There's No Such Thing as Total HIPAA Compliance at a Given Point in Time

Modified on Thu, 31 Oct at 12:52 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


The Department of Health and Human Services (HHS) enforces the HIPAA law and regulations through its enforcement arm, the Office for Civil Rights. The Office for Civil Rights (OCR) may initiate an investigation against a HIPAA-covered entity after someone has filed a HIPAA complaint against that entity.

During the investigation, OCR may request that the HIPAA-covered entity provide documentation of its compliance with specific HIPAA rules.  The investigation may result in remedial action, ranging from technical assistance to civil monetary penalties.


A commonly asked question in HIPAA-world is, "If I have taken actions X, Y, and Z, I am completely compliant, and will not be investigated, right?" (A variation of this question is, "What specific steps do I need to take to become 100% compliant so I will not be investigated?")

There's No Such Thing as Total HIPAA Compliance at a Given Point in Time
There is no magic-bullet guarantee a third-party software solution can give to a HIPAA-covered entity that will prevent the HIPAA-covered entity from a potential investigation by OCR. There is no guarantee of the form "You'll be 100% compliant if you do X, Y, and Z."

Why? Because the HIPAA rules do not state that following their terms guarantees either 100% present compliance or 100% future compliance. And because the rules nowhere state that present compliance retroactively erases past compliance deficiencies that can form the basis of a valid complaint.

There's No Such Thing as "Certification"
As HHS notes, there is no such thing as total compliance - no compliance race to be won, no compliance finish line to cross where the prize is an award of gold, 10.0, 6.0 (or whatever other "perfection" scoring measure comes to mind), and, more importantly, no such thing as self- or third-party certification of compliance. (This concept should be familiar to users of tax prep services; entities like H&R Block who provide these services never tell clients that clients are in 100% compliance, past, present, and future, with every federal tax law that conceivably is associated with those clients, or is implicated by how or what they earn).

An HHS Q&A illustrates the point:

Question: "Are we required to “certify” our organization’s compliance with the standards of the Security Rule?"

Answer: "It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation."

No entity, either through its own efforts or working with the help of a third party, can guarantee it meets the exact, full measure of an entire regulatory scheme at any given moment in time. To give a brief example, take the disaster recovery plan requirement: At any given moment, a natural or man-made disaster can strike. An organization cannot guarantee that its disaster recovery plan has the exact, precise components needed to provide 100%, perfect protection against the disaster. The plan components invariably must be adapted and modified as the disaster unfolds. Another example: risk assessments. Risk assessments must be conducted continuously in response to environmental or operational changes affecting the security of electronic protected health information.

The use of compliance software that addresses the HIPAA regulations can help to strengthen a compliance program's effectiveness; an effective compliance program is one that can detect, identify, and remediate violations, irregularities, or flaws. An effective compliance program, which requires continuous updating to maintain that effectiveness, is, by definition, not a perfect one. There is no numerical rating that separates an effective program from one that is not effective. Establishing and maintaining a compliance program over time is the best way to ensure its effectiveness.
