By Jack Anderson
January 14, 2016
A press release claiming the company was “Certified HIPAA Compliant” recently showed up in my inbox. https://uk.finance.yahoo.com/news/quovant-certified-hipaa-compliant-060000563.html . I responded with a comment that pointed out that there is no such thing as HIPAA certification and got a message back ordering me to stop contacting the company. I let that go but could have followed up with the information that the Federal Trade Commission was fining companies that made compliance claims that were not true.
FTC Fines Software Vendor Over Encryption Claims
Henry Schein Faces $250,000 Penalty for Misleading Marketing of Software
Marianne Kolbasuk McGee (HealthInfoSec) • January 6, 2016
“This case is mainly a question of making sure that clients take claims a bit skeptically, especially if they seem too good to be true or make statements that are hard to support, Since there isn’t a specific encryption standard under HIPAA, and a ‘product’ can’t by itself ever be HIPAA compliant, any vendor that says ‘my product is HIPAA compliant,’ really isn’t making an accurate statement.” says privacy attorney Kirk Nahra of the law firm Wiley Rein.
A covered entity or business associate can claim to be HIPAA compliant but they better be ready to back up that claim with documented proof. This would necessarily include, and uptodate HIPAA Risk Assessment, updated and written policies and procedures, and documented staff training.