• E-mail
• Print
• RSS

Are we required to undergo HIPAA certification?

HIPAA Weekly Advisor, March 13, 2006

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Two HIPAA security rule standards relate to this question: the security management process (risk analysis implementation specification) and evaluation.

Although both require you to evaluate specific elements, there is no requirement that an outside party certify you for HIPAA compliance. In fact, outside of the International Organization for Standardization's (ISO) information security management standard ISO/IEC 27001:2005, there is no true HIPAA compliance certification.

You can perform your own security assessment via a checklist or workbook, but odds are that you may need to hire an outside consultant to dig a little deeper. Performing your own risk analysis and ongoing security evaluations is much like a sick patient self-diagnosing instead of going to see a doctor for treatment.

Assessing your practice means more than just making sure you have a firewall, antivirus software, and data backups. Both technical and nontechnical security evaluations usually require specialized expertise in software, computers, networks, physical safeguards, threats, vulnerabilities, and various security best practices and standards. This is especially true for medium- and large-sized practices, but also applies to smaller organizations-just on a smaller scale.

Editor's note: Kevin Beaver, CISSP, security consultant with Acworth, GA-based Principle Logic, LLC, answered this question. This is not legal advice. Consult your attorney for legal matters.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive