HIPAA compliance vs. certification
HIPAA compliance and HIPAA certification both serve important functions in health care settings, but the terms aren't interchangeable. Read on for a closer look at their key differences, benefits of each, and how Box makes it easier to achieve a HIPAA-compliant workplace.
What is HIPAA compliance?
The Health Insurance Portability and Accountability Act, more commonly known as HIPAA, is a federal statute establishing standards for how health plans, health care clearinghouses, health care providers, and the business associates that work for them handle and protect patient data, or protected health information (PHI). The regulations are the same for everyone, but every facility has different risks, systems, and workflows, so the specific safeguards a compliant organization puts in place vary. Compliance generally involves creating and updating the processes, plans, documentation, and technology that protect sensitive information.
There is no written HIPAA exam to study for and pass. Instead, successful compliance means following all the requirements that apply to your facility. Failure to do so can result in civil penalties and, for certain knowing violations, criminal prosecution.
HIPAA compliance is not a one-time event. It's an ongoing obligation your organization must maintain and keep up-to-date as threats, technology, and regulations change. Note that "covered entity" is not a label you earn by complying: HIPAA defines covered entities as health plans, health care clearinghouses, and health care providers that transmit health information electronically, and those organizations (and their business associates) are responsible for conducting regular risk analyses and evaluations whether or not they are currently compliant.
What is HIPAA certification?
Having a HIPAA certification is not the same as being HIPAA compliant. Certification signifies that your facility has completed one or more educational courses with an internal or third-party expert to learn about HIPAA compliance. It's not enough to have only a HIPAA certification if you're working toward being a HIPAA-compliant facility — you must continue to uphold compliance.
Certification programs give you the knowledge and resources you need to make smarter decisions to protect patient data. Many certification courses are customized to fit your company or organization's specific needs.
Earning a certificate of completion sometimes requires passing an exam or facility test to prove the skills you've learned. Please note, a HIPAA compliance certification alone will not absolve you from any legal obligations related to HIPAA compliance, including the HIPAA Security Rule, the part of HIPAA that sets standards for protecting electronic PHI (ePHI). PHI on paper or spoken aloud is covered by the Privacy Rule rather than the Security Rule. Under the Security Rule, organizations are responsible for implementing the administrative, physical, and technical safeguards needed to protect the confidentiality, integrity, and availability of ePHI.
Some third-party certification organizations offer different types of HIPAA certificates, such as:
- Certified HIPAA Professional (CHP), which teaches HIPAA basics, history, and applications
- Cyber Security Awareness training, which is used for both HIPAA and non-HIPAA programs
- Certified HIPAA Administrator (CHA) for those overseeing service delivery
- Data Privacy Compliance, which teaches the importance of HIPAA for patient protection and how compliance affects the patient's day-to-day
- Certified HIPAA Security Specialist (CHSS), a higher level certification program for those who already have a CHP certification
HIPAA certification vs. HIPAA compliance
To summarize, the key differences between HIPAA compliance and HIPAA certification are:
- HIPAA compliance is legally required of every covered entity and business associate in the United States
- HIPAA certification is not a necessity but may help you achieve compliance faster and more easily
- HIPAA compliance is an ongoing process of evaluating, adjusting, and monitoring your processes
- HIPAA certification programs are taken once or as needed to learn new skills or stay up-to-date on HIPAA changes and trends
- HIPAA compliance is a state you establish and maintain internally, and failure to do so results in penalties and fines
- HIPAA certifications are typically obtained through third-party experts or organizations and are usually optional
Both HIPAA certifications and HIPAA compliance are great ways to market your organization and show stakeholders and patients that you care about protecting sensitive patient information.
Becoming HIPAA certified
Several companies and third-party experts exist to help health care facilities meet HIPAA requirements through training, on-site assessments, and tests. These companies don't assume any liability or risk for your facility, but they can equip you with the resources you need to achieve compliance or test your current standards before your next audit. A third party brings a fresh perspective, free of attachment to existing policies and procedures, and can make site-specific recommendations as you move forward.
Third-party certification programs use existing frameworks to find gaps in your current procedures and walk you through new ways to protect PHI. Third-party professionals are experts in their field and stay up-to-date on the latest HIPAA guidance and recommendations. They'll keep all your certification documents in a single location, ready for audit season.
Training programs limit financial risk by making it easier to identify and correct potentially non-compliant areas of your business. They also save you the time and resources of hiring and onboarding an in-house team or director to manage HIPAA training, and they allow for more scheduling flexibility, such as a combination of online and in-person courses.
Your organization receives a printed certificate of completion to display in your facility and use in marketing materials and future training programs.
Benefits of a HIPAA certification
The classes you take and procedures you learn during HIPAA certification courses will help you become a better, more patient-forward facility. You'll learn critical steps to take to protect sensitive patient information, like health records, identifiable information, credit card information, and other documents and data. The more knowledgeable and trained your facility is, the better care your patients will receive.
Certification programs can also help you become more organized and prepare for future HIPAA audits. These programs and professionals can address small concerns before they grow larger, guide you through documentation requirements, and give you hands-on tips for achieving or maintaining compliance.
Receiving the best possible certification means working with the right program. Before booking your next certification class, consider the following:
- The provider's industry and compliance experience
- How long they've been in business
- Reviews from former organizations who went through the program
- The type of training courses they offer
- How long their courses take to complete
- Whether they offer online, in-person, or a combination of methods
Compiling a HIPAA policy and passing audits
Official HIPAA audits and investigations are conducted by the Department of Health and Human Services' Office for Civil Rights (OCR), which examines your policies, technical safeguards, employee training, and other standards to confirm compliance. OCR selects audit targets itself and also opens investigations in response to complaints and breach reports; you cannot book an official audit, but you can commission a third-party readiness assessment to find problems before OCR does. Prepare your policies for upcoming audits with these tips.
Organize all documentation
Your HIPAA auditor will need to see all the documentation you have regarding patient security and the steps you've taken to protect data, including:
- Written disaster recovery plans
- Data management plans
- Employee training plans
- Written business associate agreements
- Patient authorization forms
- Security risk analysis reports
- Termination procedures
- Asset logs
- Media consent forms
- Activity logs
- Any existing HIPAA certifications
Keep copies of each document in an access-controlled location (the documents themselves may reference PHI or describe your security controls), and make sure they're readily available at the time of your audit.
Make facility-wide changes
As you conduct your own risk assessments or work your way through a HIPAA certification program, you may find areas of your current organization that don't meet today's standards. Some common pitfalls among health care providers are:
- Not making health records available to patients in a timely manner
- Neglecting to implement the correct policies and procedures
- Outdated technology and software, which pose a security risk
- Inaction during security breaches or suspicious activity
- Lack of an awareness or training program
Every facility is different — what works for one location might not work in another. Work with outside professionals or your own internal team to identify your organization's potential weak spots and create a prompt action plan to address concerns.
Conduct regular evaluations and risk assessments
Perform regular risk assessments on all data and PHI, including everything sent, received, stored, and shared with outside vendors and business associates. Consider your unique situation — what internal, external, accidental, and intentional risks does your PHI face? Is your facility a large, nationally known organization that could attract more cybercriminal attention than average? Are you located in an area prone to natural disaster, requiring more physical protective measures for on-site files? What about terminated employees?
As you anticipate each possible threat to PHI, consider the likelihood of each event and the possible impact. Use this information to create individual risk levels for each potential occurrence, then document those findings and keep them on hand for future audits. Make all necessary changes to policies, software, technology, and procedures, and reevaluate on a regular basis and as you experience any structural, organizational, or industry-wide changes.
Be vigilant with employees and business associates
Train all new and existing employees — including temporary, part-time, full-time, contractors, and PRN workers — on proper HIPAA regulations and keep detailed records of training sessions in your audit file.
Be mindful of which outside vendors and associates you choose to work with. Require each business associate to conduct their own security risk assessments (SRAs) regularly and correct any non-compliant issues as part of your contract agreement. Have each associate you work with, like billing companies and lawyers, sign a business associate agreement (BAA) that states:
- What PHI they do and do not have access to
- How they will use the data they access
- The protocol for returning and destroying that data once finished with it
Business associates must abide by the applicable HIPAA rules while they have access to any of your facility's PHI and are directly liable for penalties if they are found non-compliant.
Use software and technology
Technology and software features can help your organization stay compliant during everyday operations. Make sure every piece of software your organization uses to handle PHI has built-in, compliance-friendly features such as access controls, encryption, and audit logging. For example, the Content Cloud by Box features collaboration tools, e-sign support, pre-built app integration, and more, backed by Box Shield and built-in tools that make HIPAA compliance easier to achieve.
You might also consider email encryption tools and HIPAA-compliant storage and hosting platforms.
Consequences of non-compliance
Your facility could be found in violation of HIPAA during self-audits, OCR audits, or investigations. Employees can self-report their own violations or concerns about coworkers or management behavior, and patients can file complaints with OCR, prompting an investigation. Failure to follow HIPAA requirements can result in:
- Legal fees from lawyers, consultations, court proceedings, etc.
- Costly penalty fees and fines
- Public notice of security breaches and non-compliance issues
- Time and resources for remediation and adjusting policies to prevent a repeat of the incident
- Possible jail time or other serious legal ramifications
Civil penalties are rated on a four-tier system based on the organization's level of culpability. Tier 1 applies when the organization did not know, and with reasonable diligence could not have known, about the violation. Tier 2 applies when the violation had a reasonable cause and was not due to willful neglect. Tier 3 applies to willful neglect that was corrected within 30 days of discovery, and tier 4 to willful neglect that was not corrected within 30 days. The more serious the offense and the higher the number of patients affected, the stricter the penalty.
You've also got to consider the damage a HIPAA violation could do for your facility's reputation and patient confidence. Studies show that patients worry about how health care centers handle their information, and that worry can cause some patients to seek treatment elsewhere or forgo physician visits altogether. This is especially crucial in a world where telehealth and telemedicine are becoming the new norm, with experts predicting the telehealth market will exceed $396 billion in value by 2027.
Tips for achieving HIPAA compliance
HIPAA compliance is an essential part of protecting your patients and maintaining your facility's reputation. These tips will help you meet and exceed HIPAA requirements.
Use what you learned during certification
Step one of becoming a HIPAA-compliant facility is gathering the information you learned during your HIPAA certification training and putting it into practice. For some organizations, this might mean a complete overhaul of one or more departments' existing systems, like internal IT policies. For others, it could mean adjusting a few patient-facing practices, like administrative forms or follow-up.
Understand the different HIPAA rules
Different HIPAA rules exist for different types of organizations and departments within your facility:
1. HIPAA Security Rule
This is a set of standards to safeguard all electronic PHI your organization creates, receives, maintains, or transmits. It requires administrative, physical, and technical safeguards. Technical examples include audit logging of activity on systems that hold ePHI, encrypted communication, and strict access control so that each user can reach only the PHI their role requires. Physical measures might mean rules for mobile devices and workstations or restricted access to certain facility departments.
2. HIPAA Privacy Rule
This rule determines how your facility can use and disclose PHI in any form, whether electronic, on paper, or spoken, and creates guidelines for patient authorization and for limiting disclosures to the minimum necessary. It also gives patients the right to request and receive a copy of their health records in a timely manner (generally within 30 days) and to request amendments if necessary.
3. HIPAA Breach Notification Rule
This rule requires covered entities to notify affected individuals of any breach of unsecured PHI without unreasonable delay, and no later than 60 days after discovering it. Breaches must also be reported to HHS: within 60 days of discovery if 500 or more individuals are affected, or in an annual log for smaller breaches. Breaches affecting more than 500 residents of a state also require notice to prominent media outlets, and HHS publishes breaches affecting 500 or more individuals. PHI that is encrypted according to HHS guidance is considered "secured," so losing an encrypted device whose key was not compromised is generally not a reportable breach.
Designate a HIPAA security team
Designate an in-facility security officer or HIPAA department to act as your organization's go-to resource for audits, compliance updates, and certification courses. Your HIPAA team can stay up-to-date on industry changes, evolving HIPAA guidelines, and helpful software.
Your in-house team can also help you develop a HIPAA compliance checklist for audit preparation and update future procedures and policies during department transitions and organizational changes.
How Box aids in maintaining HIPAA compliance
All Box products and platform features are designed to support HIPAA compliance, including secure PHI storage, and have been evaluated by a third-party auditor. We regularly update the Content Cloud and all Box products, including our internal policies and procedures, to maintain compliance as standards evolve.
These are just a few of the ways Box is here to help your team manage compliance.
Data encryption
Data encryption transforms data in your facility's systems — email messages, online payment portals, cloud storage — so that it cannot be read without the corresponding key, even by someone who obtains the stored files or intercepts the traffic. It adds an extra layer of protection to ePHI, and because encrypted PHI counts as "secured" under HHS guidance, it can also keep a lost laptop or backup drive from becoming a reportable breach.
You should encrypt all ePHI, at rest and in transit. The Security Rule classifies encryption as an "addressable" implementation specification, which does not mean optional: you must assess whether encryption is reasonable and appropriate for your environment and implement it if so. If you decide it is not, you must document why and implement an equivalent alternative measure where one is reasonable and appropriate. There is no provision for patients to opt their data out of encryption.
An effective encryption strategy involves classifying all data to identify where PHI lives, collaborating with departments and leadership to enact an encryption plan, and using encryption software and tools. Box KeySafe helps by giving you control over the keys used to encrypt your stored content, including a detailed record of key usage, so that you, not the storage provider, decide who can unlock your facility's PHI.
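To show what customer-controlled keys and a key-usage record mean in practice, here is an added example of envelope encryption for a stored PHI record. It is illustrative code written for this article, not Box's or KeySafe's implementation: the `CustomerKEK` type, the in-memory usage log, and the sample record are all constructed for the demonstration. Each record gets its own data key, which is wrapped under a key-encryption key the facility holds; the record ID is bound to the ciphertext so one patient's data cannot be silently relabeled as another's, and revoking the facility's key makes everything the platform stores unreadable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// KeyUsage is one line of the key-usage record: which key did what, and when.
type KeyUsage struct {
	When  time.Time
	KeyID string
	Op    string // "wrap" or "unwrap"
}

// CustomerKEK models a key-encryption key the facility controls itself (hypothetical).
// The raw key never leaves this struct; the storage side only ever sees wrapped data keys.
type CustomerKEK struct {
	ID      string
	key     []byte
	Revoked bool
	Log     []KeyUsage
}

func NewCustomerKEK(id string) (*CustomerKEK, error) {
	k := make([]byte, 32) // AES-256
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &CustomerKEK{ID: id, key: k}, nil
}

// gcmSeal encrypts plaintext with AES-256-GCM, binding aad, and prepends the random nonce.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to ciphertext or aad fails authentication.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Wrap encrypts a per-record data key under the KEK and records the use.
func (k *CustomerKEK) Wrap(dek []byte) ([]byte, error) {
	if k.Revoked {
		return nil, errors.New("KEK revoked")
	}
	k.Log = append(k.Log, KeyUsage{time.Now(), k.ID, "wrap"})
	return gcmSeal(k.key, dek, []byte(k.ID))
}

// Unwrap recovers a data key; every unwrap is an auditable event.
func (k *CustomerKEK) Unwrap(wrapped []byte) ([]byte, error) {
	if k.Revoked {
		return nil, errors.New("KEK revoked")
	}
	k.Log = append(k.Log, KeyUsage{time.Now(), k.ID, "unwrap"})
	return gcmOpen(k.key, wrapped, []byte(k.ID))
}

// StoredRecord is what the storage platform holds: ciphertext plus the wrapped data key.
// Neither part is readable without the facility's KEK.
type StoredRecord struct {
	RecordID   string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptRecord generates a fresh data key per record and binds the record ID as AAD.
func EncryptRecord(kek *CustomerKEK, recordID string, phi []byte) (*StoredRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, phi, []byte(recordID))
	if err != nil {
		return nil, err
	}
	wrapped, err := kek.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &StoredRecord{RecordID: recordID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the data key with the KEK, then opens the record under its own ID.
func DecryptRecord(kek *CustomerKEK, r *StoredRecord) ([]byte, error) {
	dek, err := kek.Unwrap(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, r.Ciphertext, []byte(r.RecordID))
}

func main() {
	kek, _ := NewCustomerKEK("facility-kek-1")
	// Constructed sample record; not real patient data.
	rec, _ := EncryptRecord(kek, "MRN-000123", []byte("Jane Doe, DOB 1970-01-01, visit note"))
	pt, err := DecryptRecord(kek, rec)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	rec.RecordID = "MRN-000999" // relabel the ciphertext as another patient's record
	_, err = DecryptRecord(kek, rec)
	fmt.Println("after record-ID swap:", err)
	rec.RecordID = "MRN-000123"
	kek.Revoked = true // facility withdraws its key: stored data is now unreadable
	_, err = DecryptRecord(kek, rec)
	fmt.Println("after KEK revocation:", err)
	fmt.Println("key usage entries:", len(kek.Log))
}
```

Two design points carry over to any real deployment: the wrapped data key travels with the record, so the platform can store and replicate content without ever holding a usable key, and every unwrap lands in the usage log, which is the evidence an auditor asks for when verifying who accessed ePHI and when.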
Customizable access
The Box IT and Admin Console lets you see what's going on with your team's projects from the inside out, with access to content, usage data, collaboration, and audit trails for reporting account activity. You can customize access to each user according to their role, department, or task, and choose how those users can share and utilize content with system access controls. You can even restrict access to specific users.
Box also signs confidential business associate agreements (BAAs) with all clients storing PHI in the cloud. Keep in mind that your organization retains responsibility for configuring and enforcing your Box Content Cloud in a HIPAA-compliant manner to meet your facility's specific requirements.
User details
User detail reports from Box give you an overview and detailed profile on every user on your platform, including their:
- Name
- Role
- Group
- Storage information
- External collaboration status
- Contact information
- Last login event
- Password change dates
- Permissions
You can use this information to spot unusual access patterns, confirm that permissions match each person's role, and plan projects with a clearer view of who is working on what.
Box also tracks failed login attempts per user and when each user last downloaded a file. Our security logs record every change made to your team's administrative console, so privilege changes themselves leave an audit trail.
Using Box in health care settings
Box can be your health care team's greatest asset if you're looking for better ways to collaborate, streamline care and case management, increase mobility for your workforce, and continue offering the best patient care possible. Our unique platform lets organizations collaborate seamlessly for personalized patient care — including with third parties and external experts, like reporting agencies, academic centers, and physician groups — with access from anywhere, on any mobile device.
Centralize your team's clinical guidelines, protocols, and practices, and get real-time insights for patient care. Our platform supports e-sign documents and the ability to create unique care teams, so you're delivering top results in less time.
Learn how the Box Content Cloud can transform your operations
HIPAA compliance and certification each have a place in your health care organization. Certificate programs leave you with new skills and resources to become a safer, more HIPAA-compliant facility, while compliance satisfies legal requirements for protecting patient data.
Now that you know how to get HIPAA certified and the key differences between certification and compliance, let Box help you secure and update your processes to reflect your new insights. Our Content Cloud transforms everyday operations by putting everything your team needs to be productive and stay connected in a single, secure, easy-to-access location. Learn more about what Box can do for you and view current business plan options and pricing to find the right fit for you.
**While we maintain our steadfast commitment to offering products and services with best-in-class privacy, security, and compliance, the information provided in this blog post is not intended to constitute legal advice. We strongly encourage prospective and current customers to perform their own due diligence when assessing compliance with applicable laws.