HIPAA certification business for software vendors a good idea?

A reader recently asked:

Is there a group that ‘hipaa certifies’ online healthcare vendors/providers as Verisign does for security? It would be a neat business idea because I keep reading stats about 50% or lower compliance levels.

While I do lots of HIPAA work, I thought I’d invite a buddy of mine who knows even more about the subject to respond to the question. Bob Burns, who’s been working on healthcare IT systems for almost as long as I’ve been alive [he’s gonna kill me for saying that ;-)], wrote back:

I don’t know of any agency that is granting any such “licenses” or certification. There are companies that offer to certify folks as CHP (Certified HIPAA Professional) and the like but they have no official standing. Verisign got its trust by offering certificates and authority in the early days of the Internet. And, it’s pretty easy to create, sign, and authenticate digital certificates for browsers. However, it might be difficult to replicate their success in our industry given the complexity of the solutions that HIPAA covers. Having vendors be HIPAA certified is a good idea, but I am not sure how you would get any standing. HHS is not going to do it, perhaps an affiliation with JCAHO. I guess we could replicate what has already been done and just issue a certificate on our own and assert its accuracy.

What do you think about the idea of a HIPAA certification authority? Is such a thing even possible? If you’re a software vendor, would you use the service?


8 thoughts on “HIPAA certification business for software vendors a good idea?”

  1. Day One
    Module(s) covered: 1, 2
    Book used: Certified HIPAA Professional (CHP) Module 1: HIPAA at a Glance
    Estimated Implementation Costs
    Compliance Challenges
    Do The HIPAA Rules Apply To Me?
    Business Associate Test
    If I’m a Covered Entity or Business Associate – What Do I Do?
    What penalties are there for violations?
    Should Business Associates Fear Penalties?
    What if State Laws Conflict?
    How do the Privacy and Security Acts Differ?
    What Are the Implementation Deadlines?
    Module 2: What is the Privacy Rule
    Using and Disclosing PHI?
    Patient Rights
    Forms, Forms, Forms
    Notice of Privacy Practice
    Unique Release Situations
    Who Are Non-Business Associate Organizations?
    Employers – What Role Is This Anyway?
    Government Access to PHI
    Minimum Necessary Standard
    Privacy – Can We Talk?
    Arranging the Office
    Must I Document and Provide Patient Access to Oral PHI?
    Are Co-Workers Protected?
    Day Two
    Module(s) covered: 3,4
    Book used: Certified HIPAA Professional (CHP)
    Module 3: What are Transactions and Code Sets?
    Diagnostic and Procedure Codes
    Physician’s Office Codes
    Dental Codes
    Drug Codes
    Other Services
    ANSI ASC X12N Standards – Huh?
    Are Pharmacy Transactions the Same?
    NPI, EIN, NPlanID, and NHI…Oh, my!
    National Provider Identifier (NPI)
    NPI Enumerator
    National Provider System (NPS)
    Applying for an NPI
    EIN aka NEI aka EIN
    National Health Plan Identifier (NPlanID)
    National Health Identifier for Individuals (NHI) (Suspended)
    Module 4: What is the Security Rule?
    Are Computer Threats Real?
    Defining Security
    Confidentiality, Integrity and Availability (CIA)
    Definition and Terminology
    Approach and philosophy
    Security Rule Selection Criteria
    Administrative Safeguards
    Physical Safeguards
    Technical Safeguards
    Group Health Plans
    Policies, Procedures and Documentation Requirements
    Some Non-Technical Explanations of Technical Solutions

  2. There seems to be a bit of a misuse of the term “certified” in this article. People are certified, but “things” are accredited. People (vendors) can be certified in that they understand the rules of HIPAA by passing one or more exams. However, vendors and their products cannot be accredited for HIPAA because they are supplying only one or more components of an entire system. It is the entire system that must be HIPAA-accredited, not the individual components or the vendors. A component that is not inter-operable with an existing HIPAA-compliant system may threaten the integrity of the system, but work as desired with another system. Accreditation is achieved per-system, not per-product or per-vendor.

  3. As an independent consultant, I wish to carry some form of designation that indicates to Medical Professionals that I am a Business Associate who understands basic security requirements, i.e. firewalls, passwords, etc., that support the medical field from an Information Technology standpoint.

    Therefore I think it’s a good idea and would not mind having a health care IT certification. It can be called HIPAA-IT as opposed to HIPAA-CHP since it is geared towards IT. Is there such a thing out there?

  4. We’ve recently begun looking for accrediting agencies as well and discovered URAC (www.urac.org). They seem to be a legitimate, independent organization that provides a variety of accreditation and certification programs including HIPAA Security Business Associate (this is the one in particular we are looking at since we provide online backup services). If anyone else has heard of this organization, I would appreciate any feedback — I am concerned that many of the experts have not heard of it.

  5. Hi

    I know Edifecs offers different services for healthcare transaction management. Edifecs offers consulting and online services for HIPAA Testing and HIPAA Certification. As you mentioned they also offer educational services for HIPAA training.
