HIPAA Certification is a term commonly used by many vendors today that erroneously claim the ability to certify organizations on the HIPAA Privacy Rule and make them HIPAA compliant. In most situations it is a term used for marketing purposes and has little meaning in terms of HIPAA compliance. This is a misconception actively countered by the Office for Civil Rights (OCR), which has oversight of the HIPAA regulations.

The Office for Civil Rights and HIPAA Certification

The Department of Health & Human Services (HHS) and OCR have made it clear that, in regard to HIPAA certification, they do not endorse any private consultants’ or education providers’ seminars, materials, or systems, and do not certify any persons or products as “HIPAA compliant.” In addition, the Privacy Rule does not require attendance at any specific seminars. OCR has taken a further step and indicated that anyone making false or misleading representations about HHS or OCR in regard to HIPAA training and compliance may be reported to OCR.

Does this mean there is no certification and no guidance from OCR regarding certification? No. HHS and OCR have given direct guidance in their administrative notices and guidance documents, as quoted below:

“The Privacy Rule requires activities such as:

Training employees so that they understand privacy procedures.

The training requirement may be satisfied by a small physician practice’s providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies; whereas a large health plan may provide training through live instruction, video presentations, or interactive software programs.”

HIPAA Associates and HIPAA Certification

We will assist your organization in following the OCR requirements, which expect each member of the workforce to review and understand privacy policies; HIPAA Associates will provide training through video presentations or interactive software programs. We are prepared to certify that your organization has completed the necessary HIPAA training, consistent with the requirements of OCR. Our staff is prepared to assist you with these requirements through our programs and our personal service.

HIPAA Requirements

In the Administrative Requirements, HIPAA requires covered entities to institute HIPAA training programs that address the various procedures and systems needed to meet the HIPAA Privacy Rule regulations. An organization such as a covered entity should select training tools that are appropriate to the size, nature and needs of the organization. For example, the HIPAA training program should accomplish the following:

  • address the HIPAA Privacy and Security Rules;
  • cover any new organizational policies and procedures;
  • address new software; and
  • provide general HIPAA awareness training.

Office for Civil Rights Guidelines on Training

Privacy Rule Training Requirement

The Administrative Requirements of HIPAA (§ 164.530), as stated by the Office for Civil Rights (OCR), give clear guidance on the requirements for training.

A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by the Privacy Rule.

“Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.”

Our Recommendation:

All workforce members who access protected health information are required to have HIPAA training in order to carry out their functions.

Security Rule Training Requirement

The OCR statement addressing the Security Rule requirement:

“Implement a security awareness and training program for all members of its workforce (including management).”

Our Recommendation:

An ongoing training program addressing the Security Rule is required for all workforce members.

How Often is Training Necessary

HIPAA training is required by the Privacy Rule for “each new member of the workforce within a reasonable period of time after the person joins the Covered Entity’s workforce” and when “functions are affected by a material change in policies or procedures” – again within a reasonable period.

The Security Rule training standard indicates that security and awareness training programs should be ongoing.

HIPAA training should also be provided whenever there is a change in working practices or technology, whenever a risk assessment identifies a need for further training, or whenever new rules or guidelines are issued by the Department of Health and Human Services (HHS).

Our Recommendation:

Based on these conditions and best practices, an organization should offer training at least every other year, if not more often.

In Summary:

  • A covered entity must provide training to each member of the covered entity’s workforce no later than the compliance date for the covered entity.
  • Each new member of the workforce must be trained within a reasonable period after the person joins the covered entity’s workforce.
  • A covered entity must train each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures within a reasonable period after the material change becomes effective. This should happen at least every two years.
  • A covered entity must document that the training has been provided.

HIPAA Training and Certification

The Office for Civil Rights does not recognize HIPAA certification, and consequently HIPAA Associates does not offer one. We offer those who take and pass our HIPAA training a certificate of completion that acknowledges they have received the information related to HIPAA that is pertinent to the HIPAA Privacy Rule and their job function. This is in keeping with the requirements of OCR.

We offer online HIPAA training programs created with the requirements of the HIPAA Privacy Rule in mind. We base our training on in-depth knowledge of the law and the benefit of many years of experience working with HIPAA and the Office for Civil Rights. Our professionals have over 20 years of experience and have HIPAA/Compliance certifications from the Health Care Compliance Association and the American Health Information Management Association. These courses include information on best practices and cover all of the necessary information you will need to understand the basic concepts of HIPAA. We follow the intent of the OCR in all of our training programs.

How to Become HIPAA Compliant

HIPAA compliance is not a simple one-step process covered by an individual HIPAA training program. HIPAA compliance is a multi-step process, as described in our HIPAA Compliance Checklist. It involves at least the following steps, which must be in place and constantly monitored to ensure they are functional. These are the same features you will find in HIPAA Privacy Policies.

  • Implement written policies, procedures and standards of conduct. Policies and procedures establish rules that help employees carry out their roles in a way that ensures compliance with the HIPAA Privacy Rule. An organization must create the policies and procedures necessary to give effect to the requirements from OCR.
  • Designate a compliance officer and compliance committee. The compliance officer is responsible for operating and monitoring the compliance program.
  • Conduct effective training and education. All employees, physicians, and board members are expected to receive training on the HIPAA Privacy Rule.
  • Develop effective lines of communication. Employees must have avenues available to them for reporting concerns internally.
  • Conduct internal monitoring and auditing. A well-functioning program will have an ongoing process that evaluates and assesses the organization to detect inappropriate behavior.
  • Enforce standards of conduct through well-publicized disciplinary guidelines. It is important that an organization have well-published standards of conduct.
  • Respond promptly to detected offenses and undertake corrective action. It is imperative for an organization to ensure timely and effective remedial action for offenses.

HIPAA compliance and certification of compliance are obtained only by following these steps and ensuring they are constantly followed. HIPAA Associates can help you make this happen. We can ensure you meet these requirements, so that you will be able to verify to OCR that your organization is in compliance with the HIPAA Privacy Rule.