HCISPP- HealthCare Information Security and Privacy Practitioner


The HealthCare Information Security and Privacy Practitioner (HCISPP) certification is aimed at candidates who have the core knowledge and experience needed to implement and maintain the security and privacy controls of a healthcare organization. HCISPP confirms a practitioner's knowledge of the best practices and methods used to protect organizations and sensitive health data against emerging threats and breaches.

  • The HCISPP is a certification from (ISC)², the International Information Systems Security Certification Consortium. It demonstrates expertise in the key knowledge areas of healthcare information privacy and security.
  • HCISPP is one of the more recent (ISC)² credentials, introduced in 2013.
  • The HCISPP exam places a strong emphasis on healthcare regulatory issues, data governance and risk management. Most of the material is specific to healthcare, and the exam places considerably more emphasis on privacy than on security.

Intended Audience:

The HCISPP is excellent for information security professionals entrusted with guarding protected health information (PHI), including those in the following positions:

  • Compliance Officer
  • Information Security Manager
  • Privacy Officer
  • Compliance Auditor
  • Risk Analyst
  • Medical Records Supervisor
  • Information Technology Manager
  • Privacy and Security Consultant
  • Health Information Manager
  • Practice Manager


Prerequisites are an important part of any exam, so make sure you meet the following:

  • The candidate must have a minimum of two years of work experience in the knowledge areas of the HCISPP.
  • A candidate who does not yet have the required experience can still pass the HCISPP examination and become an Associate of (ISC)². The Associate of (ISC)² then has three years to earn the two years of required experience.

Experience Required:

  • Candidates must have a minimum of two years of cumulative, paid work experience in one or more knowledge areas of the HCISPP Common Body of Knowledge (CBK), which covers security, compliance and privacy.
  • Legal experience may be substituted for compliance experience, and information management experience may be substituted for privacy experience. Of the two years of experience, at least one year must be in the healthcare industry.

HCISPP Exam Format

  • The HCISPP exam tests the core knowledge needed to implement security and privacy controls in a healthcare organization and confirms a practitioner's knowledge of best practices and methods.
  • The exam comprises 125 multiple-choice questions.
  • Candidates have 3 hours and must achieve a passing score of 700 or more points (on a scale of 1,000). The exam is available in English only.
  • The HCISPP exam fee is 195 USD.

HCISPP Exam Outline

The HCISPP exam covers a broad spectrum of topics, which keeps it relevant across the disciplines of healthcare information security and privacy, and the exam is considered quite demanding. Successful candidates are competent in the following seven domains:

Domain 1: Healthcare Industry 
  • Understanding the Healthcare Environment Components 
    • Types of Organizations in the Healthcare Sector 
    • Health Insurance 
    • Coding (e.g., International Classification of Diseases, 10th Revision (ICD-10))
    • Revenue Cycle 
    • Workflow Management 
    • Regulatory Environment 
    • Public Health Reporting 
    • Clinical Research 
    • Healthcare Records Management
  • Understanding Third-Party Relationships 
    • Vendors 
    • Business Partners 
    • Regulators 
    • Other Third-Party Relationships
  • Understanding Foundational Health Data Management Concepts
    • Information Flow and Life Cycle in the Healthcare Environments 
    • Health Data Characterization 
    • Data Interoperability and Exchange (e.g., Integrating the Healthcare Enterprise (IHE), Digital Imaging and Communications in Medicine (DICOM))
    • Legal Medical Records

(ISC)2 Reference: Healthcare Security and Privacy

Domain 2: Information Governance in Healthcare 
  • Understanding Information Governance Frameworks 
    • Security Governance 
    • Privacy Governance
  • Identifying Information Governance Roles and Responsibilities
  • Aligning Information Security and Privacy Policies, Standards and Procedures
    • Policies 
    • Standards 
    • Processes and Procedures
  • Understanding and Complying with the Code of Conduct/Ethics in a Healthcare Information Environment
    • Organizational Code of Ethics 
    • (ISC)² Code of Ethics

(ISC)2 Reference: HCISPP Experience Requirements

Domain 3: Information Technologies in Healthcare
  • Understanding the Impact of Healthcare Information Technologies on Privacy and Security 
    • Increased Exposure Affecting Confidentiality, Integrity and Availability (e.g., threat landscape)
    • Oversight and Regulatory Challenges 
    • Interoperability 
    • Information Technologies
  • Understanding Data Life Cycle Management (e.g., create, store, use, share, archive, destroy) 
  • Understanding Third-Party Connectivity 
    • Trust Models for Third-Party Interconnections 
    • Technical Standards (e.g., physical, logical, network connectivity) 
    • Connection Agreements (e.g., Memorandum of Understanding (MOU), Interconnection Security Agreements (ISAs))


Domain 4: Regulatory and Standards Environment
  • Identifying Regulatory Requirements 
    • Legal Issues that Pertain to Information Security and Privacy for Healthcare Organizations 
    • Data Breach Regulations 
    • Protected Personal and Health Information (e.g., Personally Identifiable Information (PII), Personal Health Information (PHI))
    • Jurisdiction Implications 
    • Data Subjects 
    • Research
  • Recognizing Regulations and Controls of Various Countries
    • Treaties
    • Laws and Regulations (e.g., European Union (EU) Data Protection Directive, Health Insurance Portability and Accountability Act /Health Information Technology for Economic and Clinical Health (HIPAA/HITECH), General Data Protection Regulation (GDPR), Personal Information Protection and Electronic Documents Act (PIPEDA))  
  • Understanding Compliance Frameworks 
    • Privacy Frameworks (e.g., Organization for Economic Cooperation and Development (OECD) Privacy Principles, Asia-Pacific Economic Cooperation (APEC), Generally Accepted Privacy Principles (GAPP))
    • Security Frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Common Criteria (CC))


Domain 5: Privacy and Security in Healthcare
  • Understanding Security Objectives/Attributes 
    • Confidentiality 
    • Integrity 
    • Availability
  • Understanding General Security Definitions and Concepts
    • Identity and Access Management (IAM) 
    • Data Encryption 
    • Training and Awareness 
    • Logging, Monitoring and Auditing 
    • Vulnerability Management
    • Segregation of Duties 
    • Least Privilege (Need to Know) 
    • Business Continuity (BC) 
    • Disaster Recovery (DR) 
    • System Backup and Recovery
  • Understanding General Privacy Definitions and Concepts 
    • Consent/Choice 
    • Limited Collection/Legitimate Purpose/Purpose Specification 
    • Disclosure Limitation/Transfer to Third-Parties/ Trans-border Concerns 
    • Access Limitation 
    • Accuracy, Completeness and Quality 
    • Management, Designation of Privacy Officer, Supervisor Re-authority, Processing Authorization and Accountability
    • Training and Awareness 
    • Transparency and Openness 
    • Proportionality, Use and Disclosure, and Use Limitation 
    • Access and Individual Participation 
    • Notice and Purpose Specification 
    • Events, Incidents and Breaches
  • Understanding the Relationship Between Privacy and Security
    • Dependency 
    • Integration
  • Understanding Sensitive Data and Handling 
    • Sensitivity Mitigation 
    • Categories of Sensitive Data 

(ISC)2 Reference: Privacy

Domain 6: Risk Management and Risk Assessment 
  • Understanding Enterprise Risk Management 
    • Information Asset Identification 
    • Asset Valuation 
    • Exposure 
    • Likelihood 
    • Impact 
    • Threats
    • Vulnerability 
    • Risk 
    • Controls 
    • Residual Risk 
    • Acceptance
  • Understanding Information Risk Management Framework (RMF) 
  • Understanding the Risk Management Process
    • Definition 
    • Approach (e.g., qualitative, quantitative) 
    • Intent 
    • Life Cycle/Continuous Monitoring
    • Tools/Resources/Techniques 
    • Desired Outcomes 
    • Role of Internal and External Audit/Assessment
  • Identifying Control Assessment Procedures Utilizing Organization Risk Frameworks 
  • Participating in Risk Assessment Consistent with the Role in Organization
    • Information Gathering 
    • Risk Assessment Estimated Timeline 
    • Gap Analysis
    • Mitigating Actions 
    • Avoidance 
    • Transfer
    • Acceptance
    • Communications and Reporting 
  • Understanding Risk Response 
  • Utilizing Controls to Remediate Risk 
    • Administrative 
    • Physical 
    • Technical 
  • Participating in Continuous Monitoring

(ISC)2 Reference: Risk Assessment Clarification

Domain 7: Third-Party Risk Management
  • Understanding the Definition of Third-Parties in the Healthcare Context
  • Maintaining a List of Third-Party Organizations 
    • Third-Party Role/Relationship with the Organization 
    • Health Information Use 
  • Applying Management Standards and Practices for Engaging Third-Parties 
    • Relationship Management
  • Determining When a Third-Party Assessment Is Required 
    • Organizational Standards 
    • Triggers of a Third-Party Assessment 
  • Supporting Third-Party Assessments and Audits 
    • Information Asset Protection Controls 
    • Compliance with Information Asset Protection Controls 
    • Communication of Results 
  • Participating in Third-Party Remediation Efforts
    • Risk Management Activities
    • Risk Treatment Identification
    • Corrective Action Plans 
    • Compliance Activities Documentation
  • Responding to Notifications of Security/Privacy Events 
    • Internal Processes for Incident Response 
    • Relationship Between Organization and Third-Party Incident Response 
    • Breach Recognition, Notification and Initial Response 
  • Responding to Third-Party Requests Regarding Privacy/Security Events 
    • Organizational Breach Notification Rules 
    • Organizational Information Dissemination Policies and Standards 
    • Risk Assessment Activities 
    • Chain of Custody Principles 
  • Promoting Awareness of Third-Party Requirements 
    • Information Flow Mapping and Scope 
    • Data Sensitivity and Classification 
    • Privacy and Security Requirements 
    • Risks Associated with Third-Parties

(ISC)2 Reference: Third-Party Risk Management in Healthcare

The Whole Certification Process

1. Book the Exam

Booking your (ISC)² exam is the first step toward a successful, long-term security career. Earning an (ISC)² certification validates your skills as a security professional in the eyes of hiring managers and peers.

Registering for your (ISC)² exam is straightforward. Follow the steps below:

  1. Create an account with Pearson VUE, the exclusive global administrator of all (ISC)² exams.
  2. Select the (ISC)² certification exam you are pursuing.
  3. Schedule your exam date and testing location with Pearson VUE.
2. Request for Special Accommodation

If you require special accommodations for the exam, you can request them through (ISC)².

Reasonable and appropriate accommodations are provided only to candidates who have demonstrated a need for them. If you wish to request an accommodation, complete the accommodation form and return it to (ISC)² before registering for your exam. The request must include:

  • An explanation of the accommodations you need
  • Documentation supporting the accommodation
  • The exam you want to take
  • The exam location
3. Reschedule the Exam

You can reschedule your HCISPP exam if you are unable to take it on the scheduled date and time. To reschedule or cancel your exam appointment, contact Pearson VUE:

  • Online, at least 48 hours before the exam
  • By phone, at least 24 hours before the exam

Pearson VUE charges a reschedule fee of USD $50 and a cancellation fee of USD $100.

4. Recertification of the Exam

Like every other certification, HCISPP requires maintenance: the credential must be kept in good standing to retain its status.

You can recertify by retaking the exam if you have become decertified because of:

  • Not meeting your required number of continuing professional education (CPE) credits.
  • The time limit on your endorsement expiring.

Exam Policies

(ISC)² publishes exam policies that give candidates every detail related to the certification program. Candidates studying for the HCISPP exam should read and understand these policies first. They cover procedures before and after the exam, including the exam retake process, the rules to be followed during the exam, and other information about the exams and their testing centers.

While preparing for the HCISPP exam, you are solely responsible for understanding and complying with the HCISPP exam policies, together with the exam delivery provider's policies and procedures.

For More Queries: Visit the HCISPP FAQ Page

HealthCare Information Security and Privacy (HCISPP) Practitioner Interview Questions

Now, let us look at some HealthCare Information Security and Privacy (HCISPP) Practitioner Interview Questions.


Preparation Guide for the Exam

Good preparation resources make a real difference to your chances of passing. The resources listed here will help you build a stronger foundation for the exam and improve your odds of achieving the result you want. Let's get started with the HCISPP exam guide.

1. Review all the Exam Objectives

Your first step is to review all the exam objectives. To do so, visit the official (ISC)² HCISPP page, which is the most authoritative source of information about the exam. This gives you a clear view of everything the HCISPP exam covers, so make sure to begin here.

2. Download Exam skill Outline

Next, download the exam outline from the official website. It lists all the domains and their subtopics in their current form. Do not rely on any other website for the outline: the exam is updated every few years, and the official website is the only reliable source for the version currently in force.

3. Official (ISC)² Guide to the HCISPP

The Official (ISC)² Guide to the HCISPP provides an authoritative review of the key concepts and requirements of the HCISPP. It covers all the knowledge elements needed to demonstrate competency in healthcare security and privacy across all seven domains, from Healthcare Industry to Third-Party Risk Management.

4. Official HCISPP Flash Cards

The Official HCISPP Flash Cards let candidates study anytime and anywhere. Each card gives immediate feedback on whether your answer is correct, and individual cards can be flagged for separate review. The cards are organized by domain to make learning easier.

5. Books to consider

Books remain a good way to gain and consolidate knowledge, so do not limit yourself to a single resource. We recommend the following:

  • HCISPP HealthCare Information Security and Privacy Practitioner All-in-One Exam Guide by Sean Murphy
  • Official (ISC)2 Guide to the HCISPP CBK by Steven Hernandez.

6. Join a Study Group/Online Forum

Online forums and study groups are a great way to prepare for the HCISPP exam. Feel free to get in touch with other candidates through study forums or online groups to ask questions about topics you find difficult. Joining one is optional and a matter of personal preference, but these groups help you keep pace with other people who are on the same path.

7. HCISPP Practice Tests

In the age of the Internet, practice tests have gone digital: you can take them from your living room rather than with pen and paper. Practice tests are more valuable than they may seem, so you are strongly recommended to take HCISPP practice exams and evaluate yourself.

Candidates who treat their practice tests as learning opportunities make the biggest scoring gains. Testprep Training provides practice tests designed to help you prepare thoroughly and pass the exam.