What is the HCISPP? Healthcare Information Security & Privacy Practitioner

May 13, 2017 by Aroosa Ashraf

The worldwide healthcare sector is expected to be one of the fastest-growing employers over the next 10 years. As the industry grows, so do the risks of failing to keep health information protected and the consequences when it is exposed. The need for qualified professionals with the competence to secure and protect health information is therefore increasing, and healthcare employers are looking for such personnel to help them protect vital patient information.

The HCISPP certification helps job seekers demonstrate, and employers verify, ability and commitment in the privacy and security of healthcare data.

A healthcare information security and privacy practitioner (HCISPP) is a professional who has earned the HCISPP credential from the International Information Systems Security Certification Consortium, (ISC)2. The certification identifies its holder as having expertise in the chief knowledge areas of healthcare information privacy and security. (ISC)2 is a non-profit organization that describes itself as the largest IT security organization in the world.


(ISC)2 works continuously on improving IT security practice; it created the HCISPP certification to give healthcare employers an industry-recognized standard for health information privacy and security competence.

The HCISPP examination tests six "domains," including third-party risk management, information governance, and the healthcare regulatory environment. The certification also carries an experience prerequisite: the applicant must have two years of prior work experience in a related position.

An HCISPP certification can be regarded as part of the preparation for anyone who will handle sensitive information about patient health. The credential exists because new government regulations and the growing complexity of healthcare IT resources require advanced knowledge from the people who direct IT strategy for healthcare-related businesses.

HCISPP-certified professionals are at the forefront of patient health information protection. They have the experience and foundational knowledge to protect the security and privacy of healthcare information, and they have the techniques and the credentials to protect sensitive patient data in healthcare organizations from emerging threats and breach techniques.

The healthcare industry is evolving rapidly and facing increasingly tough challenges in keeping patient health information protected from malicious attacks. The growing volume of electronic health records, new government regulations, and a more intricate IT security landscape have compounded the need to secure patient health information. There is therefore a growing need for experienced, knowledgeable, and credentialed privacy and security professionals to protect this sensitive data.

HCISPP-certified professionals form the frontline defense that protects health data. The HCISPP certification is governed by (ISC)2, a widely recognized not-for-profit organization whose credentials are often regarded as the gold standard in information security certification. An HCISPP certification confirms a professional's core knowledge and experience in controlling the security and privacy of personal health information.

Who Should Earn the HCISPP?

HCISPP professionals are regarded as being at the forefront of securing patient health information because the certification shows that its holder has foundational knowledge and experience in the privacy and security of healthcare information. It certifies knowledge of the advanced techniques and best practices a security practitioner uses to secure sensitive patient data and to protect health organizations against increasing threats and breaches. Professionals with the HCISPP certification are instrumental in job functions such as:

  • Risk analyst
  • Privacy officer
  • Privacy and security consultant
  • Practice manager
  • Medical records supervisor
  • Information technology manager
  • Information security manager
  • Health information manager
  • Compliance officer
  • Compliance auditor

Why Become an HCISPP?

The HCISPP Certification Helps Health Information Security Professionals in Many Ways:

  • It validates the knowledge, skills, experience, and commitment of a health information security professional.
  • It demonstrates the qualifications to assess, manage, and implement appropriate privacy and security measures for healthcare organizations.
  • It advances a security professional's career by certifying knowledge, competency, and experience in the best practices of health information security and privacy.
  • It enhances and differentiates a practitioner's marketability and credibility, because the credential is backed by (ISC)2, recognized globally as a gold standard in information security certification.
  • It confirms the professional's commitment to sustaining competence in the most current health security practices.

HCISPPs Can Help Employers By:

  • Solidifying the frontline defense against malicious attacks on sensitive healthcare information.
  • Demonstrating the organization's proactive commitment to minimizing the risk of data breaches.
  • Increasing the confidence of patients and of staff within the organization.
  • Mitigating the risk of exchanging protected health information (PHI) with third parties, particularly those that also employ HCISPPs.
  • Increasing the organization's credibility when working with vendors and clients.
  • Ensuring that security and privacy staff keep their knowledge up to date, since HCISPPs must meet an ongoing CPE credit requirement.

HCISPPs Are Essential for Health Information Security

It is important to solidify a frontline defense system with the help of qualified, credentialed, and experienced healthcare information security professionals. HCISPPs are helpful for various healthcare organizations, including:

  • Regulatory agencies
  • Privacy and security consulting firms
  • Hospitals
  • Health clearinghouses
  • Health centers and clinics
  • Group practices
  • Claims processors

Experience Needed to Be an HCISPP

HCISPP candidates must have at least two years of work experience in one or more of the credential's knowledge areas: privacy, compliance, and security. Legal experience may be substituted for compliance experience, and information management experience may be substituted for privacy experience. Of the two years, at least one year must have been gained in the healthcare industry.

The Six Domains of the HCISPP CBK

Healthcare Industry

Understanding the diversity of the healthcare industry, the types of technology involved, how information flows, and the levels of protection required.

  • Third-party relationships
  • Healthcare environment
  • Health data management concepts

Regulatory Environment

Identifying and understanding the applicable legal and regulatory requirements, and ensuring that organizational policies and compliance procedures meet them.

  • International regulations and controls
  • Internal practices compared to new policies and procedures
  • Compliance frameworks, generally accepted privacy principles
  • Applicable regulations

Privacy & Security in Healthcare

Providing a basic understanding of the concepts and principles of healthcare security and privacy, and of the types of information that must be protected.

  • Security objectives/attributes
  • Relationship between privacy and security
  • General security concepts
  • General privacy principles
  • Disparate nature of sensitive information and its implications

Information Governance and Risk Management

How organizations manage information risk through security and privacy governance, the information risk management lifecycle, and the principal risk management activities a practitioner is expected to support.

  • Security & privacy governance
  • Risk management activities
  • Information risk management lifecycles
  • Basic risk management methodology

Information Risk Assessment

Understanding the concept of risk assessment, and identifying and participating in risk assessment practices and processes.

  • Understand risk assessment
  • Risk assessment consistent with the role
  • Identifying the control assessment procedures
  • Efforts to remediate gaps

Third-Party Risk Management

Identifying appropriate uses of information by third parties, helping to manage third-party relationships, and determining when additional security and privacy assurances are required.

  • Third-party requirements
  • Third-party management standards
  • Third-party connectivity
  • Third-party assessments & audits
  • Security/privacy events
  • Remediation efforts
  • Healthcare definition of the third parties

Associate of (ISC)2: Earning the Credential While Gaining Experience

For new graduates and other candidates who have the required knowledge but not the two years of experience needed to qualify for the HCISPP credential, (ISC)2 offers the status of "Associate of (ISC)2" to anyone who passes the HCISPP examination. This status is particularly useful to information security professionals who have experience in other domains and want to move into healthcare. It also helps knowledgeable graduates who, after passing the examination, subscribe to the (ISC)2 code of ethics and set out to earn the two years of experience. These candidates are awarded the HCISPP credential once they provide proof of that experience. However, the two years of experience must be gained within three years of passing the examination.

Associates pay an annual maintenance fee of US$35 and must earn CPE credits every year after passing the examination to remain in good standing.

The HCISPP Certification Requirements

Over the years, concerns about the privacy and security of personal health information have grown rapidly. Countries around the world have treated the issue as a priority and have tried to strengthen security and privacy controls through regulations, laws, and best practices, yet the number of breaches has not fallen much. Regulators now impose severe penalties, including heavy fines and, in some cases, criminal prosecution. The risk borne by entities that handle patient health information has therefore increased tremendously, which in turn demands more meticulous and robust efforts from the healthcare industry to protect sensitive patient information.

Electronic health records make the task of protecting data even more challenging and complex. Advances in technology, while they have greatly benefited health care, have also accelerated the exposure of information to malicious hands. Yet even as new technology raises the risk to the organization, human error remains a leading cause of PHI breaches. Healthcare employers around the world have therefore started to recognize the importance of mitigating risk by improving how they hire and train information security professionals, so that security and privacy staff are qualified to perform their jobs well. As of this writing, (ISC)2 positions the HCISPP as the only credentialing program dedicated to validating the qualifications, skills, and knowledge of a health information security professional.

Passing the HCISPP Examination

The HCISPP examination comprises 125 multiple-choice questions, each with four options. The examination lasts three hours, and you must score 700 or more out of 1,000 scaled points to pass.

Endorsement Process Completion

After passing the HCISPP examination, you must subscribe to the (ISC)2 code of ethics and have your application endorsed before the credential is awarded. Unless you can provide attested proof of your two years of experience, you become an Associate of (ISC)2 instead. The endorsement must be completed within nine months of passing the examination; otherwise you must retake the exam to be certified.

Maintaining the HCISPP Certification

Every three years, HCISPPs must recertify by meeting all of the following renewal requirements:

  • Earning and submitting a minimum of 20 CPE credits in each year of the three-year certification cycle
  • Accumulating a total of 60 CPE credits by the end of the three-year certification cycle
  • Paying the annual maintenance fee of US$65 in each year of the three-year cycle, for a total of US$195 over three years
  • Abiding by the (ISC)2 Code of Ethics



Aroosa Ashraf

Aroosa Ashraf is a trained and registered pharmacist from the Government College University of Faisalabad (GCUF). She graduated in 2013. She is an experienced researcher and technical writer and has been working as a writer on various platforms for the last four years. She currently writes technical and non-technical articles for national and international clients.