ISC2 has decided to sunset the HCISPP certification. Please do not take this training if your end goal is to get certified as HCISPP. The last date to take the HCISPP exam was Dec 1, 2023.

If you are looking to gain knowledge from the HCISPP course, feel free to register for it. If you are taking this course for HIPAA compliance, consider the CHPSE course.


HCISPP Onsite, Online, and Classroom Course

HealthCare Information Security and Privacy Practitioner (HCISPP)

HCISPP, or HealthCare Information Security and Privacy Practitioner, is a professional education course leading to a certification from the International Information Systems Security Certification Consortium (ISC2). It is intended to teach attendees the basic structures, the essential legal basis, and the security and privacy issues particular to the American healthcare delivery system. The main purpose of this course is to prepare the attendee for the ISC2 certification examination.

With the rapid growth of the healthcare industry, organizations face increasing challenges in keeping personal health information secure and protected, and so they need knowledgeable and experienced security and privacy practitioners to protect this sensitive information. HCISPP works as a line of defense in protecting such health information. The HCISPP credential confirms that a practitioner has the experience and core knowledge in privacy and security to handle personal health information with proper care and safety.

HCISPP Course Overview:

With the HCISPP certification course, you gain knowledge and experience in the privacy and security controls for personal health information in an official ISC2 certification course. Our course helps you polish your skills and knowledge related to healthcare security and prepares you for the HCISPP exam. You will also learn the legal and regulatory requirements and the security and privacy concepts for healthcare information, since it is necessary to understand your organization and how it manages its information risk assessment practices and procedures.

The training course helps candidates review and refresh their healthcare-related information security and privacy knowledge, and helps them identify the areas they need to study and focus on for the HCISPP exam. Our course is your one-source exam preparation, which includes:

  • The official guide to the HCISPP Common Body of knowledge
  • Official HCISPP FlashCards
  • Official HCISPP Training Student Handbook
  • HCISPP Certification Exam Voucher
  • Collaboration with Classmates
  • Taught by an Authorized Instructor
  • Real-world learning activities and scenarios

HCISPP Training Learning Objectives:  In-depth coverage of six domains required to pass the HCISPP exam for ISC2 certification:

  • Healthcare Industry
  • Regulatory Environment
  • Information Risk Assessment
  • Information Governance and Risk Management
  • Third-Party Risk Management
  • Security and Privacy Control in Healthcare
  • Be able to describe the associated practices, their importance, and their value to others, mainly coworkers and supervisors.
  • Be able to evaluate vulnerabilities, mitigations, risks, and trade-offs while assessing third-party sourced risks to healthcare contractual arrangements.

Our HCISPP training course prepares all its students to:

  1. Understand the diversity of the healthcare industry. To achieve this, the learner needs to gain knowledge of the different types of health organizations, with their various technologies, information, and data flows, and of how to manage and exchange data at the protection levels needed to keep it safe.
  2. Identify the relevant legal and regulatory requirements related to healthcare information. This is required in order to ensure that the policies and procedures of an organization are compliant and follow proper data exchange procedures.
  3. Describe the security and privacy concepts as they relate to the healthcare industry; learners also need to understand the relationship between security and privacy and how to handle and manage information properly.
  4. Describe risk assessment and the risk assessment procedures for an organization.
  5. Identify how organizations manage risk and what type of security and privacy governance is required.
  6. Identify the concepts for managing third-party relationships. Learners gain knowledge of the concepts governing third-party use of their information, third-party assessment, security and privacy events, and the process for addressing third-party risks.

Several different types of activities are used throughout the course to reinforce the topics and increase knowledge retention. These activities include open-ended questions from the instructor to the students, poll and matching questions, open or closed questions, group discussions, and group activities. This interactive learning technique is based on adult learning theories.

1. Healthcare Industry: In this domain, you need to understand the healthcare environment, foundational health data management, and third-party relationships.

2. Regulatory Environment: The outline of this domain is:

  • Identify the applicable regulations
  • Understand international regulations and controls
  • Understand compliance frameworks
  • Compare internal practices with new policies and procedures
  • Understand responses to risk-based decisions
  • Comply with the code of ethics in healthcare information

3. Information Risk Assessment: In this domain, you need to understand risk assessment and identify the control assessment procedures within organizational risk frameworks. You also need to participate in risk assessment consistent with your role in the organization, and make proper efforts to remediate gaps.

4. Information Governance and Risk Management:

  • Understand security and privacy governance
  • Gain knowledge of basic risk management methodology
  • Understand the information risk management life cycle and participate in risk management activities

5. Third-Party Risk Management: The course outline for this domain includes:

  1. The definition of third parties in the healthcare context
  2. Determining when a third-party assessment is required
  3. Maintaining lists of third-party organizations
  4. Supporting third-party assessments and audits
  5. Supporting the establishment of third-party connectivity
  6. Responding to notifications of privacy and security events
  7. Promoting awareness of third-party requirements, internally as well as externally
  8. Participating in remediation efforts

6. Security and Privacy Control in Healthcare: This is one of the most important domains of the course, where you need to understand the security attributes and objectives. You also need to:

  • Gain knowledge of general security concepts
  • Understand general privacy principles
  • Understand the nature of sensitive data handling implications
  • Understand the relationship between privacy and security

Course Outline for HCISPP

The draft outline for this course covers the six domains of the HCISPP as described in the ISC2 Official CBK Guide (sourcebook and accompanying text), with slide counts varying according to the quantity of information to be delivered in each domain's module. It is outlined as follows:

Introduction and Overview

Domain 1: Healthcare Industry

  • Understand the Healthcare environment
    • Types of Organizations in the Healthcare Sector (e.g. providers, pharma, payers, business associates)
    • Health Information Technology (e.g., computers, medical devices, networks, health information exchanges, Electronic Health Records [EHR], Personal Health Records [PHR])
    • Health Insurance (e.g., claims processing, payment models)
    • Coding (e.g., SNOMED CT, ICD-9/10)
    • Billing, Payment, and Reimbursement
    • Workflow Management
    • Regulatory Environment (e.g., security, privacy, oversight)
    • Public Health Reporting
    • Clinical Research (e.g., process)
    • Healthcare Records Management
  • Understand Third-party relationships
    • Vendors
    • Business Partners
    • Data Sharing
    • Regulators
  • Understand foundational health data management concepts
    • Information Flow and Life Cycle in the Healthcare Environments
    • Health Data Characterization (e.g. classification, taxonomy, analytics)
    • Data interoperability and Exchange (e.g. HL7, HIE, DICOM)
    • Legal Medical Records

Domain 2: Regulatory Environment

  • Identify applicable regulations
    • Legal issues that Pertain to Information Security and Privacy for Healthcare Organizations
    • Data Breach Regulations
    • Personally Identifiable Information
    • Information Flow Mapping
    • Jurisdiction Implications
    • Data Subjects
    • Data Owners/Controllers/Custodians/Processors
  • Understand international regulations and controls
    • Treaties (e.g., Safe Harbor)
    • Regulations
    • Industry-Specific Laws
    • Legislative (e.g., EU Data Privacy Directive, HIPAA/HITECH)
  • Compare internal practices against new policies and procedures
    • Policies (information security and privacy)
    • Standards (information security and privacy)
    • Procedures (information security and privacy)
  • Understand compliance frameworks
  • Understand responses to risk-based decision
    • Compensating Controls
    • Control Variance Documentation
    • Residual Risk Tolerance
  • Understand and comply with the Code of Conduct/Ethics in HealthCare information
    • Organizational Code of Ethics
    • (ISC)2 Code of Ethics

Domain 3: Privacy and Security in Healthcare

  • Understand security objectives/attributes
    • Confidentiality
    • Integrity
    • Availability
  • Understand general security definitions/concepts
    • Access Control
    • Data Encryption
    • Training and Awareness
    • Logging and Monitoring
    • Vulnerability Management
    • Systems Recovery
    • Segregation of Duties
    • Least Privilege (Need to Know)
    • Business Continuity
    • Data Retention and Destruction
  • Understand general privacy principles
    • Consent/Choice
    • Limited Collection/Legitimate Purpose/Purpose Specification
    • Disclosure Limitation/Transfer to Third Parties/Trans-Border Concerns
    • Access Limitation
    • Security
    • Accuracy, Completeness, Quality
    • Management, Designation of Privacy Officer, Supervisor Re-authority, Processing Authorization, Accountability
    • Transparency, Openness
    • Proportionality, Use, and Retention Use Limitation
    • Access, Individual Participation
    • Notice, Purpose Specification
    • Additional Measures for Breach Notification
  • Understand the relationship between privacy and security
    • Dependency
    • Integration
  • Understand the disparate nature of sensitive data handling implications
    • Personal and Health Information protected by Law
    • Sensitivity mitigation (e.g., de-identification, anonymization)
    • Categories of sensitive data (e.g., mental health)
  • Understand Security and Privacy Terminology Specific to Healthcare

Domain 4: Information Governance and Risk Management

  • Understand Security and Privacy Governance
    • Information governance
    • Governance structures
  • Understand basic risk management methodology
    • Approach (e.g., qualitative, quantitative)
    • Information Asset Identification
    • Asset Valuation
    • Exposure
    • Likelihood
    • Impact
    • Threats
    • Vulnerability
    • Risk
    • Controls
    • Residual Risk
    • Acceptance
  • Understand information risk management life cycles
  • Participate in risk management activities
    • Remediation Action Plans
    • Risk Treatment (e.g. mitigation/remediation, transfer, acceptance, avoidance)
    • Communications
    • Exception Handling
    • Reporting and Metrics

Domain 5: Information Risk Assessment

  • Understand risk assessment
    • Definition
    • Intent
    • Lifecycle/Continuous Monitoring
    • Tools/Resources/Techniques
    • Desired Outcomes
    • Role of Internal and External Audit/Assessment
  • Identify control assessment procedures from within organizational risk frameworks
  • Participate in risk assessment consistent with a role in the organization
    • Information Gathering
    • Risk Assessment Estimated Timeline
    • Gap Analysis
    • Corrective Action Plan
    • Mitigation Actions
  • Participate in efforts to remediate gaps
    • Types of Controls
    • Controls Related to Time

Domain 6: Third-party Risk Management

  • Understand the definition of third parties in the Healthcare context
  • Maintain a list of third-party organizations
    • Health Information Use (e.g., processing, storage, transmission)
    • Third-Party Role/Relationship With the Organization
  • Apply Third-Party Management Standards and Practices for Engaging Third Parties Based upon the relationship with the organization
    • Relationship Management
    • Comprehend Compliance Requirements
  • Determine when the third-party assessment is required
    • Organizational Standards
    • Triggers of Third-Party Assessment
  • Support third-party assessments and audits
    • Information Asset Protection Controls
    • Compliance with Information Asset Protection Controls
    • Communication of Findings
  • Respond to notifications of security/privacy events
    • Internal Process for Incident Response
    • Relationship between Organization and Third-Party Incident Response
    • Breach Recognition, Notification, and Initial Response
  • Support the establishment of third-party connectivity
    • Trust Models for Third-Party Interconnections
    • Technical Standards (e.g., physical, logical, network connectivity)
    • Connection Agreements
  • Promote awareness of the third-party requirements (internally and externally)
    • Information Flow Mapping and Scope
    • Data sensitivity and classification
    • Privacy Requirements
    • Security Requirements
    • Risks Associated with Third Parties
  • Participate in remediation efforts
    • Risk Management Activities
    • Risk Treatment Identification
    • Corrective Action Plans
    • Compliance Activities Documentation
  • Respond to third-party requests regarding privacy/security event
    • Organizational Breach Notification Rules
    • Organizational Information Dissemination Policies and Standards
    • Risk Assessment Activities
    • Chain of Custody Principles

Domain 7: Practice Questions

Who Can Attend the Course?

This training course is mainly intended for those who have at least 2 years of experience, or full-time professional work experience in one or more of the above 6 domains of the HCISPP course, and for those who are taking the HCISPP training and certification course to implement, manage, and assess the appropriate privacy and security controls for healthcare. Ideally, the candidate already holds the CISSP certification from ISC2, but it is not required in order to follow the material. The training course is ideal for those working in positions such as, but not limited to:

  • HealthCare Compliance Officers
  • Information Security Officers
  • Privacy Officers of HealthCare companies
  • Auditors
  • Risk Managers/Analysts
  • Information Technology Managers
  • Privacy and Security Consultants
  • Practice Managers
  • Medical Records Supervisors

Three learning Methods for HCISPP Credential Training:

Online Anytime HCISPP Certification Training

Many busy individuals cannot spend 4 days in classroom-based or private on-site seminars. This option is great for candidates who cannot take time off work to attend the classroom seminar. It is also the most cost-effective option.

Course Duration: 22 Hours

Cost: $1,200

Special Discount of $600 if bought with a CHPSE Package of $1700
FINAL PRICE AFTER DISCOUNT: $600 (when bought with a CHPSE package of $1700)

Additional products and services available for purchase: Official ISC2 manual: $100; two hours of instructor's time by phone: $250; CHPSE package, which includes the CHPSE course, printed manuals, and unlimited CHPSE exam attempts: $1700.

Register Now for Online Self-Paced HCISPP Certification Course

Instructor-led Classroom HCISPP Seminar

This is a 4-day class offering 8-hour sessions with breaks in between. The registration cost includes the official HCISPP manual and breakfast, lunch, and snacks during the training. This training is ideal if you are a hands-on learner, like to interact with your instructor and classmates in a live setting, or want to finish the training and exam by dedicating a full 4-5 days to them.

Cost: $2,500

Course Duration: 4-day class offered in 8-hour sessions

Register Now for Instructor-led Classroom HCISPP Course

Training Dates:

Online Live with Instructor-led Course for HCISPP Credential

This is a 4-day class offered in 5-7 hour sessions with breaks in between. You are the ONLY student with the instructor in this training. The registration cost includes the official HCISPP manual. This training is ideal if you want the convenience of staying in your office while training with the instructor and getting personalized training to meet your specific goals.

Cost: $2,800

Course Duration: 4-day class offered in 5-7 hour sessions

Register Now for Online Live with Instructor-led HCISPP Course

Customized Onsite Training for HCISPP

We offer customized on-site training that saves money and time. The program can be scheduled at your location on a date that is convenient for you. We deliver training of 4 to 5 days depending on your training goals and learning objectives. We can also combine CHPSE and HCISPP course training if needed. Our course outline is flexible and can be customized to meet your requirements.

The training program can also be tailored to meet your specific requirements ensuring that your employees gain the fundamental knowledge required to meet your organization’s specific goals and objectives of compliance and audit.

The dates for the training are flexible, based on instructor availability. Our instructors have healthcare backgrounds with many combined years of expertise in HIPAA and IT security, and are HIPAA consultants who help our clients with their compliance processes. Our training is updated for the HITECH Act and Omnibus Rule, and is regularly updated as HIPAA privacy and security rules change.

Contact us for more details to discuss which option is best suited to meet your learning objectives. Call Bob Mehta at 515-865-4591 or email

Offer Only for Past Students:

Take the online HCISPP course (22 hours, $1200) for only $600 if you have taken the CHPSE or CHSE training course through us. Ask for the coupon code.