Can we say we are HIPAA compliant

2

I work at a small company that writes cloud based medical software, I often get asked if we are HIPAA compliant. To the best of my knowledge we are but I am unsure whether or not a certification or other proof is required for us to legally claim that we are. I looked around the internet but didn't find anything that has answered my simple question.

Can we claim that we are HIPAA compliant without a legal document stating that we are?

Legal Documents

asked Sep 12 '12 at 08:50
Blank
Todd B Fisher
163 points

2 Answers

6

Please see the Dept. of HHS' own rules on "certification": http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2003.html HHS states there is "no standard or implementation specification that requires a covered entity to 'certify' compliance".

HHS also states "It is important to note that HHS does not endorse or otherwise recognize private organizations’ 'certifications' regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a 'certification' by an external organization does not preclude HHS from subsequently finding a security violation."

Based on this, I would conclude that getting some "document" that "certifies" HIPAA compliance doesn't do anything in the eyes of the Dept. of HHS.

answered Sep 12 '12 at 09:11
Blank
Henry The Hengineer
4,316 points
1

"Are we required to “certify” our organization’s compliance with the standards of the Security Rule?
Answer:

No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation."

Source: United States Department of Health and Human Services FAQ

answered Sep 13 '12 at 12:24
Blank
Max
11 points

Your Answer

  • Bold
  • Italic
  • • Bullets
  • 1. Numbers
  • Quote
  • Link
Not the answer you're looking for? Ask your own question or browse other questions in these topics:

Legal Documents

Topics

Stats

Viewed 1.68K times

Asked 11 years ago

Last Update 10 years ago

Related

5 Best NYC Mobile App Development Companies