Sorry Laura and ecfirst, Still No HIPAA Certification

It seems like at least once a week I get a press release stating in one form or another that company X has been HIPAA certified although for  this is the first claiming recertification as well.  In many ways life would be easier if there was a certification process for HIPAA but alas not to be.

We do accreditation as well as HIPAA compliance services, and here is how certification would work if it were similar to accreditation.  In accreditation for durable medical equipment (DME) companies, CMS (Medicare) appointed 10 agencies with authority to "certify" that a company met the standards established by CMS.  The accrediting agency charges a fee of $4-8,000 and performs an unannounced on-site survey (audit).  If the company passes, it gets a certificate good for 3 years and can bill CMS.  However, it also pays annual fees to its accrediting agency and is subject to unannounced audits during the three-year period.  At the end of the three years, the process starts all over again.

HHS has a philosophy that HIPAA compliance is a process, not an event.  They want to be able to see proof that the company has documentation of an ongoing process of risk assessment, remediation through updating policies and training of staff.  We call this the cycle of compliance and provide the tools to manage the process.

Instead of offering faux "certification" we offer the Compliance Meter®, which displays the current level of HIPAA compliance.  This is a very useful internal tool to assure the company that they are compliant but is also useful to show the outside world that your HIPAA compliance is up to date.  That is why we call the service HIPAAssure®.

If you would like true assurance as opposed to faux certification shoot me an email and we can talk; 

