undefined | Better HN

0 pointsmanv13y ago0 comments

Well, HIPAA can be self-certified, but that probably won't stand up in court so most organizations will pay a third-party provider to perform the certification for them. That also lets you see the gaps, because HIPAA is big.

Here's AWS's list of HIPAA-eligible services. HIPAA-eligible is technology provider specific:

https://aws.amazon.com/compliance/hipaa-eligible-services-re...

Here's google's:

https://cloud.google.com/security/compliance/hipaa-complianc...

In general it means that the service may not be HIPAA compliant by default, but can be configured to be HIPAA compliant.

HITRUST is something else and it outside the scope of this discussion IMO. Not sure why you brought that up.

0 comments

dragonwriter3y ago

> Well, HIPAA can be self-certified, but that probably won't stand up in court

The is no certification requirement, so there is nothing to ”stand up in court”. Straight from the horse's mouth:

Are we required to “certify” our organization’s compliance with the standards of the Security Rule?

Answer: No, there is no standard or implementation specification that requires a covered entity to “certify” compliance.

https://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-...

j / k navigate · click thread line to collapse