There's No Such Thing as Total HIPAA Compliance at a Given Point in Time

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

The Department of Health and Human Services (HHS) enforces the HIPAA law and regulations through its enforcement arm, the Office for Civil Rights. The Office for Civil Rights (OCR) may initiate an investigation against a HIPAA-covered entity after someone has filed a HIPAA complaint against that entity.

During the investigation, OCR may request that the HIPAA-covered entity provide documentation of its compliance with specific HIPAA rules.  The investigation may result in remedial action, ranging from technical assistance to civil monetary penalties.

A commonly asked question in HIPAA-world is, "If I have taken actions X, Y, and Z, I am completely compliant, and will not be investigated, right?" (A variation of this question is, "What specific steps do I need to take to become 100% compliant so I will not be investigated?)

There's No Such Thing as Total HIPAA Compliance at a Given Point in Time
There is no magic bullet guarantee a third-party software solution can give to a HIPAA-covered entity that will prevent the HIPAA-covered entity from potential investigation by OCR. No guarantee of "You'll be 100% compliant if you do X, Y, and Z."

Why? Because the HIPAA rules do not state that following their terms either guarantees 100% present compliance or 100% future compliance. And, because the rules nowhere state that present compliance retroactively erases past compliance deficiencies that can form the basis of a valid complaint.

There's No Such Thing as "Certification"
As HHS notes, there is no such thing as total compliance - no compliance race to be won, no compliance finish line to cross where the prize is an award of gold, 10.0, 6.0 (or whatever other "perfection" scoring measure comes to mind), and, more importantly, no such thing as self- or third-party certification of compliance. (This concept should be familiar to users of tax prep services; entities like H&R Block who provide these services never tell clients that clients are in 100% compliance, past, present, and future, with every federal tax law that conceivably is associated with those clients, or is implicated by how or what they earn).

An HHS Q&A illustrates the point:

Question: "Are we required to “certify” our organization’s compliance with the standards of the Security Rule?"

Answer: It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.

Putting aside for the moment that an answer to the question of "Am I 100% compliant" inherently seeks significant legal advice, the HHS answer is a nod to the reality that no entity, and no entity working with the help of a third party, can guarantee it meets the exact, full measure of an entire regulatory scheme at any given moment at time. 

The use of compliance software that addresses the HIPAA regulations can help to strengthen a compliance program's effectiveness; an effective compliance program is one that can detect, identify, and remediate violations, irregularities, or flaws.  An effective compliance program, which requires continuous updating to maintain that effectiveness, is, by definition, not a perfect one.