by manv1 1196 days ago
Well, HIPAA can be self-certified, but that probably won't stand up in court so most organizations will pay a third-party provider to perform the certification for them. That also lets you see the gaps, because HIPAA is big.

Here's AWS's list of HIPAA-eligible services. HIPAA-eligible is technology provider specific:

https://aws.amazon.com/compliance/hipaa-eligible-services-re...

Here's google's:

https://cloud.google.com/security/compliance/hipaa-complianc...

In general it means that the service may not be HIPAA compliant by default, but can be configured to be HIPAA compliant.

HITRUST is something else and it is outside the scope of this discussion IMO. Not sure why you brought that up.

1 comments

> Well, HIPAA can be self-certified, but that probably won't stand up in court

There is no certification requirement, so there is nothing to "stand up in court". Straight from the horse's mouth:

Are we required to “certify” our organization’s compliance with the standards of the Security Rule?

Answer: No, there is no standard or implementation specification that requires a covered entity to “certify” compliance.

https://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-...