If you've looked into HIPAA compliance before, you might have noticed that there are several similar-sounding terms that are often thrown around: HIPAA-ready, HIPAA compliant, and HIPAA certified. At first glance, they might feel like three variations of saying the same thing at different stages, but these differences become very important when selecting vendors for working with HIPAA data.
In this article, we'll break down the difference between being HIPAA compliant, HIPAA-ready, and HIPAA-certified, and why working with a vendor who claims to be HIPAA-certified is likely the riskiest option.
Overview of HIPAA
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, and the name is now synonymous with the compliance requirements for handling Protected Health Information (PHI): any health information that can be traced back to a specific individual. This personal data is meant to be strictly private, which is why HIPAA fines for compliance breaches can range into the millions.
When HIPAA data is involved, parties fall into one of two categories: Covered Entities and Business Associates. Covered Entities are organizations directly responsible for PHI data, like healthcare providers and health clearinghouses. Business Associates provide a service or function on behalf of a Covered Entity, such as a cloud storage provider that is used for storing HIPAA files.
For more information on the specifics of PHI and HIPAA data as they relate to file transfers, see our article on HIPAA compliance for PHI file transfers.
Every organization involved with the data is responsible for ensuring compliance, whether they are a Covered Entity or a Business Associate. This means that in order to be HIPAA-compliant, every vendor involved also has to be compliant with HIPAA regulations, which is where being HIPAA-ready, HIPAA certified, and HIPAA compliant comes into play.
For instance, in the file transfer space, the storage provider is one of the involved parties. So are both the organizations sending and receiving it. And, as mentioned before, if one section fails to meet the standards, the entire process is non-compliant.
HIPAA-ready and HIPAA compliant - What's the difference?
HIPAA-ready and HIPAA-compliant are more or less saying the same thing.
HIPAA-ready typically suggests that the service or process has everything in place to meet HIPAA, but both parties still have responsibilities when using it.
HIPAA compliant typically suggests that the service or infrastructure meets all requirements, but it is still up to the user to handle the data appropriately.
It's important to note that these aren't concrete, technical definitions and aren't used the same way everywhere. But in most instances, a vendor that mentions either of them intends to say that they meet the requirements on a technical level and are compliant when all appropriate procedures are followed.
The problem is when a company or business claims to be HIPAA-certified.
What does it mean to be HIPAA-certified?
HIPAA-certified means nothing meaningful, and it can give the impression that a company has all parts of HIPAA covered when it doesn't.
HIPAA is an unusual compliance standard in that there isn't a set of specific requirements to meet. This means organizations can't simply go through a checklist, mark off each item, and be HIPAA compliant.
Because there is no concrete HIPAA compliance certification, a company can't simply have a badge showing they've earned HIPAA compliance and are now certified. Various companies provide HIPAA auditing services, but these are only "point-in-time" validations, meaning the company found them to be compliant with all requirements at that specific moment.
And the bigger problem is that the auditing organization doesn't have the authority to stamp something as "HIPAA-certified" because there is no such government-issued certification. Instead, the best they can do is show that, according to their expertise, the company they are auditing meets all requirements. The audits and certifications aren't necessarily useless, as they can be done by experts in the field, but they should be treated with a degree of skepticism. Any certifications obtained through this method are not from a government-accredited authority and don't necessarily mean that the company is currently meeting all standards.
The United States Department of Health and Human Services (HHS) goes as far as to say "HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation".
Since there is no HIPAA certification, mentioning "HIPAA-certified" could indicate that the company is either ignorant about the actual requirements or willfully manipulative to attract more customers, especially if they don't go into detail about what that means specifically.
How does HIPAA compliance work then?
Because there are several related terms and no actual HIPAA certification, compliance is more open-ended and requires organizations to meet the requirements of the HIPAA Security Rule.
These include a number of Administrative, Physical, and Technical Safeguards as well as documentation and risk management requirements.
Some of the stated requirements include:
- "Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner."
- "Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored."
- "Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate."
- "Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information."
Since these requirements are written in general terms, there are many ways to meet them. For instance, PGP is an electronic mechanism for corroborating integrity: its digital signature lets the recipient detect whether the content was altered after it was signed, and its encryption keeps the content confidential in transit. Using AS2 with MDNs (message disposition notifications, which acknowledge receipt of each transfer back to the sender) is another option that could work.
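To make the integrity requirement concrete, here is an added example (not code from the article or from Couchdrop) of the "corroborate that ePHI has not been altered" check in Python, using only the standard library. It stands in for the PGP signature described above with a keyed HMAC-SHA256 tag over a SHA-256 digest, so it is a shared-key simplification rather than PGP itself; the record, the key and the function names are all constructed for the demonstration. The point it shows is why an unauthenticated hash is not enough: whoever can alter the payload can also recompute a bare hash, so the digest has to be bound to a key (or a signature) the alterer does not hold.

```python
import hashlib
import hmac

# Constructed sample record standing in for an ePHI file prepared for transfer.
SAMPLE_RECORD = b'{"patient_id": "EXAMPLE-0001", "lab_result": "normal"}'

# Constructed demo key. A real deployment would load this from a secret store
# and share it only with the receiving party (or use an asymmetric signature).
KEY = b"constructed-demo-key-not-for-production"


def make_manifest(payload: bytes, key: bytes) -> dict:
    """Sender side: hash the payload and authenticate the hash with HMAC-SHA256.

    The tag binds the digest to the key, so a third party cannot alter the
    payload and silently recompute a matching digest.
    """
    digest = hashlib.sha256(payload).hexdigest()
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"sha256": digest, "tag": tag}


def verify_manifest(payload: bytes, manifest: dict, key: bytes) -> tuple[bool, str]:
    """Receiver side: check the tag first, then the digest, in constant time.

    Returns (ok, reason) so the caller can log why a transfer was rejected.
    """
    expected_tag = hmac.new(key, manifest["sha256"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return False, "manifest tag invalid (manifest altered or wrong key)"
    actual_digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual_digest, manifest["sha256"]):
        return False, "payload digest mismatch (content altered)"
    return True, "integrity verified"


def demo() -> dict:
    """Run the check against an intact transfer and three tampering scenarios."""
    manifest = make_manifest(SAMPLE_RECORD, KEY)
    altered_payload = SAMPLE_RECORD.replace(b"normal", b"abnormal")
    # An alterer who recomputes the bare hash still cannot produce a valid tag.
    altered_manifest = dict(manifest, sha256=hashlib.sha256(altered_payload).hexdigest())
    return {
        "intact": verify_manifest(SAMPLE_RECORD, manifest, KEY),
        "altered_payload": verify_manifest(altered_payload, manifest, KEY),
        "altered_manifest": verify_manifest(altered_payload, altered_manifest, KEY),
        "wrong_key": verify_manifest(SAMPLE_RECORD, manifest, b"some-other-key"),
    }


if __name__ == "__main__":
    for scenario, (ok, reason) in demo().items():
        print(f"{scenario:17s} -> {'OK ' if ok else 'FAIL'} {reason}")
```

The order of checks matters: the tag is verified before the digest so that an attacker-supplied manifest is never trusted as a reference value, and `hmac.compare_digest` is used for both comparisons to avoid leaking match length through timing.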
Whereas other compliance standards might specify one concrete requirement, currently, HIPAA does not. However, this could change if the proposed 2025 HIPAA rule changes go into effect.
In the meantime, there is leeway for how the requirements are met, which gives both flexibility and uncertainty on whether or not they are actually enough.
What's the best way to make sure a vendor or company meets HIPAA requirements?
If you're looking to work with an organization that meets HIPAA standards, instead of searching for "HIPAA certified" (since such a thing doesn't currently exist), or combing through the semantics of specific word choices, look for these traits:
- Mentions of HIPAA-ready or being HIPAA-compliant on the company website.
- Talk about PHI, PII, or other terms used in HIPAA legislation.
- State that they will sign a BAA. If a company mentions they can serve HIPAA customers and will include a BAA, they likely have an appropriate process in place.
- Talk about specific methods and safeguards used.
- Go into specifics about how they meet HIPAA compliance and what steps they have taken to ensure the standards are met.
These companies are less likely to mention being "HIPAA-certified" and will likely use terms like "HIPAA-ready" or have a "HIPAA-compliant service/framework" instead.
Couchdrop is a HIPAA-ready secure file transfer platform
Couchdrop is a secure file transfer platform that has a separate, dedicated HIPAA-ready infrastructure. This infrastructure has additional security controls, and all data processing stays within the United States. For more information about this infrastructure or how Couchdrop works with HIPAA data, email our team at sales@couchdrop.io or book a meeting now.