Q&A: Certifying your compliance with HIPAA security standards
Compliance Monitor, December 9, 2009
Q: Does CMS require organizations to certify that they are compliant with the HIPAA security standards?
A: There is no standard or implementation specification that requires a covered entity to certify compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and nontechnical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The covered entity or an external organization that provides evaluations or “certification” services may perform an internal evaluation. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that the Department of Health and Human Services (HHS) does not endorse or otherwise recognize private organizations’ “certifications,” and such “certifications” do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.
This Q&A is adapted from the CMS FAQ website page.