The Dangers of a HIPAA Certificate

Erik Aranda-Wikman
9 min read · Jan 14, 2021

The Health Insurance Portability and Accountability Act of 1996 (better known as HIPAA) is misinterpreted by individuals and companies across the nation daily.

Without going into the actual language of HIPAA (it is not a gripping document that has you on the edge of your seat), I will sum up the working definition of compliance that covered entities are expected to abide by.

Compliance is:

“Adherence to the laws and regulations passed by official regulatory bodies as well as general principles of ethical conduct. In the United States, such regulating bodies include the U.S. Congress; federal executive departments and federal agencies and commissions; and corresponding state-level entities.” (Compliance 101, HCCA, 4th Edition, p. 142)

That is the definition organizations should use as the foundation when building a robust compliance program, and it is the one that matters when an organization is under the microscope. No certificate will demonstrate that the standards outlined in the HIPAA regulation are being met. All a certificate says is that on its date of issue, a third-party expert stated that the organization complied with the regulation defined in HIPAA. Without an ongoing compliance program, organizations enter into agreements with covered entities (Business Associate Agreements) that they have no means of honoring.

I want to emphasize the difference between HIPAA Certified and HIPAA Compliant. This article supports HIPAA compliance but errs on the side of caution when it comes to HIPAA Certification. It is not a gripe about every interpretation of the entirety of the HIPAA regulation. It calls for a better and more consistent understanding of HIPAA to ensure that personal health information is secure, and it focuses on one small part of HIPAA interpretation, one specific area where easy-to-implement improvements could be made.

This article hopes to achieve three objectives:

  1. Promote robust and ongoing compliance programs
  2. Warn organizations about the negative impact that HIPAA certification can have. It is in the best interest of the organization to understand that HIPAA certification leads to laziness in compliance (Ge Bai and John Jiang, June 2020, Wall Street Journal)
  3. Inform those unfamiliar or misinformed about HIPAA regarding the actual interpretation by the federal entity that enforces it.

HIPAA is a necessary law to protect patient information: sensitive, personal, and at times embarrassing information. Healthcare is also a lucrative economic sector. More and more tech companies are trying to get in on the benefits, mainly financial, of working with or in the healthcare sector (K. Joy, 2020). If you are ever fortunate enough to be entrusted with someone's medical record, HIPAA is there to ensure that as few people as possible have access to that information. HIPAA is not there to make a company extra money.

For years I faulted the language of HIPAA as being too complex in its verbiage for many to understand. Over my nine years in healthcare, I saw that it was the many different interpretations that were the cause of issues. There seemed to be no consensus on what is Protected Health Information (PHI) and what is not. Nor does there need to be a consensus, as the government lays out the requirements clearly. This article focuses on one specific interpretation, HIPAA Certification, which harms the integrity of PHI security.

“Data breaches at health-care entities mostly expose identifying and financial information, not sensitive medical information.” (WSJ, 2020)

I speak to the concept of the HIPAA Certification. I have been approached many times and asked if the non-profit I run is HIPAA compliant, and I frequently offer advice to companies looking to get into healthcare. The fact is, some companies get inadequate or incorrect training in HIPAA regulations. Those same companies, which have access to your personal information and do not have a compliance program in place, are relying on and showing off HIPAA certifications.

There is a persistent insistence by many that anyone who has anything to do with healthcare must be HIPAA Certified. No single document or certification is recognized by the U.S. Department of Health and Human Services (DHHS) regarding HIPAA compliance. No piece of paper with a certification from a third-party vendor will ever be considered sufficient evidence of a compliance program. It is the accumulation of policies, procedures, and internal audits that holds weight in an audit, should your company be subject to one.

Google search results for “HIPAA certification.”

A quick Google search leads to advertisements for HIPAA certificates that you can pay for. Note that none of the advertisements mention maintaining a compliant program. Also note that there are legitimate training courses you can take to understand HIPAA better. If you are passionate about HIPAA and other healthcare regulations, look into an accredited certification in healthcare compliance; such a certification attests to a compliance professional's knowledge, not to an organization's compliance.

DHHS, the body that enforces HIPAA, has released the following statement (out of respect for the third-party experts' businesses, I have removed any information that identifies specific companies).

We have received reports that some consultants and education providers have claimed that they or their materials or systems are endorsed or required by HHS or, specifically, by OCR. In fact, HHS and OCR do not endorse any private consultants’ or education providers’ seminars, materials or systems, and do not certify any persons or products as “HIPAA compliant.” (DHHS, HIPAA Guidance)

DHHS published this statement for a logical and reasonable purpose. HIPAA Certification leads to laziness in ongoing compliance efforts, which leads to complacency and leaves PHI vulnerable to illegal release or hacking. I feel obligated to include here that your medical record most likely contains your Social Security Number, insurance information, payment information, and other non-medical information that is considered highly sensitive and should be treated with the highest possible security available.

Organizations that obtain these certifications feel like they are automatically and continuously in full compliance because a piece of paper says so. I want to emphasize that I do not doubt third-party experts' ability to implement a good and robust compliance program. However, compliance is not a one-time action or designation. Compliance is ongoing, and thinking otherwise leaves PHI vulnerable.

A compliance program needs an ongoing set of policies and procedures that are monitored regularly to ensure that internal policies and conduct align with HIPAA regulations. Once you are under the microscope of an audit, that certification is meaningless.

So what's the alternative? While these are better described as essential practices than as options, there are things companies can do to ensure PHI is secure and protected that align with the language in HIPAA itself.

Two easy fixes can be made to remain compliant, and to do so because it is the right thing to do rather than out of fear of being fined.

  1. Hire a compliance officer who doesn’t scare you into compliance but rather encourages compliant practices. Compliance officers who scare people into compliance inherently encourage overprotection of PHI, leading to delays in care. A good compliance program is necessary if you want to put your business in the healthcare sector (odds are you will end up in a Business Associate Agreement).
  2. Don’t get scammed into thinking that a certificate is a get-out-of-jail-free card. It isn’t. By all means, have an expert come in and build a program for you, but know that the program must be maintained on an ongoing basis. If you hire a contractor to set up a compliance program, ensure you have something in place to continue the monitoring once the contractor is finished. You could even ask the contracting company whether they maintain compliance programs as a service.

True compliance officers are in the compliance sector to ensure the safety and protection of sensitive information.

Do an honest ethical gut check on your policies and procedures and make sure they align with the actual language of HIPAA and with the guidance from the Department of Health and Human Services. I cannot stress enough that compliance is not a one-time thing. It is ongoing and must be maintained in a way that strengthens the integrity of the entire compliance program.

The Department of Health and Human Services has specifically warned against these certificate marketing scams. If you think you have been defrauded by one of them, the HHS Office for Civil Rights (OCR) provides an email address you can use to contact them and discuss your options. It’s worth going back, looking at your certificate, and asking yourself whether you were sold it under the false premise that it protects against audits by enforcement agencies such as the Office of Inspector General (OIG), DHHS, the Centers for Medicare & Medicaid Services (CMS), and many other federal regulatory enforcement bodies.

Individuals who think they are protected from HIPAA under the umbrella of the corporation are not. You do not need to be clinical to violate HIPAA. You do not need to be a healthcare company to violate HIPAA. If you conduct business with a covered entity (a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically) and handle PHI on its behalf, then you are a business associate under that contract (the Business Associate Agreement) and are directly subject to HIPAA’s requirements.

The risk of a fine or penalty is not worth the marketing upside of a HIPAA certificate. One audit by the OIG can undo an entire compliance program. The federal government can hold individuals responsible should there be supporting evidence of negligence leading to a breach (HIPAA Privacy Rule, 45 CFR §164.530).

The federal government does not take this lightly. So much so that one of the penalties for fraudulent claims is something called exclusion, meaning you cannot work for a business that conducts healthcare-related business with a covered entity, or for a covered entity that bills Medicare. Pretty much every hospital and every company working in healthcare is potentially at risk of this.


This is also for individuals, for those working in healthcare who misinterpret or do not fully understand the Privacy Rule. If you work in healthcare, it is your duty and your employer's duty to ensure that you are trained in accurate HIPAA compliance on an annual basis, if not more often. HIPAA does not mean nobody gets to see anything. It clearly defines when and what can be released. If you work for a healthcare organization and believe you do not have sufficient training in HIPAA compliance, go to your compliance officer and remind them that security awareness and training is a mandatory Administrative Safeguard under the HIPAA Security Rule (45 CFR §164.308). Everyone is expected to understand the essentials of HIPAA to ensure the best protection of patient information and other sensitive information. Nobody is expected to memorize the language of HIPAA, but everyone should be familiar with the limitations and expectations it contains.

This article is not meant to shame companies or say they made a mistake by falling for marketing scams, but to plead with them to understand what HIPAA compliance truly means. It is not a one-time certification. It is always ongoing and should be monitored as such. This is a warning to businesses that work in healthcare or with healthcare companies about liability they may not have been told about because they have a certificate.

Being able to say you have a robust HIPAA compliance program means that you have an ongoing plan to monitor and measure your practices against the regulatory statutes; make sure that program does not get set aside and forgotten. In all honesty, I think that is a better marketing point than a certificate.

You should never be afraid of compliance. If your organization is scared of an audit and what the outcome could be, then you are probably doing something wrong. Healthy, robust compliance programs should make you feel confident. Your compliance program should inspire confidence in everyone who works for the organization, not fear. Yes, some outcomes are scary, like large fines and exclusion, but fear is not how you approach or teach compliance.

You teach compliance so that people are aware of the consequences of not following HIPAA, while ensuring you are getting accurate information from the contractor who is selling you their compliance expertise. If you have any questions about HIPAA, reach out to an expert in the field or to a representative of the Department of Health and Human Services themselves. They are the best resource when it comes to interpreting and understanding HIPAA. I am still astonished when I hear that companies are HIPAA certified, because it shows they do not fully understand HIPAA.

If your company is required to be HIPAA compliant, it’s worth going back and making sure that you actually are compliant on an ongoing basis, and that you have a structure in place to keep it that way.

For more detailed information or to answer other questions regarding HIPAA, the best place to get the information is from the Health and Human Services Department themselves: https://www.hhs.gov/hipaa/

This article is the first in a series of articles that strive to clarify the interpretation of HIPAA and other healthcare regulations and the requirements that must be met to be compliant.

Updated: 01–14–21 (Typo Corrections)
