Is your health care organization HIPAA certified? Before you start searching for your certification documentation, you should know that this is a trick question.

The fact is that there is no such thing as an official HIPAA certification for organizations. There is no regulatory body that officially recognizes any certification based on an organization meeting compliance requirements.

But that hasn’t stopped a handful of companies from marketing this service, and offering to help organizations become “HIPAA certified.” And it hasn’t stopped health care organizations from falling for this scam.

In fact, when you consider the reality of cybersecurity, HIPAA certification of an organization doesn’t even make sense. For example, say your organization was “certified” on a Monday. Then on Tuesday your systems were breached. How effective was the so-called certification?

The Only Real HIPAA Certification

There is only one actual type of HIPAA certification, and it’s given to health care employees who receive specific HIPAA training. Although the law does not require any individual to become certified, some organizations may want certain employees to obtain HIPAA certification—such as employees in security, risk and accounting, for example.

Typical certifications include one or more levels of HIPAA awareness, security, privacy, administration and transaction—and these four steps:

Step 1 — Choose a reputable HIPAA training company that offers certification credentials at the training level desired. Options include awareness certification for basic knowledge of HIPAA, privacy and administrator certification for handling and storing data and files, and transaction and security certifications for employees working with electronic data.

Step 2 — Attend the training, either online, at a training center, or in your facility.

Step 3 — Take the certification test at the end of the training. (Basic HIPAA training may not require testing.)

Step 4 — Stay current by visiting the U.S. Department of Health and Human Services website for changes, additions and modifications of the HIPAA.

Implement Real Cyber Risk Management Tactics

Like any quality health care organization, you want to do everything in your power to keep your patient data secure and stay compliant with all industry regulations. There are proven ways to accomplish that commendable goal—including risk analysis, continuous risk management, and progress monitoring and recording.

  1. Bona Fide Risk Analysis

Risk analysis is a systematic, rigorous process used to identify all of the possible ways in which the confidentiality, integrity or availability of any sensitive information (like patient’s personal data) may be compromised. The main deliverable from a risk analysis is a risk register or risk rating report that prioritizes potential security issues. This service helps organizations prevent costly complaints, fines and reputational damage caused by a breach.

  1. Continuous Risk Management

Keeping a company secure is not a “one and done” event. Continuous risk management is a critical piece of the security process. It addresses multiple aspects of a security program, for example, identifying when updates are needed.

  1. Progress Recording and Monitoring

Promises and policies are not enough to ensure compliance today. Your organization also needs to track and monitor your security, for example, the use and disclosure of patients’ personal data. This includes regular reviews of procedures, tracking disclosures, and verifying all issues were addressed correctly.

As cyber risks become an increasingly bigger problem for health care organizations, more marketing scams by unscrupulous companies will sprout up to take advantage of companies’ fears. The best defense is staying informed, so you can separate the reality from the rip-offs—and keep your organization secure rather than swindled.

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.