An Overview of a HIPAA Attestation of Compliance

If you’re in an organization that handles protected health information (PHI), you might be asked to complete a HIPAA attestation. 

What is a HIPAA attestation?

A HIPAA attestation is a statement or letter describing how your health organization handles PHI and assures compliance with the Health Insurance Portability and Accountability Act (HIPAA). It’s an important step for any organization that processes or stores PHI, including medical practitioners who need to document the information they collect from patients.

Though an attestation does not guarantee full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), it helps you demonstrate your commitment to protecting patient privacy and understanding what you must do to maintain complete confidentiality.

A HIPAA attestation is also known as a Business Associate Agreement (BAA) or Business Associate Contract (BAC).

The purpose of a HIPAA attestation

Understanding what a HIPAA attestation does and doesn’t do can help you determine if one is needed in your organization.

A HIPAA attestation confirms that you have completed the necessary steps to comply with the HIPAA Security Rule, but it does not replace the HIPAA Security Rule itself. The attestation process is required by law for all covered entities and their business associates (CEs/BAs). The attestation also provides assurance that you are aware of the requirements of HIPAA and that you have implemented policies and procedures to protect sensitive health information (SHI) from unauthorized access and disclosure.

However, a HIPAA attestation does not replace compliance with other laws and regulations, or the need for a business associate agreement (BAA). Even if you complete an attestation successfully, out-of-date business associate agreements or other unresolved issues, such as firewalls that haven't been updated yet, can still lead to repercussions later when auditors come looking for policy violations.

Also, the attestation is not intended as a substitute for an audit by an outside party. Rather, it should be used in conjunction with other forms of verification, such as an annual compliance report or third-party review.

Looking for an experienced CPA firm to certify HIPAA compliance? Contact Johanson Group today

Who writes the HIPAA attestation letter?

A HIPAA attestation statement should be made by an individual within your organization responsible for overseeing compliance with the HIPAA Security Rule.

In most cases, it will be your Privacy Officer or equivalent.

In addition to signing and reviewing the attestation, this person should also have access to all documents used to support your compliance efforts, including: 

  • policies and procedures

  • descriptions of data systems

  • information about existing business associates

  • incident reports

  • audit reports

  • consent agreements if applicable

  • any related corrective action plans or other documents that describe what you are doing about any problems identified during those reviews.

Keys to writing a HIPAA attestation of compliance

To develop an effective HIPAA attestation, every organization must take a few key steps:

  1. The statement should be written by someone familiar with your organization's policies and procedures.

  2. The statement should be reviewed by someone familiar with HIPAA regulations, such as an experienced and licensed CPA firm.

  3. The attestation should be signed by someone who has the authority to certify compliance with HIPAA regulations as stipulated by the AICPA.


In summary, it is important to understand the purpose of a HIPAA attestation and what it does not do. The statement in the HIPAA attestation should be made by an individual within your organization who has responsibility for overseeing compliance with the Security Rule. 

If you have questions about conducting a HIPAA attestation, you should seek advice from a CPA professional with experience in HIPAA compliance.
