
Do third-party entities have permission or authority to certify on behalf of CMS?

No, third-party entities do not have permission or authority to certify on behalf of the Centers for Medicare and Medicaid Services (CMS) regarding compliance with the Health Insurance Portability and Accountability Act (HIPAA) rules.

CMS is responsible for administering and enforcing the HIPAA rules for certain covered entities, such as health plans, healthcare clearinghouses, and certain healthcare providers. However, CMS does not certify or endorse any particular entity as being HIPAA compliant.


The responsibility for HIPAA compliance rests with the covered entities themselves, as well as their business associates. Covered entities and business associates are required to implement and maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of protected health information (PHI).


While third-party entities can provide assessments and audits to evaluate an entity's compliance with the HIPAA rules, they cannot provide a certification of compliance that is recognized or endorsed by CMS. Instead, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) is responsible for enforcing the HIPAA rules and investigating complaints related to potential violations of the rules.
