
HIPAA Certifications vs. HIPAA Compliance: What’s the Difference?

October 15th, 2025 | 5 min. read

By Kharmela Mindanao


HIPAA compliance and HIPAA certification are related but different things: the U.S. government issues no official HIPAA certification, yet many organizations claim to be “HIPAA certified.”

You may see vendors claim they are “HIPAA certified,” yet that label does not equal compliance.  

What does HIPAA-certified truly mean? And how do healthcare organizations verify if they meet the necessary HIPAA requirements? 

At Intelligent Technical Solutions (ITS), we help healthcare organizations and their vendors understand and achieve HIPAA compliance by implementing security controls, conducting risk assessments, and offering ongoing cybersecurity support. 

In this article, we’ll break down: 

  • key differences between HIPAA certification and HIPAA compliance,
  • why compliance matters,  
  • whether getting a HIPAA certification is worth it, and
  • how businesses can achieve HIPAA compliance. 

Insights in this guide include direct guidance from Sean Harris, Chief Security Risk Officer at ITS, and reflect practices used to support regulated organizations over two decades. 


What is HIPAA Compliance?  

HIPAA (Health Insurance Portability and Accountability Act) is a U.S. law that protects Protected Health Information (PHI) through the Privacy, Security, and Breach Notification Rules.  

To be compliant, you must implement administrative, physical, and technical safeguards and keep proof that those controls operate as intended.

“HIPAA compliance is about implementing real security measures to protect sensitive patient data,” Harris said. “Many businesses think they’re compliant, but without an actual audit, they could leave major gaps in their security.” 

Core activities you must sustain: 

  • Perform regular risk assessments  
  • Implement security controls (e.g., encryption, access controls, network security)  
  • Develop policies and procedures for handling PHI  
  • Train employees on data protection best practices  
  • Have an incident response plan in case of a breach 

HIPAA compliance is an ongoing process. You update controls, policies, and evidence as systems and threats evolve.


What is HIPAA Certification?  

There is no government-backed body that certifies HIPAA compliance. Third parties may offer training or assessments and then issue a certificate of completion, but federal regulators determine compliance through investigations and audits. 

As Sean Harris explained, “HIPAA certification isn’t real—at least, not in the way most people think. The government does not certify organizations as HIPAA compliant. Any certification is provided by third-party vendors, not a federal agency.”

The Office for Civil Rights (OCR) has also clarified that HIPAA compliance is determined through audits and investigations, not certifications.

That said, engaging a third-party organization is still worthwhile if you want an objective look at your IT infrastructure. Some third-party organizations offer training and assessments based on HIPAA regulations and then issue a certificate of completion.

One example is HITRUST, a separate and rigorous framework with its own attestation.

“HITRUST is an independent entity that provides certification based on HIPAA,” Harris stated. “Some organizations may require HITRUST certification if partnering with them involves PHI.” 

Why Does HIPAA Compliance Matter More Than HIPAA Certifications?  

Regulators look for controls and evidence. A certificate does not prevent penalties if your safeguards fail or are missing. 

“HIPAA violations are serious business,” Harris warned. “If a breach happens, the government isn’t going to ask for your HIPAA certificate — they’re going to conduct an audit to determine if you implemented the required safeguards.”

Consequences of non-compliance can include: 

  • Civil penalties ranging from $100 to $50,000 per violation
  • Criminal charges for willful neglect of HIPAA rules  
  • Public disclosure on the OCR’s “Wall of Shame”, which lists significant data breaches involving PHI 

A well-known example of a HIPAA violation is the Anthem data breach, where 78.8 million patient records were exposed due to poor security controls. The company paid a $16 million fine, marking one of the largest HIPAA settlements in history. 

READ: HIPAA Non-Compliance: What Happens? (& Why You Should Comply)  

Are HIPAA Certifications Still Worth It?  

HIPAA certifications can be worth it, depending on your needs. You might opt for third-party HIPAA certifications to: 

  • Objectively evaluate your IT network   
  • Train employees on HIPAA best practices  
  • Show due diligence when working with healthcare partners  
  • Market yourself as HIPAA-certified for partner organizations  

Even so, a certification does not guarantee compliance.

As Harris puts it, “Getting a certification is easy. Proving compliance in an actual audit is a different story. If you want real protection, focus on compliance, not just a piece of paper.”

Practical approach: If partners ask for “HIPAA certification,” clarify expectations. Offer your latest risk analysis summary, policy attestations, training logs, audit results where appropriate, and, if relevant to your industry relationships, a HITRUST certification plan or timeline. 


How Do You Make Your Business Truly HIPAA Compliant? 

If your business handles PHI, you must focus on actual compliance rather than a certification. Here’s how you meet these HIPAA standards:  

1. Conduct a HIPAA Risk Assessment  

A verified third-party assessment identifies vulnerabilities, likelihood, and impact so you can prioritize fixes. Perform it annually and after significant changes such as EHR migrations, cloud moves, or mergers. 

“It's essential to show that your organization is proactive in conducting regular risk assessments,” Harris said. “You don't want to find yourself in a situation where overlooked risks or missed evaluations come back to haunt you.” 

Action tips: Pair the assessment with vulnerability scanning, track remediation to completion, and keep dated evidence. 

2. Implement Strong Security Measures  

Encrypt PHI at rest and in transit, enforce MFA, apply least privilege with deny-by-default access, segment networks, centralize logging, and keep systems patched. Use secure email or messaging for PHI and restrict or manage personal devices with MDM. 

Action tips: Review privileged access quarterly. Test backup and recovery regularly and save the test results. 
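To make the “least privilege with deny-by-default access” and “centralize logging” controls above concrete, here is an added illustration (not ITS code and not part of the original article): a PHI access check that allows only explicitly listed role/action pairs, requires MFA, and writes an audit record for every decision so the log doubles as evidence for a quarterly privileged-access review. The roles, actions, and patient IDs are hypothetical.

```python
"""Deny-by-default PHI access check with an audit record per decision.

Added illustration; roles, actions and record values are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Allow-list of (role, action) pairs. Anything not listed is denied,
# which is what "deny-by-default" means in practice. Hypothetical mapping.
ALLOW = {
    ("physician", "read_chart"),
    ("physician", "write_note"),
    ("nurse", "read_chart"),
    ("billing", "read_billing"),
}


@dataclass
class AuditLog:
    """In-memory stand-in for a centralized log sink (SIEM, syslog, etc.)."""
    entries: list = field(default_factory=list)

    def record(self, user, role, action, patient_id, allowed, reason):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "patient": patient_id, "allowed": allowed, "reason": reason,
        })


def authorize(log, user, role, action, patient_id, mfa_verified):
    """Return True only if MFA passed and an allow rule matches; log every outcome."""
    if not mfa_verified:
        log.record(user, role, action, patient_id, False, "mfa_required")
        return False
    if (role, action) not in ALLOW:
        # No explicit rule means deny, even for privileged-sounding roles.
        log.record(user, role, action, patient_id, False, "no_matching_allow_rule")
        return False
    log.record(user, role, action, patient_id, True, "allow_rule_matched")
    return True


def denied_attempts(log, user):
    """Evidence query for access reviews: how many times a user was denied."""
    return sum(1 for e in log.entries if e["user"] == user and not e["allowed"])
```

The denied-attempt count is the kind of dated, reviewable record the action tips ask you to keep, rather than a control that exists only on paper.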

3. Train Employees on HIPAA Compliance  

Human error is one of the leading causes of HIPAA violations. 

Provide annual training for all staff and role-based training for privileged users, plus phishing simulations and tabletop incident exercises. 

Action tips: Track completion and test comprehension so you can demonstrate effectiveness, not just attendance. 

4. Develop an Incident Response Plan  

If a data breach occurs, your organization should have a clear incident response plan to mitigate damage and report the breach promptly.

The stakes are high: the global average cost of a data breach in 2023 was $4.45 million, a 15 percent increase over the last three years. There’s too much on the line to be caught unaware.

Action tips: Run periodic drills. After each exercise or incident, capture lessons learned and update the plan. 

5. Work with a HIPAA-Compliant MSSP or MSP  

An experienced managed security service provider (MSSP) or managed IT service provider (MSP) can accelerate remediation and provide continuous monitoring and documentation. 

“Having an experienced cybersecurity team in place makes all the difference when it comes to compliance,” Harris said. “An audit could also help while working with an MSSP/MSP, for extra reassurance.”  

Which should you prioritize? 

If you handle PHI, compliance comes first. Third-party certifications can help you educate teams and signal effort to partners, but regulators test your real safeguards and your proof, not a certificate.

Focus on assessments, controls, training, incident readiness, and documented evidence so you can demonstrate compliance on demand. 

Need help to achieve HIPAA compliance?  

At ITS, we provide HIPAA compliance assessments, cybersecurity solutions, and employee training to help businesses meet regulatory requirements and avoid costly penalties.

Contact ITS today for a consultation and risk assessment to secure your business and stay compliant.

If you want more information about HIPAA compliance before reaching out, check out the following resources: 

FAQs (Frequently Asked Questions)

Q: Is there an official HIPAA certification from the U.S. government?  

A: No. OCR determines compliance through investigations and audits, not certificates. 

Q: If a vendor is “HIPAA certified,” does that mean they are compliant?  

A: Not necessarily. Third-party certificates can show training or assessment, but they do not guarantee compliance. You will still need to do due diligence. 

Q: Do partners ever require certifications like HITRUST?  

A: Some do. HITRUST is a private framework and certification that can complement HIPAA efforts for partner assurance. 

Q: How often should you run a HIPAA risk assessment?  

A: At least annually and after major changes to systems or workflows. 

Q: What evidence should you maintain to prove compliance?  

A: Risk analyses, remediation records, approved policies with attestations, training logs, BAA inventory, monitoring results, backup and recovery test results, and incident response records. 

Kharmela Mindanao

Kharmela Mindanao is a senior content writer for Intelligent Technical Solutions. She’s called Ella by her friends and likes yoga, literature, and mountain climbing. Her favorite book is Anxious People by Fredrik Backman. She creates art and poetry and is on a quest to find the best cheesecake.
