Are You Telling Your Clients Your Company is HIPAA Certified?

July 26, 2019

By: Gail Bisbee, RN, BSN

If so – you may be misleading the client! A record center or service provider as a company is not a “certifiable” entity as it pertains to HIPAA. Yet, there are RIM providers who suggest and/or market the company as HIPAA Certified. That is painting the company’s compliance with a very broad brush!

The U.S. Department of Health and Human Services issued the Privacy Rule to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The standards of the Privacy Rule address the use and disclosure of an individual’s health information that is referred to as “protected health information” (PHI). The health care provider organizations subject to the rule are “covered entities”.  The goal of the Privacy Rule was to assure that an individual’s health information is properly protected while allowing the flow of the health information essential to provide and promote high-quality health care and protect the public health and well-being.

Throughout the RIM industry there are references on websites and marketing materials that indicate “our company is a HIPAA Certified company”. Be it a false advertisement or merely misinterpretation of the HIPAA guidelines applicable to a service provider in the RIM industry the company is not in itself certified.

How do you Market to Health Care Entities About HIPAA?

So how do you market to health care entities that you understand the compliance regulations of HIPAA? The “certification” acronym has been used by various providers that serve the health care industry since HIPAA was passed in 1996. The first group of providers to tout “certification” was the IT industry and/or providers of software. There was a rush to market software as “HIPAA approved” long before there was a mechanism or “vehicle” available for software companies to “vet” a product. During the early implementation of HIPAA, venders completed an internal self-evaluation based on initial guidelines and expectations for the protection of PHI. They later proclaimed their software was HIPAA Certified. As many end-users in the health care arena discovered, such was not the case.  Health care providers, often in panic mode, purchased software from the emerging software packages presented. Unfortunately, many discovered in the months to come that the programs were in fact not capable of protecting PHI as proclaimed during external transactions and within the practice infrastructure.

Who Can be HIPAA Certified?

HIPAA training and certification is an individual endeavor. Group compliance training for RIM team members may occur within your record center and participants may receive a certificate of completion. For audit purposes, a copy of the certificate should be maintained in a Personnel file. An individual staff member may even seek HIPAA certification (as an individual) and provide training to the record center staff on hire, during annual updates, and as regulatory changes occur. These team members have then received standardized HIPAA Compliance training. However, they are still not certified – nor is the company.

Business Associate Agreements

A client needs to feel confident that the RIM provider understands the aspect of HIPAA Compliance standards as they apply to the service company and safeguarding client data in any format. As such, organizations are asked to sign a Business Associate Agreement. It is not enough to sign the document. It is essential to understand the expectations outlined in the document. The client may have very broad expectations for applicable safeguards within your service area. They may even have unrealistic expectations that are not based on HIPAA but on a reaction to an occurrence with another service vendor. It is essential to clarify reasonable expectations.

Setting Expectations

One of the most effective ways to manage expectations is to
have a prospective or current client visit the record center. Site visits serve the RIM industry well.  The “show and tell” of a site visit is an excellent way to reinforce the high standards utilized in the RIM industry. Each of the industry standard operating procedure components recommended by PRISM International dovetails with the management of PHI within the HIPAA standards. The record center’s goal is to be “show ready” at all times – from the appearance to the written protocols and expectations of your team members.

Regulatory compliance, whether federal or state, should be built into the daily activities of the record center. When standards such as HIPAA are included in SOPS and staff training, compliance success is more readily achieved. Good business practices when developed, applied, and measured – is compliance.

HIPAA blog