HealthCare Information Security & Privacy Practitioner
  • What You Will Learn

    This Healthcare Information Security and Privacy Practitioner (HCISPP) certification preparation program is open to individuals involved in implementing, managing, or assessing security and privacy controls that address the unique data protection needs of healthcare information. HCISPPs are the practitioners whose foundational knowledge and experience unite healthcare information security and privacy best practices and techniques under one credential to protect organizations and sensitive patient data against emerging threats and breaches. HCISPPs are instrumental to a variety of employers, including hospitals, health centers and clinics, group medical practices, claims processors, and regulatory agencies.

    PRICE: $5,500
  • Course Details

    Course Duration

    12 weeks, 15 hours a week

    Credit to be Awarded

    HealthCare Information Security & Privacy Practitioner (HCISPP) Certification

    Learning method

    “Blended”

  • Prerequisites

    General Requirement

    Students must be 18 years of age and possess a high school diploma, General Equivalency Diploma (GED), or Home School Diploma.

    ISC2 Organization Certification Recommendations/Prerequisites

    HCISPP certification candidates must have a minimum of two years of cumulative paid full-time work experience in one domain of the credential, with the exception that one year of the cumulative experience must be in any combination of the first three healthcare domains (Healthcare Industry, Regulatory Environment, and Privacy and Security in Healthcare). The remaining one year of experience may be in any of the remaining three HCISPP domains (Information Governance and Risk Management, Information Risk Assessment, and Third-Party Risk Management) and does not have to be related to the healthcare industry.

    If students don’t have the required work experience, they may still sit for the exam and become an Associate of (ISC)² upon successfully passing the HCISPP exam. Associates of (ISC)² will then be able to become HCISPP certified once the required work experience has been completed.

    ISC2 Organization Certification Exam Requirements

    To be certified, students must complete the certification exam with a minimum passing grade of 700 or higher on a scale of 1000, within the allotted 3-hour timeframe, on the 125-question exam. Once students are notified that they have successfully passed the examination, they will be required to subscribe to the (ISC)² Code of Ethics and have their application endorsed before the credential can be awarded. An endorsement form for this purpose must be completed and signed by an (ISC)² certified professional who is an active member and who is able to attest to the candidate's professional experience.

  • Outline

    1. Healthcare Industry
    2. Regulatory Environment
    3. Privacy and Security in Healthcare
    4. Information Governance and Risk Management, and Information Risk Assessment
    5. Third-Party Risk Management
  • Module Group 1

    Healthcare Industry

    • Topic A: Understand the Healthcare Environment
    • Topic B: Understand Third-Party Relationships
    • Topic C: Understand Foundational Health Data Management Concepts
  • Module Group 2

    Regulatory Environment

    • Topic A: Identify Applicable Regulations
    • Topic B: Understand International Regulations and Controls
    • Topic C: Compare Internal Practices Against New Policies and Procedures
    • Topic D: Understand Compliance Frameworks (e.g., ISO, NIST, Common Criteria, IG Toolkit, Generally Accepted Privacy Principles [GAPP])
    • Topic E: Understand Responses for Risk-Based Decision
    • Topic F: Understand and Comply with Code of Conduct/Ethics in a Healthcare Information Environment
  • Module Group 3

    Privacy and Security in Healthcare

    • Topic A: Understand Security Objectives/Attributes
    • Topic B: Understand General Security Definitions/Concepts
    • Topic C: Understand General Privacy Principles (e.g., OECD Privacy Principles, GAPP, PIPEDA, UK Data Protection Act 1998)
    • Topic D: Understand the Relationship Between Privacy and Security
    • Topic E: Understand the Disparate Nature of Sensitive Data and Handling Implications
  • Module Group 4

    Information Governance and Risk Management, and Information Risk Assessment

    • Topic A: Understand Security and Privacy Governance
    • Topic B: Understand Basic Risk Management Methodology
    • Topic C: Understand Information Risk Management Life Cycles (e.g., NIST, CMS, ISO)
    • Topic D: Participate in Risk Management Activities
    • Topic E: Understand Risk Assessment
    • Topic F: Identify Control Assessment Procedures from Within Organization Risk Frameworks
    • Topic G: Participate in Risk Assessment Consistent with Role in Organization
    • Topic H: Participate in Efforts to Remediate Gaps
  • Module Group 5

    Third-Party Risk Management

    • Topic A: Understand the Definition of Third Parties in Healthcare Context
    • Topic B: Maintain a List of Third-Party Organizations
    • Topic C: Apply Third-Party Management Standards and Practices for Engaging Third Parties Based Upon the Relationship with the Organization
    • Topic D: Determine When Third-Party Assessment Is Required
    • Topic E: Support Third-Party Assessments and Audits
    • Topic F: Respond to Notifications of Security/Privacy Events
    • Topic G: Support Establishment of Third-Party Connectivity
    • Topic H: Promote Awareness of the Third-Party Requirements (internally and externally)
    • Topic I: Participate in Remediation Efforts
    • Topic J: Respond to Third-Party Requests Regarding Privacy/Security Events