HIPAA compliance and HIPAA certification are related but different things: the U.S. government issues no official HIPAA certification, yet many organizations claim to be “HIPAA certified.”
You may see vendors claim they are “HIPAA certified,” yet that label does not equal compliance.
What does HIPAA-certified truly mean? And how do healthcare organizations verify if they meet the necessary HIPAA requirements?
At Intelligent Technical Solutions (ITS), we help healthcare organizations and their vendors understand and achieve HIPAA compliance by implementing security controls, conducting risk assessments, and offering ongoing cybersecurity support.
In this article, we’ll break down:
Insights in this guide include direct guidance from Sean Harris, Chief Security Risk Officer at ITS, and reflect practices used to support regulated organizations over two decades.
HIPAA (Health Insurance Portability and Accountability Act) is a U.S. law that protects Protected Health Information (PHI) through the Privacy, Security, and Breach Notification Rules.
To be compliant you must implement administrative, physical, and technical safeguards and keep proof that those controls operate as intended.
“HIPAA compliance is about implementing real security measures to protect sensitive patient data,” Harris said. “Many businesses think they’re compliant, but without an actual audit, they could leave major gaps in their security.”
Core activities you must sustain:
HIPAA compliance is an ongoing process. You update controls, policies, and evidence as systems and threats evolve.
There is no government-backed body that certifies HIPAA compliance. Third parties may offer training or assessments and then issue a certificate of completion, but federal regulators determine compliance through investigations and audits.
As Sean Harris explained, “HIPAA certification isn’t real—at least, not in the way most people think. The government does not certify organizations as HIPAA compliant. Any certification is provided by third-party vendors, not a federal agency.”
The Office for Civil Rights (OCR) has also clarified that HIPAA compliance is determined through audits and investigations, not certifications.
That said, engaging a third-party organization is still worthwhile if you want an objective look at your IT infrastructure. Some third parties offer training and assessments based on the HIPAA regulations and then issue a certificate of completion.
One example is HITRUST, a separate and more rigorous framework with its own certification.
“HITRUST is an independent entity that provides certification based on HIPAA,” Harris stated. “Some organizations may require HITRUST certification if partnering with them involves PHI.”
Regulators look for controls and evidence. A certificate does not prevent penalties if your safeguards fail or are missing.
“HIPAA violations are serious business,” Harris warned. “If a breach happens, the government isn’t going to ask for your HIPAA certificate — they’re going to conduct an audit to determine if you implemented the required safeguards.”
Consequences of non-compliance can include:
A well-known example of a HIPAA violation is the Anthem data breach, in which the records of 78.8 million individuals were exposed because of inadequate security controls. Anthem paid $16 million to settle with OCR, at the time the largest HIPAA settlement in history.
READ: HIPAA Non-Compliance: What Happens? (& Why You Should Comply)
HIPAA certifications can be worth it, depending on your needs. You might opt for third-party HIPAA certifications to:
A certificate still does not guarantee compliance.
As Harris puts it, “Getting a certification is easy. Proving compliance in an actual audit is a different story. If you want real protection, focus on compliance, not just a piece of paper.”
Practical approach: If partners ask for “HIPAA certification,” clarify expectations. Offer your latest risk analysis summary, policy attestations, training logs, audit results where appropriate, and, if relevant to your industry relationships, a HITRUST certification plan or timeline.
If your business handles PHI, you must focus on actual compliance rather than a certification. Here’s how you meet these HIPAA standards:
An independent third-party risk analysis identifies threats, vulnerabilities, likelihood, and impact so you can prioritize remediation. Perform it at least annually and after significant changes such as EHR migrations, cloud moves, or mergers.
“It's essential to show that your organization is proactive in conducting regular risk assessments,” Harris said. “You don't want to find yourself in a situation where overlooked risks or missed evaluations come back to haunt you.”
Action tips: Pair the assessment with vulnerability scanning, track remediation to completion, and keep dated evidence.
Encrypt PHI at rest and in transit, enforce MFA, apply least privilege with deny-by-default access, segment networks, centralize logging, and keep systems patched. Use secure email or messaging for PHI and restrict or manage personal devices with MDM.
Action tips: Review privileged access quarterly. Test backup and recovery regularly and save the test results.
Human error is one of the leading causes of HIPAA violations.
Provide annual training for all staff and role-based training for privileged users, plus phishing simulations and tabletop incident exercises.
Action tips: Track completion and test comprehension so you can demonstrate effectiveness, not just attendance.
If a breach occurs, your organization needs a clear incident response plan so it can contain the damage and report the breach within the Breach Notification Rule’s deadlines (no later than 60 calendar days after discovery).
The stakes are high: the global average cost of a data breach in 2023 was $4.45 million, a 15 percent increase over three years, according to IBM’s 2023 Cost of a Data Breach report. There is too much on the line to be caught unaware.
Action tips: Run periodic drills. After each exercise or incident, capture lessons learned and update the plan.
An experienced managed security service provider (MSSP) or managed IT service provider (MSP) can accelerate remediation and provide continuous monitoring and documentation.
“Having an experienced cybersecurity team in place makes all the difference when it comes to compliance,” Harris said. “An audit could also help while working with an MSSP/MSP, for extra reassurance.”
If you handle PHI, compliance comes first. Third-party certifications can help you educate teams and signal effort to partners, but regulators test your real safeguards and your proof, not a certificate.
Focus on assessments, controls, training, incident readiness, and documented evidence so you can demonstrate compliance on demand.
At ITS, we provide HIPAA compliance assessments, cybersecurity solutions, and employee training to help businesses meet regulatory requirements and avoid costly penalties.
Contact ITS today for a consultation and risk assessment to secure your business and stay compliant.
If you want more information about HIPAA compliance before reaching out, check out the following resources:
A: No. OCR determines compliance through investigations and audits, not certificates.
A: Not necessarily. Third-party certificates can show training or assessment, but they do not guarantee compliance. You will still need to do due diligence.
A: Some do. HITRUST is a private framework and certification that can complement HIPAA efforts for partner assurance.
A: At least annually and after major changes to systems or workflows.
A: Risk analyses, remediation records, approved policies with attestations, training logs, BAA inventory, monitoring results, backup and recovery test results, and incident response records.