Q&A: Certifying your compliance with HIPAA security standards

Compliance Monitor, December 9, 2009

Q: Does CMS require that organizations certify they are compliant with the HIPAA security standards?

A: There is no standard or implementation specification that requires a covered entity to certify compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and nontechnical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The covered entity or an external organization that provides evaluations or “certification” services may perform an internal evaluation. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that the Department of Health and Human Services (HHS) does not endorse or otherwise recognize private organizations’ “certifications,” and such “certifications” do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.

This Q&A is adapted from the CMS FAQ website page.