
HIPAA Compliance: Can You Become HIPAA Certified?

HIPAA compliance is a legal requirement, but can organizations get HIPAA certified? Learn why no official HIPAA certification exists, what it takes to achieve compliance, and the key steps to protecting patient data.
March 18, 2025
Contents

  • Quick Refresh: What is HIPAA?
  • HIPAA Certification: What is It?
  • HIPAA Compliance Requirements
  • HIPAA Certification Training and Education Courses
  • 6 Steps to HIPAA Compliance
  • Download Your HIPAA Compliance Checklist
  • Automate Your HIPAA Compliance with Drata
  • HIPAA Certification and Compliance Frequently Asked Questions (FAQs)

Many organizations assume they need HIPAA certification to handle protected health information (PHI), but no official HIPAA certification exists. HIPAA is a federal law, not a program with a certifying body—meaning businesses must comply by implementing security controls, maintaining proper documentation, and training employees on privacy and security rules.

For companies in healthcare and adjacent industries, HIPAA compliance is a business necessity. Failure to follow its regulations can result in fines, legal risks, and lost customer trust. 

This guide breaks down what HIPAA compliance entails, the role of third-party training and assessments, and the steps organizations must take to meet regulatory requirements. By the end, you’ll have a clear path to ensuring HIPAA compliance—without the confusion around certification.

Quick Refresh: What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law designed to safeguard sensitive patient health information. Enacted in 1996, HIPAA sets strict guidelines on how healthcare providers, insurers, and their business partners handle protected health information to prevent unauthorized access, fraud, and data breaches.

HIPAA is built around a set of rules that dictate how organizations must protect patient data:

  • Privacy Rule: Establishes a patient’s right to control their health information. It limits unnecessary data sharing, ensures individuals can access their medical records, and requires organizations to disclose how they use PHI. This rule is the foundation of patient trust in the healthcare system.

  • Security Rule: Brings the Privacy Rule into the digital sphere. It mandates safeguards like encryption, access controls, and activity logs to keep electronic PHI (ePHI) secure from cyber threats and internal misuse.

  • Breach Notification Rule: Ensures transparency when things go wrong. If PHI is compromised, affected individuals, regulators, and in some cases, the media must be informed. This rule holds organizations accountable and allows patients to take necessary precautions.

  • Enforcement Rule: Lays out the consequences of failing to comply. HIPAA violations can result in fines ranging from $100 to $50,000 per violation, with total penalties reaching millions in severe cases.

  • Omnibus Rule: Expands HIPAA’s reach by making business associates directly liable for compliance. Previously, only covered entities were held accountable, but the Omnibus Rule extends enforcement to third-party vendors handling PHI. It also strengthens patients' rights, including the ability to request electronic copies of their records and restrict disclosures to health plans for out-of-pocket payments.

HIPAA applies to covered entities like healthcare providers, health plans, and clearinghouses, as well as business associates that handle PHI on their behalf. This includes cloud service providers, billing companies, and software vendors—all of whom must meet the same security and privacy requirements.

HIPAA compliance builds a culture of security, protecting both organizations and the individuals who entrust them with their most personal information.

HIPAA Certification: What is It?

You might be searching for HIPAA certification, assuming it’s a requirement for handling protected health information. The reality is that there’s no official HIPAA certification. HIPAA is a federal law, not a certification program, meaning there is no government-issued credential that proves compliance.

Some third-party organizations offer HIPAA certification services, claiming to verify an organization’s compliance with HIPAA’s Security Rule. While these certifications can help demonstrate that a company has taken steps to meet HIPAA requirements, they do not replace legal compliance obligations. As the U.S. Department of Health and Human Services (HHS) explicitly states:

"HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such “certifications” do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation."

In other words, a third-party HIPAA certification may offer reassurance to customers and partners, but it carries no legal weight. If a data breach occurs, regulators won’t ask for a certificate—they’ll look at your security policies, risk assessments, and breach response plans.

So what can you do? While certification isn’t an option, you can still take steps to show that your organization meets HIPAA’s requirements:

  • Achieve HIPAA compliance. The real goal is compliance, not certification. This means implementing security, privacy, and breach notification safeguards that align with HIPAA’s rules. Regulators assess compliance through audits and investigations, not a formal certification process.

  • Undergo voluntary compliance assessments. Some companies opt for third-party HIPAA compliance audits to identify gaps and strengthen their security programs. These assessments build trust with customers and partners but do not replace regulatory oversight.

  • Train your workforce. Employees are often the weakest link in security. A single misstep, like sending PHI over an unencrypted email or failing to recognize a phishing attempt, can lead to a costly breach. Training should cover proper data handling, security best practices, and real-world scenarios to ensure compliance becomes second nature. Organizations must also document training efforts to prove they are actively reducing risks.

Rather than chasing a certification that doesn’t exist, focus on making HIPAA compliance part of your daily operations. A strong compliance program will do far more to protect your organization than any third-party certificate.

HIPAA Compliance Requirements

HIPAA compliance is an ongoing responsibility that requires organizations to follow strict policies, implement security safeguards, and ensure that protected health information remains confidential and secure. 

The law applies differently to healthcare providers, covered entities, and business associates, but each group must take specific actions to stay compliant.

For Healthcare Professionals and Administrators

Doctors, hospitals, clinics, and healthcare administrators play a direct role in protecting PHI. They must control who accesses patient data and ensure that information is only used for treatment, billing, or operational purposes. The HIPAA Privacy Rule requires providers to give patients a Notice of Privacy Practices (NPP) outlining how their health information is handled. 

Beyond patient communication, organizations must follow strict record retention policies and securely dispose of PHI when it’s no longer needed. Any disclosures outside of treatment, payment, or healthcare operations require patient authorization, reinforcing the importance of consent and data control.

For Covered Entities

HIPAA defines covered entities as healthcare providers, health plans, and clearinghouses that process PHI. These organizations are responsible for ensuring full compliance with both the Privacy Rule and the Security Rule. 

Maintaining compliance requires administrative, physical, and technical safeguards. Administrative measures include regular risk assessments, employee training, and internal audits to identify and address vulnerabilities. Physical safeguards protect data at the hardware level, requiring secure workstations, controlled facility access, and proper disposal methods for PHI. On the technical side, organizations must enforce data encryption, authentication controls, and system activity monitoring to detect unauthorized access. 

Additionally, covered entities must have a formal breach response plan in place. If PHI is exposed, they have to notify affected individuals, the HHS, and in some cases, the media.

For Business Associates

Organizations that handle PHI on behalf of covered entities—such as cloud storage providers, billing companies, and IT vendors—are considered business associates under HIPAA. These companies must sign a Business Associate Agreement (BAA) before they can access PHI, ensuring they are legally bound to follow HIPAA regulations. 

Business associates are required to take proactive steps to secure patient data, including implementing access controls, encrypting sensitive information, and regularly assessing their security measures. If a breach occurs, they must report it to the covered entity immediately, which then determines whether it meets the criteria for HIPAA’s Breach Notification Rule. 

HIPAA Certification Training and Education Courses

HIPAA compliance depends on people as much as it depends on policies and technology. Employees who handle protected health information need proper training to understand their responsibilities under HIPAA and avoid mistakes. While HIPAA does not mandate a specific training program, covered entities are obligated to:

  1. As stated in the HIPAA Privacy Rule, “train all members of its workforce on policies and procedures (…) as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”

  2. As stated in the HIPAA Security Rule, “implement a security awareness and training program for all members of its workforce (including management).”

Several third-party organizations and government resources offer HIPAA training, covering everything from basic compliance awareness to advanced security protocols. Below are some of the most widely recognized training providers:

HealthIT.gov

HealthIT.gov provides a comprehensive free training curriculum and Health IT Playbook designed to educate healthcare professionals, IT administrators, and educators on the intersection of health information technology (Health IT) and compliance. While not exclusively HIPAA-focused, these resources help organizations understand electronic health record (EHR) security, risk management, and regulatory compliance, including HIPAA.

Health IT Curriculum Resources for Educators: Features

  • A structured curriculum for educators to teach Health IT, privacy, and security principles.

  • Includes interactive lectures, case studies, and assessments covering EHR security, HIPAA compliance, and emerging technology risks.

  • Tailored for universities, training programs, and healthcare organizations to develop workforce knowledge.

  • Modules cover health information exchange, clinical workflows, and legal considerations for patient data management.

Health IT Playbook: Features

  • A detailed guide for healthcare providers implementing or managing health IT solutions while maintaining compliance.

  • Covers EHR adoption, patient privacy, HIPAA compliance, and cybersecurity best practices.

  • Provides real-world case studies on improving data security and reducing compliance risks.

  • Includes actionable checklists, federal guidelines, and best practices for ensuring data protection in healthcare settings.

HIPAA Training

HIPAATraining.com offers self-paced, online HIPAA training courses for individuals and organizations. Their training covers HIPAA Privacy, Security, and Breach Notification Rules for various roles, including healthcare workers, business associates, and IT professionals. Upon completion, they also provide certificates that can be used as documentation for internal compliance efforts.

Pricing varies from $29.99 for individual awareness and security training to $49.99 for training bundles to $149.99 for privacy officer training. You can purchase group training packages at discounted rates.

Features:

  • 24/7 online access to courses, allowing employees to complete training at their convenience.

  • Free retakes if employees fail the exam.

  • Customizable enterprise solutions for organizations training multiple employees.

  • Training is available for individuals, covered entities, and business associates.

HIPAA Associates

HIPAA Associates provides online HIPAA training courses for healthcare providers, business associates, and IT professionals. Their training covers HIPAA Privacy and Security Rules so that participants understand how to handle protected health information securely and in compliance with the law.

Pricing starts at $30.95 for individual HIPAA compliance courses, with specialized training available for IT professionals, business associates, and clinical trial professionals.

Features:

  • Comprehensive curriculum covering HIPAA Privacy and Security Rules.

  • Self-paced online modules allow users to complete training at their convenience.

  • Expert-led instruction designed by compliance professionals with real-world experience.

  • Completion certificates serve as proof of HIPAA training, which organizations can use for documentation and audits.

HIPAA Exams

HIPAA Exams provides International Accreditors for Continuing Education and Training (IACET)-accredited, online HIPAA training courses for individuals and businesses in the healthcare, insurance, and IT sectors. Their training covers HIPAA Privacy, Security, and Breach Notification Rules, with specialized courses for medical professionals, business associates, and IT security personnel.

Pricing starts at $24.99 for individual courses, with bundle options and corporate solutions available.

Features:

  • IACET-accredited courses, ensuring high-quality and industry-recognized training.

  • Self-paced, mobile-friendly modules accessible anytime.

  • Certificates of completion available immediately after passing the exam.

  • Custom training solutions for businesses and healthcare organizations.

American Health Training

American Health Training offers an online HIPAA Training Certification course designed for healthcare professionals, business associates, and organizations aiming to ensure compliance with HIPAA. The course is self-paced, allowing participants to complete it at their convenience, typically within 1.5 hours.

Features:

  • Participants can access the course materials anytime.

  • The course is designed to be completed at the learner's own pace, with an estimated completion time of 1.5 hours.

  • Upon successful completion, participants receive a digital certification card and document that can be downloaded or printed immediately.

  • Organizations can benefit from group enrollment discounts.

  • The course is accessible on several devices, including mobile phones and tablets, allowing for flexible learning environments.

6 Steps to HIPAA Compliance

HIPAA compliance isn’t a one-time task. Organizations handling protected health information need a structured approach to meet regulatory requirements and keep data secure. That means building a compliance program that covers everything from risk assessments to employee training. 

Here’s how to get there.

1. Assign Ownership of HIPAA Compliance

HIPAA requires organizations to safeguard patient data, but compliance doesn’t happen on its own. A dedicated compliance function—whether a single officer or a cross-functional team—helps manage policies, security measures, and internal audits. 

This group is responsible for staying on top of regulatory changes, overseeing employee training, and ensuring PHI is handled properly at every level of the organization.

2. Conduct a Risk Assessment

Every organization covered by HIPAA must perform a risk assessment to identify vulnerabilities in how PHI is accessed, stored, and transmitted. This includes reviewing physical security, employee access, IT systems, and third-party vendors. The HealthIT.gov Security Risk Assessment Tool can help organizations evaluate compliance gaps and document their findings.

Download Your HIPAA Compliance Checklist

New to HIPAA? We’ve created a HIPAA compliance checklist resource to help you kick off your compliance journey. 

Download HIPAA Compliance Checklist PDF

3. Develop Written Policies and Procedures

A strong compliance program is built on documented policies that outline how PHI is protected. This includes:

  • Access controls to determine who can view or modify PHI.

  • Incident response plans to address potential data breaches.

  • Training requirements to ensure employees understand their responsibilities.

  • Vendor agreements that hold business associates accountable for HIPAA compliance.

Policies should be reviewed regularly and updated as new risks emerge.

4. Implement Security Safeguards

HIPAA requires organizations to put administrative, physical, and technical safeguards in place to protect patient data, including:

  • Administrative safeguards: Conduct risk assessments, train employees, and enforce access controls.

  • Physical safeguards: Restrict access to workstations, secure paper records, and dispose of PHI properly.

  • Technical safeguards: Encrypt data, use multi-factor authentication (MFA), and monitor system activity.

A compliance program is only as strong as its enforcement. Security controls must be monitored and tested to confirm they’re working as intended.

5. Establish Vendor Agreements

Any third party that handles PHI—whether a cloud storage provider, IT vendor, or billing company—is considered a business associate under HIPAA. Organizations must have Business Associate Agreements (BAAs) in place before sharing PHI, outlining each party’s security responsibilities. Without a signed agreement, the covered entity could be held liable for any vendor-related HIPAA violations.

6. Have a Breach Response Plan

Even with strong security measures, breaches happen. When they do, HIPAA’s Breach Notification Rule requires organizations to act fast:

  • For breaches affecting 500+ individuals, notifications must go out to affected parties, HHS, and in some cases, the media within 60 days.

  • For smaller breaches, organizations must report incidents to HHS in an annual report.

Failure to notify the right parties on time can lead to steep fines and reputational damage. A documented incident response plan ensures that teams know how to detect, investigate, and report breaches without delay.

Automate Your HIPAA Compliance with Drata

HIPAA compliance calls for ongoing monitoring, security safeguards, and documentation. For many organizations, managing these requirements manually is both time-consuming and error-prone. 

Drata’s compliance automation platform helps you stay HIPAA-compliant with real-time security monitoring, automated evidence collection, and continuous risk assessments. Instead of tracking policies, access controls, and vendor agreements manually, you can use our automated workflows to streamline compliance efforts.

Book a demo today to see how Drata simplifies HIPAA compliance.

HIPAA Certification and Compliance Frequently Asked Questions (FAQs)

Still have questions about HIPAA certification and compliance? We answer the most common queries below.

Who Enforces HIPAA Compliance?

The U.S. Department of Health and Human Services (HHS) enforces HIPAA compliance through its Office for Civil Rights (OCR). The OCR investigates complaints, conducts compliance reviews, and issues fines for violations. State attorneys general also have the authority to bring enforcement actions for HIPAA breaches that affect residents in their states.

What's the Difference Between HIPAA Compliance and HIPAA Training Certificates?

HIPAA compliance refers to an organization-wide effort to meet HIPAA’s rules. This includes implementing security safeguards, conducting risk assessments, and training employees.

A HIPAA training certificate, on the other hand, is proof that an individual has completed HIPAA education. While training is required under HIPAA, a training certificate alone does not mean an organization is HIPAA compliant. Regulators will look for policies, security controls, and breach response plans—not just certificates—when assessing compliance.

What Are the Benefits of HIPAA Compliance Training?

HIPAA training helps prevent accidental data breaches, reduces the risk of noncompliance penalties, and ensures employees understand how to handle protected health information. Well-trained employees are less likely to fall for phishing scams, misplace records, or share PHI improperly. Regular training also helps organizations demonstrate due diligence in the event of an audit or investigation.

Can a Business be HIPAA Certified?

While HIPAA doesn't offer official certification, HITRUST provides a recognized certification that combines multiple regulatory requirements, including HIPAA, into a single, comprehensive framework. HITRUST certification integrates standards from various regulatory bodies, such as HIPAA, HITECH, GDPR, and PCI DSS, offering a holistic approach to compliance. 

This certification demonstrates an organization's commitment to robust security, data protection, and regulatory compliance. It not only streamlines the process of meeting various industry standards but also helps build trust with clients, partners, and stakeholders by showcasing a consistent commitment to safeguarding sensitive data. 

Achieving HITRUST certification requires a thorough assessment of an organization's security controls and practices, ensuring that they meet rigorous requirements for protecting personal health information and other sensitive data.

What Happens If an Organization Fails to Comply with HIPAA?

HIPAA violations can lead to significant penalties, ranging from $100 to $50,000 per violation, depending on the severity. If a breach affects 500 or more individuals, the organization must notify affected parties, HHS, and sometimes the media. Willful neglect of HIPAA rules can result in millions of dollars in fines and even criminal charges in extreme cases.
