Does That HIPAA Seal Really Indicate HIPAA Compliance?
Do you or someone you love have a taste for luxury? If so, you may have shelled out for a bag from a high-end designer—Gucci, Kate Spade, Coach, Louis Vuitton, and the like. But of course, these can go for thousands of dollars, so in many cases, it makes more sense to instead indulge in a cheaper knock-off. It looks basically like the real deal, so there’s no problem, right?
Unfortunately, HIPAA compliance does not work that way. Some organizations purport to be “HIPAA compliant” when in fact they are not, and, for the sake of information security, it’s critical to know the difference and who is truly HIPAA compliant. As experienced HIPAA assessors who know what passes a HIPAA audit and what doesn’t, we’re going to explain what we mean.
In this article, we’ll break down the source of the confusion surrounding HIPAA compliance, what it truly means, and why seeing a HIPAA seal somewhere isn’t an automatic indication of compliance. We’ll also explain how you can truly demonstrate that your organization is compliant with this very important regulation so that you can better assure your customers that their information is secure.
What is “HIPAA Compliant?”
What can make determining who and what is HIPAA compliant tricky is that the U.S. Department of Health and Human Services (HHS)—the federal agency charged with overseeing the Health Insurance Portability and Accountability Act (HIPAA)—does not formally define the term “HIPAA Compliant.”
Still, it’s generally defined as complying with each of the applicable requirements of the standards of the HIPAA Privacy, Security, and Breach Notification Rules.
However, you may have seen the phrases “HIPAA Compliant” or “HIPAA Certified” appear in various marketing materials and on websites—in fact, these terms are not recognized by HHS:
- There is no HIPAA certification process.
- No company has the authority to certify HIPAA compliance.
- As such, these “HIPAA certifications” do not necessarily affirm an organization’s fulfillment of its legal obligations under HIPAA.
Not only are the “seals of compliance” you’ve probably seen meaningless, but they can also get the organization displaying them in trouble for false advertising: if you experience a breach or a compliance violation while displaying a “HIPAA Compliant” or “HIPAA Certified” seal, the Federal Trade Commission (FTC) will consider it consumer fraud.
What’s more, this has already happened a few times. Several businesses have recently been cited for consumer fraud for displaying a “HIPAA Compliant” seal. Although each claimed to be HIPAA compliant, the investigations that followed their breaches found them to be anything but:
SkyMed, a provider of travel emergency services
SkyMed displayed a “HIPAA Compliant” seal on each page of its website, leading consumers to believe that the company had reviewed its privacy policies and met the security and privacy requirements of HIPAA.
However, SkyMed was cited by the FTC and settled in December 2020 after a data breach, when the ensuing investigation revealed:
While no financial penalty was assessed, SkyMed agreed to a consent order requiring a 20-year monitored compliance program.
GoodRx, a telehealth and prescription drug discount provider
On February 1, 2023, the FTC announced GoodRx had violated the FTC’s Health Breach Notification Rule after the organization’s unauthorized disclosures of consumers’ personal health information to third-party advertisers and other companies.
Further, the FTC alleged that GoodRx violated the FTC Act, having misrepresented its HIPAA compliance by displaying a seal on its telehealth homepage that falsely suggested it complied with the law—in fact, they’d failed to implement “sufficient formal, written, or standard privacy or data sharing policies or compliance programs.”
BetterHelp, a mental health and online counseling platform
BetterHelp displayed a HIPAA compliance seal but also shared consumers’ sensitive health data and other personal information with third-party advertising platforms without first obtaining affirmative consent, violating certain privacy representations.
After the FTC investigated, it was found that no government agency or other third party had ever reviewed BetterHelp’s privacy or information security practices nor determined that they met HIPAA’s requirements.
On March 2, 2023, the FTC announced that it had reached a $7.8 million settlement with BetterHelp.
Don’t make the same mistake as the above organizations—if you use one of these “HIPAA Compliant” seals on your website or marketing, it’d be smart to remove it now.
How to Prove Your HIPAA Compliance
Removing a seal as a precaution doesn’t, however, mean you can scrap HIPAA compliance entirely, and since there’s no formal certification program, you may be wondering how you can prove compliance to your patients or clients. Moreover, if you are considering engaging a vendor that tells you they’re HIPAA compliant, how do you know what they really mean?
Without a formal HIPAA certification program, it’s up to each organization to provide robust proof of compliance, both to its customers and to external regulators, and that applies to your vendors as well. To prove HIPAA compliance, you must thoroughly evaluate your organization against the regulations.
First, you should use the HHS Office for Civil Rights (OCR) HIPAA Audit Protocol, which outlines the expected policies and procedures for HIPAA compliance. Once you’re confident that your policies and procedures meet the HIPAA requirements and that these policies have been fully implemented, you can seek a HIPAA compliance review, which can be performed internally or by an independent external organization:
- Should you opt for internal review, ensure it’s performed by someone qualified and independent from the processes being reviewed and that they include documented evidence supporting the conclusions reached.
- External HIPAA reviews are done by a professional services organization that should provide you with similar documentation you can offer to your clients regarding your HIPAA compliance status.
- For example, at Schellman, we can perform a detailed audit of your operations through our HIPAA Express service that follows the OCR HIPAA Audit Protocol as our audit baseline. We then provide you with a formal report outlining your status regarding each of the HIPAA standards and implementation specifications, which can then be used to provide evidence of compliance with the HIPAA rules and regulations.
- Given the robust support and independence provided by an external audit, your clients are likely to only accept a third-party report.
Though that guidance is geared toward healthcare organizations (or covered entities), business associates similarly benefit from having an independent third party perform HIPAA audits, as you’ll get the same kind of evidence you can use to set yourself apart from your competitors and reduce the time you spend responding to security questions from your clients.
(In fact, covered entities utilizing business associates will likely require the latter to provide evidence of an independent audit report illustrating HIPAA compliance.)
Moving Forward with Complete HIPAA Compliance
All that to say, HIPAA compliance is not like a knockoff Birkin bag—you can’t settle for less than the real deal, and you shouldn’t advertise any kind of “HIPAA certification” either, as such a thing does not exist.
While you’re being wary of promoted seals elsewhere, understand that HIPAA compliance is a journey, not a destination. It requires corrections and adjustments—on any given day you might not be compliant, but that’s why it must be an ongoing process to periodically reevaluate your status. (We recommend revalidating the results of your HIPAA audit at least annually.) Failure to be proactive and address any gaps in compliance can result in significantly increased fines in the event of a breach or other OCR investigation.
But now that you understand an internal or external HIPAA compliance review is the only real way to go, you can move forward more confidently. To further simplify your journey, check out our other articles that can help:
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, a HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.