Why would a Microsoft Certified Professional benefit from becoming a Certified HIPAA Privacy Security Expert? Over the last 5 years, the healthcare industry has gone through major changes in the way it uses technology through the HITECH act of 2009. With the introduction of Electronic Health Records (EHR), Health Information Exchanges (HIE), Patient portals, electronic prescribing, electronic laboratory and radiology order and results. This has made the Healthcare IT staff very busy implementing this technology and at the same time keeping up with all of the regulatory rules and new laws on how the technology has to be implemented. The biggest regulatory change has come by the way of HIPAA. HIPAA has sharpened its teeth since 2009 with very specific rules and requirements for IT departments and how to handle PHI (Protected Health Information) and PII (Personal Identifiable Information). An IT department with little or no knowledge of the HIPAA guidelines is placing its self and its organization in very severe risk, both financial and reputational.
HIPAA has two parts to its regulations, privacy, and security. The security side is very specific to IT and how technology needs to be protected. HIPAA Security requires Administrative, Physical, and Technical safeguards. Under the technical safeguards, there are very specific requirements that every IT professional in Healthcare must pay attention to. This doesn’t just apply to the IT department at a hospital or medical group. Just being a vendor with a healthcare entity (Covered Entity under HIPAA) classifies your company as a Business Associate (BA). Being a vendor or BA in the Healthcare industry holds the company and the staff at the same requirements and accountability for HIPAA compliance as a hospital or medical group. The same penalties and criminal prosecution apply to a business associate as well. The fines are very heavy, 1.5 million per incident can be accessed by either an organization or individual. Even if the organization has proper policies and procedures in place and a member of the IT department doesn’t follow the policies the individual could be found guilty of willful neglect. The Office of Civil Rights can fine this individual directly and the organization cannot cover these fines or have their insurance cover them.
I would like to use my personal career as an example of why it’s important for an MCP to become a CHPSE. I started my IT career out in 1995 working for a real estate investment trust company (REIT) and quickly obtained my MCP in 1997. My second IT job was for a large medical group in the Bay Area. This was the late 90’s and electronic medical records were not a widely adopted technology but my medical group decided to implement this. Back then there were not as many technical requirements for patient privacy. But this technology and its possibilities to improve patient care and safety quickly piqued my interest. In 2000 I moved to Southern California to start my own company. This was during the dot com heyday and startups were popping up everywhere. I started a broadband company that specialized in bringing high-speed internet to residential and commercial properties that did not have any broadband options. After I sold my company in 2003 I was eager to get back to the Healthcare industry and see if the technology had advanced any further. I was surprised to find that there was not much movement. I started working for another large multi-specialty medical group in Orange County. This group had not deployed an EHR yet but was discussing this at the board level. In 2009 the HITECH legislation was passed which incentivized a healthcare provider to adopt an EHR and it would receive incentive money for each year they attested for a 5 year period to using an EHR in a meaningful way. This also allowed them to avoid future penalties. This program was called meaningful use. I was instantly intrigued about this initiative and started reading more about it. One of the components of meaningful use was that HIPAA policies and procedures needed to be in place and the practice needed to perform a risk assessment. I started researching what was involved in a risk assessment and started to learn more about the new HIPAA guidelines. At the same time, a colleague and mentor of mine took me to lunch and told me that I should start learning more about HIPAA and that healthcare security is going to be in huge demand with all of the technology being introduced into the marketplace.
I signed up for the CHPSE (Certified HIPAA Privacy Security Expert) program through hipaatraining.net and then took my exam in 2010. I never realized at the time how this would change the direction of my career. With this newfound knowledge of HIPAA, I was quickly promoted to the Director of IT and made the HIPAA Security Officer. I quickly formed a security committee and wrote the HIPAA policy and procedures for the organization. In 2013 my medical group was acquired by a large health system and I was moved over as a director but did not have the same level of responsibility I had at my medical group and decided to accept a job as the Senior Director of Healthcare Information Services for a national RCM and Hosting provider. This position oversees a national hosting center for EHR and PM hosted access. With my passion for security, I have furthered my certification by achieving my HCISPP (Healthcare Information Security and Privacy Practitioner) and am currently enrolled in the Certified Ethical Hacker (CEH) program. Besides using my security and IT knowledge in healthcare I am involved with both federal and local law enforcement agencies in assisting law enforcement in the fight against cybercrime and privacy protection.
My advice to any IT professional in healthcare is to seek out further education regarding HIPAA and specific security certifications. So the answer to the question, why is it important for an MCP to obtain the CHPSE certification is personally it can further your career in a very lucrative and exciting industry. It will also aid you in making the right decisions when implementing new technology in healthcare, keeping the patient’s privacy at the front of every decision. This lowers your risk of a data breach and protects your organization from harm as well. Allowing you to become a member of a very important community protecting the American population’s personal and protected HealthCare information.
Scott T. Nichols, HCISPP, CHPSE, MCP