HIPAA certification business for software vendors a good idea?

A reader recently asked:

Is there a group that ‘hipaa certifies’ online healthcare vendors/providers as Verisign does for security? It would be a neat business idea because I keep reading stats about 50% or lower compliance levels.

While I do lots of HIPAA work, I thought I’d invite a buddy of mine who knows even more about the subject to respond to the question. Bob Burns, who’s been working on healthcare IT systems for almost as long as I’ve been alive [he’s gonna kill me for saying that ;-)], wrote back:

I don’t know of any agency that is granting any such “licenses” or certification. There are companies that offer to certify folks as CHP (Certified HIPAA Professional) and the like but they have no official standing. Verisign got its trust by offering certificates and authority in the early days of the Internet. And, it’s pretty easy to create, sign, and authenticate digital certificates for browsers. However, it might be difficult to replicate their success in our industry given the complexity of the solutions that HIPAA covers. Having vendors be HIPAA certified is a good idea, but I am not sure how you would get any standing. HHS is not going to do it, perhaps an affiliation with JCAHO. I guess we could replicate what has already been done and just issue a certificate on our own and assert its accuracy.

What do you think about the idea of a HIPAA certification authority? Is such a thing even possible? If you’re a software vendor, would you use the service?