HIPAA enforcement within the U.S. officially got underway with the first sanction applied by the Department of Health and Human Services (HHS) in July; I blogged about it here.
Providence Health & Services agreed to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss.
There have also been more criminal charges brought under HIPAA; the 7th criminal conviction and sentencing occurred just a few days ago. I blogged about it, and listed the other 6 cases and sentences, here.
Now that the HHS has enlisted the help of PricewaterhouseCoopers to do compliance audits, perhaps healthcare providers, insurers and clearinghouses will become more proactive in safeguarding the protected health information (PHI) with which they've been entrusted. Time will tell.
However, it sure seems like plenty of vendors, many to most with absolutely no healthcare experience or background, have manufactured their own HIPAA "compliance certifications," and what seems like a growing number of information security and privacy practitioners are falling for them. This is not just in the U.S.; some of my friends in the EU have said they've been getting vendors trying to sell them "HIPAA certified" compliance products and training.
It is important that healthcare practitioners know and understand that there is no such thing as a HIPAA "certification" that has been endorsed or recommended by the HHS. In fact, the HHS is so concerned about these scams, which really only provide revenue lines for the vendors selling the "certifications" instead of any value for the people obtaining them, that they created a page on their site warning about these bogus claims; here.
Here is the text on that page:
"Office for Civil Rights - HIPAA
What You Should Know About OCR HIPAA Privacy Rule Guidance Materials
Be aware of misleading marketing claims
The Office for Civil Rights (OCR) has made available on its website guidance materials on the Privacy Rule as a service to the public to help covered entities comply with the rule and to help consumers know how they are protected by the Privacy Rule. All items on our Educational Materials page (http://www.hhs.gov/ocr/hipaa/assist.html) have either been produced directly by OCR or have been reviewed by OCR prior to their publication. OCR also provides links to other useful sites, but does not review or endorse the materials found on those sites.
We have received reports that some consultants and education providers have claimed that they or their materials or systems are endorsed or required by HHS or, specifically, by OCR. In fact, HHS and OCR do not endorse any private consultants' or education providers' seminars, materials or systems, and do not certify any persons or products as "HIPAA compliant." The Privacy Rule does not require attendance at any specific seminars. All of OCR's materials are available free on our web site.
If you believe anyone is making false or misleading representations about HHS or OCR in regard to HIPAA training and compliance, please notify us via email at ocrcomplaint@hhs.gov or by postal mail at Office for Civil Rights, 200 Independence Ave, S.W., Room 509F, Washington, D.C. 20201."
Folks, if someone tries to tell you that they can certify your program as being "HIPAA compliant," or that they have "HIPAA certified" products, don't believe them!
- Rebecca Herold's blog
