How to Get HIPAA Certification: Declassified

I imagine after you finished college and received your degree it didn’t take you very long to realize that your education wasn’t over. The 70-20-10 model is a widely accepted guideline for training organizations in order to maximize learning. The theory holds that employees gain their knowledge through…

  • Job-related experiences: 70%

  • Interactions with others: 20%

  • Formal educational events: 10%

That’s not exactly what I’m referring to, though.

I’m talking about what happened once you started applying for jobs right out of college. During the resume-building process, one of the tips I remember receiving from the university’s career board was to seek out certifications in order to stand out. Sounds simple, right?

Well, through a quick Google search you’ll find that there are hundreds if not thousands of different certifications. Each of them provides you with different, arguably essential knowledge, yet getting through all of them takes a long time.

As a result, if you were in a similar situation, you had to pick and prioritize certain certifications that you thought were most important for the position you wanted to apply for.

Well, if you wanted to work within the healthcare space and weren’t already a licensed medical professional you probably prioritized getting a certification for the Health Insurance Portability and Accountability Act (HIPAA).

Proving that you have background knowledge in one of the biggest regulations makes you a valuable job candidate, especially considering the millions of dollars healthcare organizations spend on unintentional HIPAA breaches alone.

Maybe you’re not an individual trying to become a more valuable job applicant. Instead, you’re a practice manager in the middle of trying to make your workforce more aware of HIPAA. Or maybe you’re a compliance officer at a company that provides services to healthcare organizations as a business associate, and you need to ensure your employees know how to operate with your clients’ data.

Either way, providing a training program to your employees that gives them an official certificate upon completion helps your compliance environment tremendously.

The only question that remains is, how do you get an official HIPAA certification?

The Tangibility of HIPAA Compliance

Before I dive into the detailed process explaining how to get a HIPAA certification, I first need to explain what it means to be “HIPAA compliant”. I specifically put quotes around that phrase because it’s not something that’s tangible.

No matter how much time or money you invest in staying true to the safeguards and specifics of the law, you won’t ever receive an official designation.

After reading that, you might say to yourself, “How is it not tangible? I’ve Googled ‘HIPAA compliant organizations’ before and thousands of results showed up with websites that have official badges.”

Well, have you ever noticed that all of those badges are specific to the organization and have a different design?

[Image: HIPAA compliance badges]

If you don’t know what I’m talking about, take a look at the image above. Notice how each is custom to the company that hosts it on their website. The reality is that the companies that reinforce the idea that they’re HIPAA compliant with badges give themselves this title. They then design their own badge and, in some cases, hand them out to clients of their governance services.

I’m not trying to speak negatively about the organizations that do this; they probably offer great services.

Unofficial HIPAA-compliant badges exist for two reasons. First, the government agency that enforces the regulation doesn’t officially designate organizations as such. Second, they’re an effective marketing strategy.

I’ll elaborate more on both of those reasons throughout this blog post, but I’ll end this section with why they’re a great marketing strategy. Let’s say your organization offers compliance management services. During onboarding, you give your clients a HIPAA-compliant badge and encourage them to include it on their materials.

In other words, everything that faces their clients has your logo on it within the badge. That’s a tremendous amount of exposure for your brand.

The Official HIPAA Certification

So, if HIPAA compliance isn’t something that’s tangible according to the previous section of the blog post, what does that mean for its certification?

Although there are actual benefits associated with getting a HIPAA certification, it’s in a similar scenario. The Office of Civil Rights doesn’t recognize or offer official documentation for demonstrating adequate knowledge of the Health Insurance Portability and Accountability Act.

However, that doesn’t mean that seeking or achieving a certification on HIPAA is a waste of time. There’s still value that comes from spending time learning about healthcare’s biggest regulation and having proof to show that you went through an unofficial certification process.

That value applies to any individual who goes through the process, whether they’re one person trying to get a job in the medical industry or an entire workforce boosting its compliance efforts.

Value: Proof of Compliance

For the rest of this blog post, I’m going to list and break down the main benefits associated with obtaining a HIPAA certification.

The first and biggest benefit is that these diplomas act as proof of adherence.

Since HIPAA isn’t attainable, how the Department of Health and Human Services (HHS) enforces the law remains nebulous. They dole out violation penalties on a case-by-case basis. 

Nevertheless, their process starts with an audit of your compliance environment. During this audit, they compare the safeguards and policies you have in place to what the law requires.

Section 164.530(b)(1) states that a covered entity must train all members of its workforce. Further, § 164.530(b)(2)(i) goes into specific requirements, explaining that new employees need training within a reasonable period of time after the person joins.

Those sections are helpful, yet they’re still vague. Nevertheless, they’ve led to a tremendous amount of debate on best practices for decades.

But, here’s the reality. Let’s say your organization is in the middle of an audit from the HHS for an unintentional violation. Imagine how impactful it would be to give the auditor records of all of the training sessions your employees sat in on, how each of them performed and their timestamped HIPAA certifications.

That data could have a massive impact on the auditor's penalty.

Value: Instilling Confidence

Some of the most common HIPAA violations that occur are…

  • Medical record snooping

  • Employee gossiping

  • Improper disposal of records

  • Using unencrypted email to send sensitive information

There are other types that happen often, but those won’t help illustrate the point I’m about to make.

None of the violations I just listed require help from a cybersecurity expert. They aren’t problems that need outside guidance; they’re knowledge-based.

In other words, you can prevent each of them from happening through training. How would your employees know that they can’t do the following without training?

  • Look through medical records for the sake of it

  • Talk about what happened at work with their loved ones

  • Throw away previous patient information

  • Attach requested information in an email to a patient

Certain secrets to success require firsthand knowledge. Of course, your employees who commit a violation would learn once you disciplined them for it. But that wouldn’t make them feel very confident.

Instead, holding a training course on an annual basis that covers real-world examples and rewards participants for their completion with a HIPAA certification helps tremendously. They’ll learn the less obvious concepts of the comprehensive law and feel more confident in their work.

Even if it isn’t an “official” document, it still provides a sense of accomplishment that leads to more certainty in day-to-day responsibilities.

Value: Continuity is Key

A HIPAA-compliant entity and a certified individual aren’t officially recognized because the law isn’t something that’s stagnant. It’s always changing.

In other words, it’s not a standard you achieve and maintain; it puts you in a cycle of achieving it, losing it and attempting to replicate it.

As a covered entity or business associate, you can only read and interpret the law, then apply its guidelines to your operations. Yet, since the law changes so often, complying with it entirely is only a temporary status.

In other words, staying compliant with healthcare’s most comprehensive law requires continuity. 

By implementing an annual training program (hopefully it’s engaging) and giving your employees a HIPAA certification upon completion, you’re achieving continual improvement.

Some of the most official and professional certifications have a time limit associated with them. They’re only valid for a few months or years and require individuals to re-up or take continuing education courses.

Thus, the vendor you choose should assist you with achieving a continual environment.

Get Out There and Find a Vendor

You don’t have enough time in your day to come up with a comprehensive and engaging HIPAA training course. Even if you did, you definitely don’t have the bandwidth to keep up with changes in the law and make continual improvements on your material.

Luckily, there are organizations that exist to provide you with everything you need to give your team HIPAA certifications on an annual basis.

I will caution you about a couple of tricks that some of them may try to pull on you, though.

First, pay attention to how they talk about HIPAA. They should acknowledge the fact that it’s not a destination, but a road. In other words, they shouldn’t say that their services make you entirely compliant.

Second, if they tell you that the certification they provide you with upon completion of their content is officially recognized by the HHS, that’s a red flag. I’ve pointed out throughout this blog post that there’s no such thing as an official HIPAA certification. Although they’re helpful in instilling confidence in your workforce and providing evidence to an auditor, the HHS doesn’t designate fully compliant entities.

Finally, make sure they let you preview the content before you sign a contract. If the courses that they provide you with aren’t engaging, your employees won’t receive any benefit from them.

Keep each of those factors in mind during your vendor evaluation and you’ll find the perfect training course for your organization.

Conclusion

I imagine when you first clicked on this blog post, you thought it would be a simple “how-to” guide that walks you through the process of getting a HIPAA certification.

I wish it were that simple. The reality is that HIPAA certificates aren’t officially recognized by the government entity that enforces the law. They aren’t completely worthless, though. They help you…

  • Strive towards the continual process of HIPAA compliance

  • Provide evidence to an auditor

  • Instill confidence in your workforce

Thus, it’s still worth going through the process of finding a trusted vendor. A comprehensive, unofficial training module still provides a ton of value to you.