Who Certifies HIPAA Compliance?

hipaa-complianceThe short answer is no one.

Unlike PCI, there is no one that can “certify” that an organization is HIPAA compliant. The Office for Civil Rights (OCR) from the Department of Health and Human Services (HHS) is the federal governing body that determines compliance. HHS does not endorse or recognize the “certifications” made by private organizations.

There is an evaluation standard in the Security Rule § 164.308(a)(8), and it requires you to perform a periodic technical and non-technical evaluation to make sure that your security policies and procedures meet the security requirements outlined in the rule. HHS doesn’t care if the evaluation is performed internally or by an external organization—just as long as it happens.

That said, being evaluated by an independent, third party auditor is still a really good idea. Even though it's not official you should still do it. There are a number of great companies that can help you with this process. For example, Coalfire Systems and ComplySmart offer HIPAA Assessments that can let you know how you stack up to the requirements outlined by the legislation.

This is important. Even if you get a "certification" from an external organization, HHS can still come in and find a security violation. Third party audits and "certifications" do not absolve you from your legal obligations under the Security Rule.

But Texas

It is interesting to note that Texas is the first state to create a formal Covered Entity Privacy and Security Certification Program to help eliminate this ambiguity. The program was developed as part of Texas' House Bill (HB) 300. The Texas Health Services Authority (THSA) and the Health Information Trust Alliance (HITRUST) partnered to implement the Certification Program.

They will tell you that the Texas state law protecting patients' health information is more stringent than HIPAA. So in theory, if you are certified by the THSA, then you are ipso facto HIPAA compliant.

Don’t hold us to that because HHS does not endorse or otherwise recognize this claim. But, considering the absence of a federal seal of approval, this is a fantastic program and a step in the right direction. 

Learn more about HIPAA compliance by visiting our Resources section

Get The HIPAA Compliant Checklist


Chapter 5: Becoming HIPAA Compliant | Chapter 7: HIPAA Fines



This article is provided for general informational purposes only and is not intended to be legal advice.  By using the article, you agree that the information on this article does not constitute legal or other professional advice. The article is not a substitute for obtaining legal advice from a qualified attorney licensed in your state. The information on the article may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.