What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996, a US federal law. People reach for the name to mean "the rules about protecting health data," and that is the part most software teams deal with: HIPAA sets out how health information must be safeguarded, who is responsible for safeguarding it, and what has to happen when it is exposed.
The first thing to be clear about is what HIPAA is not. It is not a certification. The US Department of Health and Human Services (HHS) does not issue a HIPAA certificate, and no government body audits you and stamps you "compliant." You determine your own compliance against the law, and you have to be able to demonstrate it if asked. Anyone selling you a "HIPAA certified" badge is selling their own attestation, not a government one — and the law itself has no such thing.
What does exist is enforcement. The HHS Office for Civil Rights (OCR) investigates complaints and reported breaches, conducts audits, and can impose civil monetary penalties. So the practical bar is not "did you pass an exam" but "if OCR looked, could you show that you take this seriously and have the safeguards and records to prove it."
"Compliant" vs "certified"
These get used loosely, so it is worth being precise. There is no official HIPAA certification, so a vendor cannot truthfully claim to be "HIPAA certified" the way one can be ISO 27001 certified. What organizations can do is be, and demonstrate that they are, HIPAA compliant: covered by the right agreements, running the required safeguards, and holding the documentation that shows it. Third parties sometimes offer their own HIPAA attestations or training, which can be useful, but none of them is a government certificate and none of them replaces your own obligation under the law.