Should You Be HIPAA Certified?

In some industries, professional certifications have become almost a prerequisite for employment. The CPA (Certified Public Accountant), CTP (Certified Treasury Professional), and CHFP (Certified Healthcare Financial Professional), among other designations, indicate a standard of industry expertise that is meaningful to colleagues and prospective employers.

As implementation of HIPAA progresses, and the body of knowledge comprising HIPAA "expertise" solidifies, new certificates for professionals are now available. Should you be "HIPAA certified"?

The HIPAA Academy governs the standards for the CHP (Certified HIPAA Professional) and CHSS (Certified HIPAA Security Specialist) certifications. The HIPAA Academy also offers two other certifications: CHA (Certified HIPAA Administrator) and CSCS (Certified Security Compliance Specialist). The CSCS is new in the 3rd quarter of 2006 and extends into other major security arenas, such as SOX, ISO 17799, FISMA, and general security best practices. Although other organizations offer HIPAA certificates, the HIPAA Academy, having been selected to provide training for several large federal agencies, is certainly at the forefront of HIPAA training providers.

Ken Robinson, PNC’s Medical Privacy Officer and manager of PNC's HIPAA compliance program, comments on why PNC selected the HIPAA Academy's certification program. "The HIPAA Academy offered the most comprehensive certifications, including on-site classroom training. In addition, The HIPAA Academy is a certified partner for our network security software vendor. Other organizations that offer individual HIPAA certifications seem to focus primarily on either security or privacy. The HIPAA Academy certifications encompass HIPAA transactions, privacy and security."

In the healthcare industry, HIPAA certification is becoming more and more important. For financial services companies such as banks, HIPAA certification is a relatively new idea. Many financial institutions do not offer the full range of healthcare revenue cycle services that PNC offers, focusing primarily on facilitating payments. However, as more financial institutions offer healthcare transaction services, HIPAA certification may be one way to measure industry expertise and long-term commitment to the industry.

Should you be HIPAA certified? And, if so, what designation should you pursue? Providers of direct patient service (nurses, administrators, physicians and provider/subscriber relations professionals at health insurance companies) most likely would pursue the CHA certification. Those responsible for privacy/security compliance should consider the CHP/CHSS certifications. Those responsible for auditing would probably find value in studying for the CSCS certification.

What makes HIPAA certification different from the training on physical and information security already required by most companies? Robinson opines: "The objectives of the two HIPAA certifications are considerably different from the objectives of the training that all PNC employees receive. Most physical and information security training programs for employees focus primarily on awareness. HIPAA certification focuses both on knowledge of requirements and on creation of an appropriate infrastructure to support HIPAA privacy and security requirements. For example, one component of HIPAA compliance is to ensure that our employees are effectively trained. Other components include having effective policies and procedures, an information security program, a physical security program and a risk management program in place to ensure the availability, integrity and confidentiality of healthcare data processed by PNC in all formats."

What benefits can your company expect to realize as a result of having a Certified HIPAA Professional/Security Specialist on staff? Certainly, having a subject matter expert in-house can help senior management, auditors and others who need to ensure corporate HIPAA compliance. In addition, including a HIPAA expert as part of the corporate risk management team helps to ensure that all requirements related to health information are considered. For example, PNC has a special procedure for handling requests for disclosure of Protected Health Information (PHI), versus other routine requests for banking information. Finally, having a Certified HIPAA Professional on staff reassures clients and business partners that your company takes HIPAA compliance seriously.