ATG HIPAA Security Rule Alerts
Alert #7
Covered Entities Are Not Required to Certify Compliance with the Final Security Rule
There is no standard or implementation specification in the law that requires a covered entity to "certify" compliance. The "evaluation standard" (see § 164.308(a)(8)) requires covered entities to perform a periodic technical and nontechnical evaluation that establishes the extent to which an entity's security policies and procedures meet the security requirements.
The evaluation can be performed internally by the covered entity. There are also external organizations that provide evaluations or "certification" services. A covered entity may make the business decision to have an external organization perform these types of services.
It is important to note that HHS does not endorse or otherwise recognize private organizations' "certifications" and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a "certification" by an external organization does not preclude HHS from subsequently finding a security violation.
ATG's LiveVault online backup and recovery solutions can provide secure, continuous, automatic backups that produce exact, readily retrievable copies of EPHI with 100% guaranteed recovery.
THE LAW
Office of the Secretary
45 CFR Parts 160, 162, and 164
Health Insurance Reform: Security Standards; Final Rule 4717
Subpart C-Security Standards for the Protection of Electronic Protected Health Information
§ 164.308 Administrative safeguards.
(a)(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.