HIPAA certifications are designed to do one thing: separate you from your money, according to Bernard (Bernie) Cowens, vice president of security services at Rainbow eSecurity. Cowens, a Certified Information Systems Security Professional (CISSP), is a security expert with over 15 years of experience in designing, developing, managing, and protecting complex and sensitive information systems and networks. He said that every time a new technology, regulation, or fad-du-jour comes along, a certification is sure to follow. He compared many certifications to multi-level marketing.
“Once an individual gets a particular certification, it is in his or her best interest to rabidly promote that certification,” he said. “The more people who get a particular certification, the more legitimate it must be, right?”
Cowens isn’t alone in his opinion of the certifications. While consultants have seen the Health Insurance Portability and Accountability Act (HIPAA) as a potential bright spot during the past few years, several experts we contacted cast doubt on the value of HIPAA-related certifications.
The HIPAA Academy has developed three HIPAA certifications:
- Certified HIPAA Associate (CHA) is a one-day course in which students examine HIPAA from the perspective of end users, such as nurses and administrators, who are responsible for delivering and supporting health-care related services.
- Certified HIPAA Professional (CHP) is a three-day course for executive- and manager-level health care workers that provides a “base line to launch HIPAA implementation initiatives.”
- Certified HIPAA Security Specialist (CHSS) is a two-day certification course that covers the core elements for defining the framework of HIPAA’s security compliance. Candidates must have passed the CHP exam to take the CHSS course.
A full course description for each course is available at the HIPAA Academy Web site, or at the sites of other training organizations that have partnered with the Academy to offer the courses, such as New Horizons Computer Learning Centers or Thomson Learning.
The three certs correspond with the three main components of HIPAA regulations: transaction simplification, privacy rules, and security rules. However, Cowens said that the requirements for the majority of the certifications are a subset of the skills many IT consultants already have, and most of the skills required for privacy and security certs are covered by most legitimate security consultants.
“The fact that they are only a subset of the skills necessary to properly process and safeguard private health information should raise a red flag,” he said.
Dennis Melamed agreed with Cowens, especially in the security arena. Melamed is the publisher of Health Information Privacy Alert, a trade publication focused on HIPAA and health data privacy and security issues. He said that from an IT security perspective, HIPAA certification seems unnecessary because HIPAA’s security rules simply represent general good business practices, so IT pros should just focus on more general certification in security issues.
“Security is security is security, regardless of whether it is provoked by HIPAA regulations or the market,” Melamed said. He added that “…trying to dress up resumes with ‘HIPAA-compliant’ credentials may provoke more suspicion than trust.”
Big changes for HCOs and HIPAA legislation
Because HIPAA requires healthcare organizations to rethink—and in some cases, redesign—their business processes, it takes the teamwork approach, according to George F. McNulty, a consultant with Caveo Technology Inc. in Minneapolis, MN.
“No one person can possess the knowledge to address all parts of HIPAA for an organization, and no single certificate can prepare an individual for this complex task,” McNulty said.
While the CHP, CHA, and CHSS certs are informative, they only address portions of HIPAA compliance and not the overall picture, he said. This may leave the HCOs with “a false sense of security” in their certified consultant. The consultant may be certified, but that means they probably only have experience in their area of knowledge and cannot address HIPAA compliance from the other perspectives. For example, McNulty said, there is no Electronic Data Interchange (EDI) specialist certification that’s specific to healthcare.
Additionally, McNulty said HIPAA regulations haven’t been completed and are sure to change. So, a certification can only address a “snapshot in time of the regulations.”
“To really be effective, one would have to renew their certification regularly. Something that is difficult to achieve,” McNulty said.
Acceptance by the health care industry
Richard Van Luvender is a senior instructor and product development manager at The Training Camp, an IT training company that offers the HIPAA cert courses. His view of certifications differs from those held by most of the other people we talked to. Van Luvender said that the HCA certification wouldn’t be of use to IT consultants, but that the HCP and HSCC certifications might be somewhat beneficial. However, he said a lot depends on the certifications’ reception by the health care industry.
“While the knowledge required to obtain the…certifications demonstrates…an intimate understanding of the HIPAA legislation, if the certifications remain unrecognized by the health care industry, they alone will not provide a shortcut to new opportunities for consulting,” he said.
In the end
HIPAA consultant Luba Halich, a principal at healthcare consulting firm ZoriaMed, Inc. said she’s not planning to pursue any HIPAA certifications. Instead, she plans to attend HIPAA-based conferences to learn about what others are doing. She said she believes that in the end, the certifications are “of little value” to clients.
“You can read and understand the HIPAA regulations until your head is about to burst, but can you apply them?” she asked. “Only experience and industry knowledge will allow you to apply them successfully.”
Weigh in on HIPAA certifications
Are you planning to pursue any HIPAA certifications? If so, why? If not, why not? Send us an e-mail or post your comments in the discussion below.