Industry insiders say don't bother with HIPAA certs

If you've been consulting in the healthcare field, by now you are fully immersed in HIPAA. Most of our sources say you needn't bother with HIPAA certifications. Do you agree?

HIPAA certifications are designed to do one thing: separate you from your money, according to Bernard (Bernie) Cowens, vice president of security services at Rainbow eSecurity. Cowens, a Certified Information Systems Security Professional (CISSP), is a security expert with over 15 years of experience in designing, developing, managing, and protecting complex and sensitive information systems and networks. He said that every time a new technology, regulation, or fad-du-jour comes along, a certification is sure to follow. He compared many certifications to multi-level marketing.

“Once an individual gets a particular certification, it is in his or her best interest to rabidly promote that certification,” he said. “The more people who get a particular certification, the more legitimate it must be, right?”

Cowens isn’t alone in his opinion of the certifications. While consultants have seen the Health Insurance Portability and Accountability Act (HIPAA) as a potential bright spot during the past few years, several experts we contacted cast doubt on the value of HIPAA-related certifications.

The HIPAA Academy has developed three HIPAA certifications:

Certified HIPAA Associate (CHA) is a one-day course in which students examine HIPAA from the perspective of end users, such as nurses and administrators, who are responsible for delivering and supporting health-care related services.
Certified HIPAA Professional (CHP) is a three-day course for executive- and manager-level health care workers that provides a “base line to launch HIPAA implementation initiatives.”
Certified HIPAA Security Specialist (CHSS) is a two-day certification course that covers the core elements for defining the framework of HIPAA’s security compliance. Candidates must have passed the CHP exam to take the CHSS course.

A full course description for each course is available at the HIPAA Academy Web site, or at the sites of other training organizations that have partnered with the Academy to offer the courses, such as New Horizons Computer Learning Centers or Thomson Learning.

The three certs correspond with the three main components of HIPAA regulations: transaction simplification, privacy rules, and security rules. However, Cowens said that the requirements for the majority of the certifications are a subset of the skills many IT consultants already have, and most of the skills required for privacy and security certs are covered by most legitimate security consultants.

“The fact that they are only a subset of the skills necessary to properly process and safeguard private health information should raise a red flag,” he said.

Dennis Melamed agreed with Cowens, especially in the security arena. Melamed is the publisher of Health Information Privacy Alert, a trade publication focused on HIPAA and health data privacy and security issues. He said that from an IT security perspective, HIPAA certification seems unnecessary because HIPAA’s security rules simply represent general good business practices, so IT pros should just focus on more general certification in security issues.

“Security is security is security, regardless of whether it is provoked by HIPAA regulations or the market,” Melamed said. He added that “…trying to dress up resumes with ‘HIPAA-compliant’ credentials may provoke more suspicion than trust.”

Big changes for HCOs and HIPAA legislation
Because HIPAA requires healthcare organizations to rethink—and in some cases, redesign—their business processes, it takes the teamwork approach, according to George F. McNulty, a consultant with Caveo Technology Inc. in Minneapolis, MN.

“No one person can possess the knowledge to address all parts of HIPAA for an organization, and no single certificate can prepare an individual for this complex task,” McNulty said.

While the CHP, CHA, and CHSS certs are informative, they only address portions of HIPAA compliance and not the overall picture, he said. This may leave the HCOs with “a false sense of security” in their certified consultant. The consultant may be certified, but that means they probably only have experience in their area of knowledge and cannot address HIPAA compliance from the other perspectives. For example, McNulty said, there is no Electronic Data Interchange (EDI) specialist certification that’s specific to healthcare.

Additionally, McNulty said HIPAA regulations haven’t been completed and are sure to change. So, a certification can only address a “snapshot in time of the regulations.”

“To really be effective, one would have to renew their certification regularly. Something that is difficult to achieve,” McNulty said.

Acceptance by the health care industry
Richard Van Luvender is a senior instructor and product development manager at The Training Camp, an IT training company that offers the HIPAA cert courses. His view of certifications differs from those held by most of the other people we talked to. Van Luvender said that the HCA certification wouldn’t be of use to IT consultants, but that the HCP and HSCC certifications might be somewhat beneficial. However, he said a lot depends on the certifications’ reception by the health care industry.

“While the knowledge required to obtain the…certifications demonstrates…an intimate understanding of the HIPAA legislation, if the certifications remain unrecognized by the health care industry, they alone will not provide a shortcut to new opportunities for consulting,” he said.

In the end
HIPAA consultant Luba Halich, a principal at healthcare consulting firm ZoriaMed, Inc. said she’s not planning to pursue any HIPAA certifications. Instead, she plans to attend HIPAA-based conferences to learn about what others are doing. She said she believes that in the end, the certifications are “of little value” to clients.

“You can read and understand the HIPAA regulations until your head is about to burst, but can you apply them?” she asked. “Only experience and industry knowledge will allow you to apply them successfully.”

Weigh in on HIPAA certifications

Are you planning to pursue any HIPAA certifications? If so, why? If not, why not? Send us an e-mail or post your comments in the discussion below.

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

Payroll

The Best Human Resources Payroll Software of 2023

With a lot of choices in the market, we have highlighted the top six HR and payroll software options for 2023.

A computer running Windows 11. — Image: Microsoft.

Software

Windows 11 update brings Bing Chat into the taskbar

Microsoft's latest Windows 11 allows enterprises to control some of these new features, which also include Notepad, iPhone and Android news.

A software engineer works from home. — Image: tanatat/Adobe Stock

CXO

Tech jobs: No rush back to the office for software developers as salaries reach $180,000

Salaries for remote roles in software development were higher than location-bound jobs in 2022, Hired finds.

Project management process to manage and develop with resources to deliver quality product, agile development cycle, businessman project manager balance on clock juggling project management elements. — Image: Nuthawut/Adobe Stock

Software

The 10 best agile project management software for 2023

With so many agile project management software tools available, it can be overwhelming to find the best fit for you. We've compiled a list of 10 tools you can use to take advantage of agile within your organization.

A user typing a password. — Image: Song_about_summer/Adobe Stock

Security

1Password is looking to a password-free future. Here’s why

With phishing-based credentials theft on the rise, 1Password CPO Steve Won explains why the endgame is to 'eliminate’ passwords entirely.

PURPOSE This policy describes the organization’s employee privacy guidelines and outlines employee privacy expectations. From the policy: POLICY DETAILS The organization’s IT equipment, services and systems are intended for business use only. However, the organization acknowledges that staff, consultants and volunteers occasionally require opportunities to make or receive personal phone calls, access personal email, utilize ...

PURPOSE The purpose of this Security Response Policy from TechRepublic Premium is to outline the security incident response processes which must be followed. This policy will assist to identify and resolve information security incidents quickly and effectively, thus minimizing their business impact and reducing the risk of similar incidents recurring. It includes requirements for both ...

Industry insiders say don’t bother with HIPAA certs