Q&A: HIPAA certification compliance

Compliance Monitor, October 14, 2009

Q: Are we required to “certify” our organization’s compliance with the HIPAA Security standards?

A: No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and nontechnical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements.

The evaluation can be performed internally by the covered entity or by an external organization that provides evaluation or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that Health and Human Services does not endorse or otherwise recognize private organizations’ “certifications,” and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude Health and Human Services from subsequently finding a security violation.

This Q&A is adapted from the CMS FAQ website page.

