How to Get HIPAA Certified: In Layman’s Terms


The HIPAA Privacy Rule exists to safeguard protected health information (PHI). It applies to health plans, healthcare clearinghouses, and healthcare providers, specifically those providers who conduct the standard healthcare transactions electronically.

The HIPAA Security Rule creates standards to protect individuals’ electronic personal health information (ePHI). This involves the…

  • Creation

  • Reception

  • Usage

  • Maintenance

The rule requires that an entity use appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.

If an audit happens, what documents do you need to prove that you have received HIPAA training? Would a certificate help prove that you completed that training? Can a business become certified, or only its employees?

There are a few things to consider when trying to answer all of these questions.

First, we need to cover what the Department of Health and Human Services (HHS) has to say about the matter. After all, it’s the organization that imposes hefty fines on your organization if you fail an audit.

Second, we need to discuss the validity of a certificate and why it could be useful.

Finally, we need to answer the question of the day: how do you become HIPAA certified?


The HHS doesn't officially recognize certificates

It’s not that the HHS doesn’t recognize certificates.

The truth lies more in the fact that there is no official HHS-mandated certification process or accreditation.

The HHS says that compliance is an ongoing process and thus does not mandate any type of HIPAA-related certification. Its philosophy is that being HIPAA compliant now doesn’t mean that your organization will still be compliant five years from now.

Also, because of the language of the Security and Privacy Rules, you need to take training “periodically” or “regularly”. The compliance timeline is vague.

Thus, a document claiming compliance has no legal significance on its own, because the rules are subject to interpretation by an auditor, lawyer and/or judge.

So why then would a company say that they’re HIPAA certified? Why would employees mention on their LinkedIn that they have a HIPAA certification?

You see, organizations in the healthcare industry might claim that they’re HIPAA certified as a way of communicating that their team underwent HIPAA compliance training.

So what happens if you have an audit or experience a breach? How would certifications come into play?

Well, the HHS states on its website that “Certifications do not absolve Covered Entities of their legal obligations under the Security Rule. Moreover, the performance of a ‘certification’ by an external organization does not prevent HHS from subsequently finding a security violation.”

Even so, in the event of an HHS audit, a company may be able to reduce its fines if it can show evidence of compliance.

Certificates still act as proof

HIPAA doesn’t require employees to complete any specific training program. That said, they do need to be trained in some manner. Just because HIPAA doesn’t name a particular training product from a particular company doesn’t mean that you can skip training your employees altogether.

HIPAA also doesn’t require employees to get a certification. This is because compliance does have an expiration date. You can also face legal consequences in the event of a breach even if you have completed the training.

However, the HHS website specifically states that certification for healthcare employees is different from ones for covered entities.

HIPAA certification for healthcare workers can serve as proof that employees have completed the training materials provided.

In this respect, documented HIPAA certification for healthcare workers limits the liability of the organization in the event of a HIPAA violation or data breach caused by employee misconduct.

With this said, proof of training and compliance is necessary and can be very useful.

That’s why certificates are often issued when an employee completes a third-party training program. If the certificate carries a signature and a date, it serves as proof that you completed the training for that year, on time.

In the event of a HIPAA audit or breach, certifications have been beneficial to companies when providing proof that training has occurred. Unless you can prove some other way that every employee at your healthcare organization completed their training on time and on a regular basis, a certificate can help.

Solution 1: Find a company that makes engaging training

If you and your business associates are unfamiliar with all of the detailed and complex legal requirements of HIPAA, it may be difficult for you to train your employees without outside help.

Since HIPAA compliance is so vital to healthcare organizations and business associates, many companies use a third-party company to provide employees with HIPAA training.

Not only that, but a third party can also help implement effective compliance management programs.


HIPAA compliance experts create training that’s relevant to the roles of the employees. They can also help provide proof of completion.

This is often done by issuing a certification to verify that employees have attended and comprehended a HIPAA training course.

Third-party experts review seven areas of compliance drawn from the HHS website, including:

  1. Compliance with the administrative, technical, and physical safeguards of the HIPAA Security Rule. 

    1. This includes (but is not limited to) an asset and device audit, an IT risk analysis questionnaire, a physical site audit, a security standards audit, a privacy standards audit, and a HITECH Subtitle D privacy audit.

  2. Remediation plans to address gaps identified in the above audits.

  3. Policies and procedures to address HIPAA regulatory compliance and document a “good faith” effort towards compliance.

  4. An employee training program that includes employee understanding of the above policies and procedures.

  5. An audit to ensure the maintenance and accessibility of the documentation required by HIPAA.

  6. Business Associate Agreement management and due diligence procedures.

  7. Incident management procedures in the event of a data breach or reportable violation of HIPAA.

Solution 2: Make your own training

You could always make your own training related to HIPAA laws and regulations.

Of course, there are some problems with this strategy. They include technicalities on the legal side of HIPAA along with the practical side of creating training.

Let’s first talk about some of the legal issues related to HIPAA training. The Privacy Rule and the Security Rule are complicated.

They’re vague and subject to interpretation.

If you leave certain details out of your internal HIPAA training, it can mean the difference between compliance and non-compliance. You might not even have a legal team that specializes in the complexities of this law.


Let’s not forget about auditing!

You could interpret some of the laws to mean you should provide training every 2 years.

Yet, an auditor might interpret the law to mean you should provide the training every year. The auditor might not be tolerant of training delays.

This difference could mean thousands of dollars in fines. If the issue is severe enough, it could force you to lay off a significant part of your staff. You could even have to close your doors for the time being.

Administrative Technicalities

The second area of concern has to do with administrative technicalities.

Time can be a major issue.

Do you spend hours doing research, creating the presentations, and taking the time to present every time you hire someone new? Do you hire someone for the sole purpose of creating the training and evaluating the scores?

This can be costly, and the resources could be better spent elsewhere. When you add up all the costs related to the time it takes to create the training, the total might shock you. It might be cheaper to outsource the training to a third party.


Do you know how to create proof that each person employed by the healthcare organization completed the training and passed? What even qualifies as passing a HIPAA training module? Would an auditor accuse you of creating false data related to the completion of the training?

I don’t have answers to the questions I asked above.

You must think about the answers to such questions before deciding to create your own training. The answers could mean the difference between winning and losing legal battles.

Conclusion

As you can see, there are many layers of complexity related to HIPAA certifications. There are many decisions that you need to make and many variables at play.

When it comes to HIPAA training, you have two options: you can create the training yourself, or you can outsource it to a third party. Internal training has two major pitfalls: the legal consequences of getting the details wrong, and the time and cost of building and running it. Alternatively, you can buy training created by experts who are well versed in all the technicalities of HIPAA.

Many organizations provide a certificate to prove that you completed the training. If dated and signed, certificates can help in the event of an audit. But they’re only one piece of the puzzle when it comes to providing proof.

Now, the major pitfall of HIPAA certificates is that the HHS doesn’t recognize them. It also doesn’t endorse them. This is because, in its professional opinion, HIPAA compliance is an ongoing process. Even if a business has mechanisms in place to maintain compliance, that doesn’t mean the business will be compliant in the future.

The HHS website states that certification for healthcare workers and employees is different from that for Covered Entities. An employee can have a certification whereas a business entity cannot.