Don't Let Vendors Fool You. Magic Carpets (HIPAA Certified) Do Not Exist.
"HIPAA Certified" is not something a vendor can assure you they provide with the purchase of their product, because there is no such thing as "HIPAA Certified". There is no stamp, no seal, no certification... There is no spoon. What they MEAN is that their product offers all of the necessary standards and implementation specs required to allow for compliance. You still need to do the work to assure coverage in your environment. Certification is not something that can be sold, bought or processed. A SOC 2 Type II is a trending accreditation that aids in demonstrating compliance, but it's not a HIPAA certification. A Covered Entity's or Business Associate's ability to prove it meets all of the requirements of the HIPAA Security Rules relies on each organization performing a Risk Assessment and applying appropriate controls. Just because a system is capable of auditing doesn't mean you actually perform audits on authentication. You cannot know how to protect an asset until you know the risks, and where ePHI is concerned, you are required to perform that assessment. Risk is contextual; it's specific to each organization. Don't let a vendor, or your own organization, side-step the responsibility to perform a Risk Assessment by believing something is certified.