If nothing else, HIPAA regs and security regs are dynamic. By necessity they
must be. That makes maintaining a certification very difficult. I tend to
think that defining and ensuring certification, before we have any idea how
the OCR is going to interpret and enforce the regs, is quite premature. We,
of course, need to make every effort to comply with the law as it stands but
I am not confident that a certification at this point is what it is intended
to be.

Kirsten Ruzic Wild, RN, BSN, MBA, CPC
Corporate Compliance
Community Memorial Hospital
[EMAIL PROTECTED]
(262) 257-3495


-----Original Message-----
From: Leslie C. Bender [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 30, 2002 12:40 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Certifications


CMS/HHS have repeatedly stated at conferences that they had and have no
plans to do "certifications" pertaining to HIPAA.  I often wonder if the
origin of discussions about "HIPAA certifications" comes from language in the
proposed Security Rule that obligates a covered entity to certify, or engage
outside assistance in certifying, their HIPAA compliance.

On the various listservs I have seen a blur between several types of
"certification" - notably CISSP which I understand is a security
professional's credential and involves "certification."  I have also seen
folks write in with a notation after their name "HIPAA certified."  When
questioned, the responses about how people "earned" this elusive credential
report any of the following:
1.  I attended a HIPAA workshop at x,y,z location and got a HIPAA
certificate at the end; or
2.  Claredi did my "HIPAA certification," or
3.  I am a CISSP certified professional and since we all anticipate the
Security Rule will reflect the state of the industry, wouldn't a CISSP
certification equal a HIPAA certification?

I'm not endorsing any of these responses - just reflecting on what seems to
be the folklore that is prevalent.  Many trade and professional associations
with covered entity and business associate members are seeking "bright
lines" for responsible HIPAA implementation.  They have and continue to
develop educational programming to assist their membership up the formidable
HIPAA curve.  Because HIPAA is intentionally situational, the concepts of
"compliant" or "certified" or simply "HIPAA ready" are difficult to capture
and objectify -- but there seems to be consensus around the importance of
trying to find them (let's hope it's not like the search for the Holy Grail).
Moreover, given the inherent dynamic nature of the three interlocking sets
of regulations (each can, by its terms, be modified annually) I wonder if an
organization was compliant with HIPAA based, for example, on the pre-August
14, 2002, version of the Privacy Rule, how it would continue to be after if
its corporate culture didn't support the ability to make adjustments
consistent with ongoing rulemaking.  So assuming one can establish standards
or criteria that if met would mean an organization was "HIPAA compliant"
(and I'm not suggesting one cannot) - would there be a criterion to reflect
the operational or compliance flexibility in an organization to change in
accordance with the predictable rulemaking process?

p.s. - to be fair I should note as well a more disturbing trend - e.g.,
trade or professional association designing and publishing processes to
assist members in "certifying" they are "opted out" of being covered
entities and thus needn't comply with HIPAA.

Leslie Bender, Esq.

Leslie C. Bender, P.A.
1922 Greenspring Drive, Suite 7
Timonium, Maryland  21093
Ph: 410-453-4125
Fax: 410-453-4126
www.roiWebEd.com
also - Board Member and Chair, Education Committee - Mid Atlantic Health
Initiative, a regional WEDi-SNIP unit
---------- Original Message ----------------------------------
From: <[EMAIL PROTECTED]>
Reply-To: <[EMAIL PROTECTED]>
Date:  Fri, 30 Aug 2002 12:57:58 -0400

>Perry, your point is very valid!
>
>As stated by the agencies, it isn't the role of the government to "Certify"
>a product, service, or process relating to HIPAA.  Certifications by their
>nature require a process of accreditation, credentialing, and
>ideally broad support.  I have no knowledge of what the vendor in question
>bases their "certification" on, and without full disclosure of that basis I
>view its claim as suspect, however there is at least one validly certified
>training/education product in the market - certified/credentialed by a State
>University System.
>
>However, this specific problem has resulted in the creation of a separate
>body to address this issue of developing HIPAA conformance certification
>standards.  This activity is complementary to the work of the other HIPAA
>bodies, and recognizing the urgency of this for covered entities and
>industry alike, has begun and hopes to publish a significant body of work
>rapidly.
>
>This also raises another important point - full disclosure.  Some on this
>listserv express offense at participants including their company names in
>their replies and messages.  Personally, I want to know who it is that is
>expressing their opinions and who they represent, and in what capacity.  I
>appreciate a weblink also, making it easy to view their context.  Without
>this disclosure, we do not have the ability to properly weight their
>credentials or perspective in these issues.  Each of us needs to be able to
>evaluate each posted statement and not simply take everything said as fact
>or legal opinion - this one included.  So I would encourage all to be candid
>in their signatures for these reasons and recognize the difference between
>spam commercialism and simple honest disclosure.
>
>Tim McGuinness, Ph.D.
>President,
>HIPAA Help Now Inc.
>[EMAIL PROTECTED]
>www.hipaahelpnow.com
>
>Executive Co-Chairman for Privacy,
>HIPAA Conformance Certification Organization (HCCO)
>www.hipaacertification.org
>
>
>
>
>-----Original Message-----
>From: Meyer, Perry [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, August 27, 2002 8:24 AM
>To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; [EMAIL PROTECTED];
>[EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
>[EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
>[EMAIL PROTECTED]
>Subject: RE: WEDI SNIP Forum to be Rescheduled!!!
>
>
>Just curious, but does CMS or OCR recognize "certified" HIPAA training?  I
>see no mention of this in the regs.  I think we need to be very careful in
>promoting something as "certified" when it comes to HIPAA.
>
>Perry Meyer
>Senior Vice President
>Iowa Hospital Association
>
>
>The WEDI SNIP listserv to which you are subscribed is not moderated.  The
>discussions on this listserv therefore represent the views of the individual
>participants, and do not necessarily represent the views of the WEDI Board of
>Directors nor WEDI SNIP.  If you wish to receive an official opinion, post
>your question to the WEDI SNIP Issues Database at
>http://snip.wedi.org/tracking/.
>Posting of advertisements or other commercial use of this listserv is
>specifically prohibited.
>
>
 



