HIPAA Certified vs. HIPAA Compliant


According to the HIPAA Security Rule, any business or organization that handles protected health information (PHI) is required to establish and maintain appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of that PHI.

Occasionally a prospective client who handles protected health information (PHI) will ask whether we are “HIPAA Certified”…

It is important to know that there is no governing body established to “certify” that an organization or business is HIPAA compliant. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is the federal governing body for HIPAA, and HHS does not endorse or recognize the “certifications” issued by private organizations.

The correct term that prospective customers should be using is “HIPAA compliant”. When a company or agency is “HIPAA compliant”, this means that, as a covered entity or business associate, it is in compliance with the HIPAA Security and Privacy Rules as established by the Department of Health and Human Services (HHS). It has put in place policies, processes, and procedures that implement the technical, administrative, and physical safeguards required to protect PHI.

So, for service providers in the healthcare industry, and for the healthcare organizations that contract with them, please take note: the correct term is “HIPAA compliant”, not “HIPAA certified.” Be wary of those that claim to be certified, because chances are they might not really know what they’re talking about at all.

To learn more about PHI, maintaining HIPAA compliance and the proper document destruction process for disposing of PHI, please visit http://www.properphidisposal.net/