provided, or from a breach, fine, or incident large enough to raise public awareness of the issue.
Our firm has seen an increase over the past few years of companies providing healthcare IT services being required to provide greater assurance to business partners than has historically been provided. In the technology space, an organization’s “word” that they are HIPAA compliant may no longer be enough for business partners. This brings us back to the wild west of HIPAA compliance.
Although there is no such thing as a HIPAA certification, a quick Google search confirms that many companies are offering HIPAA certifications. What is unfortunate is that after paying a significant amount for a “HIPAA Certification”, companies might discover that marketing themselves as HIPAA certified does not provide as much assurance as hoped when working with business partners that know there is no such thing as a HIPAA certification. So how can you demonstrate HIPAA compliance?
How to Demonstrate HIPAA Compliance
The following are options for demonstrating HIPAA compliance:
- Identify relevant HIPAA requirements, perform self-assessment, remediate any gaps, and attest to business partners that you are HIPAA compliant (least expensive).
- Engage a third party to assist with performing a HIPAA readiness assessment and remediate gaps identified by the third party. Then, attest to business partners that you are HIPAA compliant.
- Engage a third party to perform a readiness assessment, remediate any gaps, and obtain a third-party attestation to your organization’s compliance with HIPAA. The AICPA offers a method for CPA firms to attest to clients’ compliance with rules and regulations. Other companies offering HIPAA “certifications” provide a service similar to what a CPA firm would, but they may not be held to equivalent workpaper standards or oversight. So… buyer beware. Ensure the firm you choose to assist with HIPAA compliance is reputable and that the auditor you will be working with has significant HIPAA experience.
- Obtain a HITRUST assessment. HITRUST assessments and certifications are gaining traction because large healthcare organizations see HITRUST as a way to ensure business associates and other organizations are complying with HIPAA. A HITRUST assessment is more involved than a typical HIPAA audit because it may include other requirements from NIST or ISO in addition to HIPAA. A HITRUST assessment is unique to each organization because scoping questions and factors drive the requirements for each organization.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of protected health information. In response, the HHS created the HIPAA Privacy and Security rules. The Privacy Rule established certain rights that all US citizens have with regard to protecting their health-related information.
The Privacy Rule protects US citizens’ personally identifiable health information from unauthorized disclosure or use. It applies to covered entities and to business associates of covered entities.
The Security Rule builds on the Privacy Rule by creating requirements for how electronic health information, also known as electronic protected health information (ePHI), is protected. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ ePHI.
What Does HIPAA Compliance Mean?
Being compliant with HIPAA is dependent on the type of entity or healthcare organization you are. Covered entities have additional requirements that must be complied with under HIPAA. The American Recovery and Reinvestment Act of 2009 (ARRA) also expanded HIPAA requirements to include business associates or service organizations for covered entities.
To hold your organization out as HIPAA compliant, you must comply with all of the HIPAA requirements applicable to your organization.
Other Common HIPAA Compliance Questions:
- Who needs HIPAA compliance? HIPAA protects US citizens’ health records from unauthorized use and disclosure and applies to covered entities and to business associates of covered entities.
- Who oversees and is responsible for HIPAA compliance? The U.S. Department of Health and Human Services (HHS).
- Who enforces HIPAA compliance? Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.
- How to get HIPAA compliance? Perform a self-assessment or hire a firm to perform a HIPAA compliance assessment. Following gap remediation, your organization should be HIPAA compliant.
- What is a key to success for HIPAA compliance? Performing HIPAA related controls consistently.
- What is used to verify HIPAA compliance? HIPAA compliance can be verified internally or using a third party. Third parties are used to provide greater assurance to business partners that HIPAA requirements are being met.
To summarize, there are a variety of ways to demonstrate HIPAA compliance. The right approach is to determine the level of assurance required by your business partners. Does a contract depend on having a third-party report on HIPAA compliance? Or perhaps the contract requires a HITRUST certification.
Our firm provides HIPAA attestation reports (AT-C 315) that our clients use to demonstrate HIPAA compliance, and we also perform HITRUST validated assessments. If you have questions about HIPAA compliance or “certification”, feel free to reach out. We enjoy giving our clients the peace of mind that they are truly HIPAA compliant. Also, see links to past Linford & Company HIPAA-related articles below:
- A Summarized Guide to HIPAA Compliance Audits
- HIPAA Business Associate Agreements
- HIPAA Security Rule Requirements & Implementation Specifications
- HIPAA Record Retention Requirements: How Long Should We Retain ePHI Data?
- The HIPAA “Wall Of Shame”
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.