Navigating HIPAA Certification: The What, Why, and How [Updated 2024]



Let’s cut right to the chase. There is no official HIPAA certification. The law says nothing about HIPAA certification, and does not require any type of formal certification process. But like most things when it comes to HIPAA, it’s not quite that simple. Keep reading to learn more about what certification is, its costs, and the potential benefits of obtaining it.

Unraveling the Mystery: What is HIPAA Certification?

HIPAA: The What and the Why

HIPAA, short for Health Insurance Portability and Accountability Act, is not just a mere acronym, but a beacon of health data privacy, established by the US Congress in 1996. This piece of legislation came into existence in response to the rising need for a stringent structure to safeguard sensitive health information amidst the digital revolution.

The underlying purpose of HIPAA is simple yet profound. It is designed to protect an individual's medical data and other personal health information, restricting who can access and receive such data. In an era where personal information often floats around in cyberspace, HIPAA acts as the guardian, ensuring that health data stays confidential and only reaches authorized hands.

So, What’s This "HIPAA Certification" We're Talking About?

When we refer to "HIPAA Certification" or "PHI Certification" it can mean two distinct things – certification at an individual level or at an organizational level.

Individual HIPAA certification usually implies that a person has undergone a particular training program related to HIPAA's rules and regulations (see our article Who Needs HIPAA Training?). There are plenty of providers who offer such courses, tailored to meet the requirements of different roles, be it healthcare providers, IT professionals, or administrative staff. Once a person successfully completes this training, they receive a certificate. This document serves as tangible proof of their HIPAA competency – hence, they're deemed 'HIPAA certified.' At TeachMeHIPAA, we offer accessible, actionable, and affordable HIPAA training for individuals and for organizations.

On the flip side, when we talk about an organization achieving HIPAA certification, the conversation takes on a whole new dynamic. While there is no official organizational certification by the OCR (the HHS Office for Civil Rights), numerous third-party companies provide rigorous audits based on HIPAA standards. These audits scrutinize an organization's HIPAA compliance across various departments, processes, and systems. Once an organization passes this audit, it is awarded a certificate – this is what's typically referred to as 'HIPAA Certification.' Such a certificate may be required to partner with specific large, established healthcare entities. The process of obtaining organizational certification can, however, be extremely time-consuming and costly, and should be undertaken only after careful consideration.

Journey to Compliance: How an Organization Gets HIPAA Certified

Steering an entire organization through an external HIPAA certification is no small feat. The process may look a little different depending on which auditor you partner with. But let's map out the prototypical elements that will be evaluated by a third party auditor to understand the scope of the undertaking:

  1. Risk Assessment: The auditor checks if the organization has conducted a thorough risk assessment to identify potential vulnerabilities in the confidentiality, integrity, and availability of electronic protected health information (ePHI).

  2. Privacy and Security Policies: The auditor reviews the organization's privacy and security policies to ensure they're in line with HIPAA's Privacy and Security Rules.

  3. Physical Safeguards: This includes an evaluation of controls related to physical access to electronic systems and equipment storing ePHI, such as data centers and server rooms.

  4. Technical Safeguards: The auditor assesses the technical measures in place, like access control, encryption, and activity logs, to protect and control access to ePHI.

  5. Administrative Safeguards: The auditor examines the administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect ePHI.

  6. Breach Notification Procedures: The organization's procedures for responding to a breach of unsecured ePHI are also under the auditor's lens.

  7. Employee Training: The auditor reviews whether the organization has an effective training program in place to ensure all staff members understand HIPAA regulations.

  8. Business Associate Agreements: The auditor checks if the organization has HIPAA-compliant agreements in place with all business associates – third-party vendors with access to ePHI (see our article What is a BAA?).

  9. Incident Response Plan: The organization should have a well-structured plan to respond to incidents that could compromise the security of ePHI.

  10. Documentation: Lastly, the auditor verifies if the organization maintains proper documentation of all policies, procedures, and actions taken to comply with HIPAA rules. This documentation should be retained for at least six years from the date of creation or last effective date.

Remember, the specifics may vary based on the auditor's approach and the size and nature of the organization being audited. And to maintain this status, organizations must continue to meet HIPAA requirements and undergo regular audits, keeping the commitment to health data privacy and security alive and strong. Consider our Keys to Success for HIPAA Compliance.


So there you have it: a comprehensive answer to the question, "What is HIPAA certification, and how do I get it?" As an individual, becoming HIPAA certified is a straightforward exercise in training with a high-quality educational platform like TeachMeHIPAA, whereas becoming certified as an organization is a costly, intensive, and ongoing effort. Decide what’s right for you. But if you need help, feel free to drop us a line at [email protected]


Is HIPAA certification legally required?
HIPAA certification is not required for organizations, and there is no official HIPAA certification. For individuals, HIPAA training (often called certification) is required if employed by a Covered Entity or a Business Associate.

How long does HIPAA certification last?
For organizations, a HIPAA certification is an attestation that proper compliance infrastructure was in place at the time of certification. Frequently, companies will undergo periodic reassessment to maintain their certified status. How long any specific certification lasts is at the discretion of the specific third party auditor; there is no standard HIPAA certification expiration rule.

Can I become HIPAA certified as an individual online?
Absolutely! At TeachMeHIPAA, we offer high quality affordable HIPAA training for you and your team. And we provide a certificate at the end to prove you’ve succeeded.
