Cashing In on HIPAA

IT pros need health care industry experience, not just certs, to land jobs.

When Julie Harris, IT director for Iowa's Keokuk County, attended HIPAA Academy classes in January to achieve certification as a Certified HIPAA Professional, she was surprised to find herself surrounded by career changers, many of them IT professionals looking to retool themselves as health care experts.

Maybe she shouldn't have been. At a time when IT jobs are scarce, spending needed to bring health care companies into compliance with the Health Insurance Portability and Accountability Act is growing. And to many underemployed IT pros, that suggests one thing: jobs.

According to Wes Rishel, an analyst with Gartner Inc.'s Healthcare practice, the average annual budget allocated by health care providers for HIPAA compliance is $1.4 million, with the total cost of compliance estimated at an average $5.7 million. Health care organizations on average are spending 21 percent of those budgets on consultants and 29 percent on internal personnel.

To help IT professionals get up to speed on HIPAA and cash in on possible jobs, training providers are stepping up to the plate. New Horizons Computer Learning Centers Inc., of Santa Ana, Calif., recently announced it is offering training to prepare students for HIPAA compliance certification exams administered by HIPAA Academy.

But can such training prepare a generic IT worker for the highly specialized work of HIPAA remediation? And, even if it can, will the jobs be there over the long term?

Harris said she thinks the answer to the second question is no. "I think they're blowing it way out of proportion," said Harris, in Sigourney, Iowa. "The initial [stages of HIPAA] will be a lot of work, but maintaining it should not take that much besides looking over procedures, [similar to Y2K remediation work]. ... I think it's going to be like Y2K."

Nor, say experts, is HIPAA training such as that from New Horizons—which costs as much as $1,500 for a three-day course—likely to turn IT professionals into sought-after health care security experts. According to Charles Emery, senior vice president and CIO of Horizon Blue Cross Blue Shield of New Jersey, if candidates for permanent jobs or consulting assignments don't have health care industry knowledge and years of experience, companies such as his aren't interested.

For his part, Gene Longobardi, senior vice president of North America operations for New Horizons, said IT workers taking on HIPAA compliance projects will have to understand the structures of health care IT systems and the business issues that come into play in the industry.

But, while quick-fix HIPAA certification will not be enough to win IT professionals new job offers, they shouldn't give up on the health care field altogether, experts say. With a health care background and knowledge of data security and/or EDI (electronic data interchange), there's "tremendous opportunity" for permanent positions and consulting opportunities, according to Paul Paez, CEO of Privastaff LLC, a San Francisco-based provider of data protection consulting.

IT workers with data security or EDI skills who are looking for a career change should look into training courses in health care administration—offered by most major universities—to get industry knowledge, and they should talk to as many health care people as they can to understand what the industry's about before they start looking for HIPAA work, Paez said.

But is it already too late to enroll in health care administration classes to cash in on HIPAA? Not necessarily, said Paez. Although demand for HIPAA-related skills has been slow to date, it will pick up as compliance deadlines approach. April 14 is the deadline for privacy directives and Oct. 16 for electronic transactions.

In the meantime, many health care executives say they're being inundated with HIPAA wannabes. Horizon Blue Cross Blue Shield of New Jersey's Emery, in Newark, said he is being plagued by two or three calls a day from HIPAA consultants. Although he has employed consultants to help the insurance company get its EDI transactions and privacy policy into shape, he sees many of the would-be HIPAA consultants as carpetbaggers. And like Keokuk County's IT director, Harris, Emery said he believes it's Y2K all over again.

While Emery is not impressed with HIPAA certification programs, for someone in the health care field, such as Harris, they make sense.

In addition to being the county's IT director, Harris was recently made HIPAA compliance officer, HIPAA security officer and HIPAA privacy officer—an impressive list of titles, but not onerous, considering the county has a population of only about 11,000 people.

Harris is trying to do most HIPAA remediation work herself, including putting audit software on the server, installing firewalls, and writing policies and procedures. Whereas the HIPAA Academy training didn't teach her to do anything as nitty-gritty as configure a firewall, it did give her a HIPAA vocabulary and a list of HIPAA to-dos. "Training just tells you what you need," Harris said. "It doesn't tell you how to do it."

Senior Writer Lisa Vaas is at