HHS is not going to certify any product or individual.

Moreover, you are not going to be able to hide behind someone else's
"certification" when patients, regulators or trial attorneys come knocking.

For all the regulations, the best you can hope for is that the product is
CAPABLE of meeting the requirements of each regulation. For example, the
Privacy Rule has generated a growing number of tools that purport to meet
the market's need to protect patient confidentiality. So are these policies
and procedures HIPAA compliant? Maybe. But what good does that do you if you
don't understand them, apply them to your specific situation or enforce
them?

The best they can do is offer you tools that can enable or ease your
compliance tasks.

The same holds true for security. These products can only enable compliance.
If you need a certain level of encryption, then a product that offers that
level of encryption -- if you use it -- will meet the requirements of HIPAA.

HIPAA compliant may be a better term to use for these products, assuming
they do what they claim.

If someone claims to be certified, take a look at who did the certifying,
and then make a decision about the vendor. Some consulting firms have
offered this certifying service. So what you have is a third-party
certifying a product -- not a government entity.

The most important thing to remember: Compliance is an ongoing exercise. It
never ends. Privacy and security are ongoing responsibilities and you are
not going to be able to take a product, insert it into your operations and
then think you have completed your task.

New technologies are going to present new security and privacy challenges.
These will necessarily require adjustments on your part as well.

Hope this helps,
Dennis Melamed
Editor
Health Information Privacy Alert
(202) 296-3069










-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 15, 2002 1:38 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: CERTIFICATION?





REF: Certification

Are you speaking of individuals? Or products?


David Sweigert, M.S., CISSP
State IT Security Policy Officer
Office of Statewide IT Policy
Computer Services Division
http://www.ohio.gov/itp



From: "Kerri Stone" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
cc:
Subject: CERTIFICATION?
Date: 05/15/2002 12:31 PM








Hello.  I am not sure if this has been discussed or not, but I have been
looking at a number of websites where people claim to do "certification" of
HIPAA compliance.  And even a few claim to have been certified by their
respective states, or even the federal government.  I thought there was no
such thing as official HIPAA certification.  I was under the impression it
was self-certification.  Am I wrong?  I would appreciate any feedback.
Thank you.

Sincerely,
Kerri Stone
HIPAA Project Manager
SCB Computer Technology
(954) 234-3569
[EMAIL PROTECTED]


**********************************************************************
To be removed from this list, go to:
http://snip.wedi.org/unsubscribe.cfm?list=privacy
and enter your email address.




