
I work at a small company that writes cloud-based medical software, and I often get asked if we are HIPAA compliant. To the best of my knowledge we are, but I am unsure whether or not a certification or other proof is required for us to legally claim that we are. I looked around the internet but didn't find anything that answers my simple question.

Can we claim that we are HIPAA compliant without a legal document stating that we are?


2 Answers


Please see the Dept. of HHS' own rules on "certification": http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2003.html

HHS states there is "no standard or implementation specification that requires a covered entity to 'certify' compliance".

HHS also states "It is important to note that HHS does not endorse or otherwise recognize private organizations’ 'certifications' regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a 'certification' by an external organization does not preclude HHS from subsequently finding a security violation."

Based on this, I would conclude that getting some "document" that "certifies" HIPAA compliance doesn't do anything in the eyes of the Dept. of HHS.


"Are we required to “certify” our organization’s compliance with the standards of the Security Rule? Answer:

No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation."

Source: United States Department of Health and Human Services FAQ
