The Risks of Claiming HIPAA Certification

The HIPAA Privacy and Breach rules apply to healthcare providers, health plans, and healthcare clearinghouses that transmit data electronically. So basically, every provider, such as a doctor, dentist, pharmacy, hospital, etc., would need to be compliant. Insurance companies and the clearinghouses that electronically connect all these entities would also need to be compliant. HIPAA refers to these organizations as covered entities. Covered entities are expected to comply with all HIPAA Privacy, Security, and Breach Notification Rules. 

Organizations that provide services to covered entities that have access to or could potentially have access to health information are considered business associates under the HIPAA regulations and are expected to comply with the HIPAA Security Rule. If your organization has signed a Business Associate Agreement (BAA) with any covered entity or other business associate, the BAA will outline the expectations regarding HIPAA regulations. Additionally, if you subcontract any of the work you do for a covered entity you need to enter into a BAA with your subcontractor. Business associates are always required to comply with the HIPAA Security Rule and may be subject to other rules depending on the services they are providing for the covered entity. 

Organizations selling services to healthcare providers often advertise their HIPAA compliance by claiming to be HIPAA certified in their marketing materials and on their websites. You may see logos like the one below.     

Some organizations will provide you with a HIPAA certification and a corresponding graphic for your website.  CompliancePoint is often asked to provide this type of certification, but the truth is there is no formal “HIPAA Compliant” certification approved by the US Department of Health and Human Services (HHS), the federal agency charged with overseeing HIPAA. As a result, any organization can claim they are “HIPAA Compliant” in their marketing efforts. The standards for claiming HIPAA compliance vary dramatically. We recently saw one vendor whose Google headline read “HIPAA Compliance in 14 Minutes.” If you are marketing to healthcare, you may be considering putting a certification logo on your website or you may already have one.   

Are There Risks to Advertising HIPAA Certification?

Yes! Advertising your organization as “HIPAA Certified’ may expose you to Federal Trade Commission (FTC) enforcement actions. In July 2023, the FTC released a Business Blog that outlined its concerns over organizations’ failure to comply with the FTC’s Health Breach Notification Rule and other FTC requirements.  

The FTC blog clearly stated that the only entity that could determine HIPAA compliance is the Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR does not currently certify any organization as HIPAA compliant. The FTC blog warns that implying you have been deemed HIPAA compliant when no formal approval exists violates the FTC Act. The FTC blog clearly indicates that both the provider of such certifications and the user of these certifications could be subject to FTC enforcement actions. The FTC blog also says that if a company provides a health-related seal or certification it could be held liable for deceptive claims.

How Can My Organization Demonstrate Compliance? 

While there is no formal certification, one way to demonstrate compliance is to have an independent review or audit of your HIPAA program to verify that you meet all the requirements. A formal report outlining the work performed and the results would give evidence of your commitment to compliance with HIPAA regulations. CompliancePoint recommends the audit be conducted using the OCR HIPAA Audit Protocol, it provides documentation as to what the OCR would expect should they perform an audit or investigation. 

CompliancePoint has experienced assessors who have worked with providers and business associates to assess HIPAA compliance and develop effective corrective actions. If you are interested in how we can help, please reach out to us at connect@complaincepoint.com.