Trade groups representing computer professionals and medical information managers are joining forces to define the body of knowledge and experience expected of people charged with ensuring the security and privacy of sensitive patient data in healthcare settings.
The collaborative effort addresses the need for hospitals, physician offices and other healthcare organizations to designate a privacy official and identify a central point of security control under separate provisions of the Health Insurance Portability and Accountability Act of 1996.
Under an arrangement announced late last month, the American Health Information Management Association will develop a formal certification program for privacy officers, while the Healthcare Information and Management Systems Society will handle certification of security officers.
About 30% of the certification requirements will be common to both, recognizing that privacy officers need to understand the basics of security technology while security professionals must be versed in the medical-records confidentiality issues they're trying to resolve, said Stephen Lieber, HIMSS president and chief executive officer.
In addition, the two organizations will jointly offer a combined certification covering both disciplines, particularly for small businesses and physician practices. "In many instances the privacy officer and security officer is the same person," Lieber said.
The requirement to designate a privacy officer is included in HIPAA regulations that go into effect in April 2003. Security regulations proposed in 1998 include establishing a central authority for security functions.
HIPAA's final security mandate has not been published, but industry experts expect the final regulations to contain the security-officer provision.
With regulations calling for such officers, AHIMA and HIMSS sought to crystallize hiring objectives for healthcare executives, said Linda Kloss, AHIMA executive vice president and CEO. Besides providing guidance in hiring, certification will enable professionals to measure their competence and market themselves as a known quantity, Kloss said.
Most healthcare organizations, recognizing the importance of privacy and security issues, already have assigned responsibility for these areas to certain employees. But HIPAA introduces a broader scope of responsibility requiring expanded skills and functions, and both officers and employers have to understand what goes into performing essentially a different role in the organization, Kloss said.
In a HIMSS survey last January of 500 members in its HIPAA special-interest group, 65% said they would be interested in pursuing certification, and 85% said it would enhance their credibility with employers looking for clues that they're making the right hiring decisions, Lieber said. "It does establish their knowledge base and credibility," he said. "An assumption can be made about what they know." About 35% of the organizations represented in the HIMSS poll already had hired a security officer.
Certification guides listing the competencies measured in an examination will be published in June, Kloss said. AHIMA will begin administering the privacy exam in the fall, and HIMSS will begin to administer the security exam at its annual conference and exhibition in February 2003. The combined privacy-security exam also will be offered next February.
The combined expense of developing the programs is expected to total $150,000 in 2002 with little revenue to offset it, Kloss said.
The trade groups project they will break even in 2003 and net $100,000 each in 2004 on the programs.