Health Information Compliance Alert

Privacy: URAC ON TRACK FOR PRIVACY/SECURITY ACCREDITATION

Riding the HIPAA compliance train can be bumpy for many covered entities, but health care accrediting giant URAC hoped to keep CEs from derailing when it announced the creation of two new HIPAA accreditation programs.

The Utilization Review Accreditation Commission (URAC) Jan. 16 announced its plans to create a compliance program specifically addressing many of the provisions of the Health Insurance Portability and Accountability Act. URAC’s new “HIPAA strategy” will offer two new accreditation programs: HIPAA Privacy Accreditation and HIPAA Security Accreditation, the organization announced.

Organizations can seek either one of the programs or both, and URAC says it is designing its programs to accommodate all types of CEs, including business associates. URAC president and CEO Gary Carneal said health care organizations have invested vast amounts of their resources in their efforts to become compliant with HIPAA, and claims URAC’s new certification program will “assure customers they have followed good practices to protect patient information.”

The certification programs will look for the existence of policies and procedures CEs have in place with regard to HIPAA compliance. URAC will scrutinize those policies and procedures.

Take the security rule, for example. Although the requirements may change with the much-anticipated release of the final rule, the fundamental fact is that the draft rules ask CEs to implement ongoing security risk management within their organizations, says Lisa Gallagher, URAC senior vice president for Information and Technology Accreditation.

“That’s really what we’re going to look at. Are those [risk management] policies in place as a fundamental process on an ongoing basis to support their HIPAA compliance?” Gallagher asks.

That’s the key question URAC’s accreditation assessment teams will ask: Has the CE implemented policies and procedures that will support ongoing HIPAA compliance? That goes for both privacy and security matters. In other words, if you have the fundamental systems in place to continually support your compliance needs, you’re in great shape for certification.

But accreditation comes with a cost. Gallagher says the process will naturally be scalable to account for the specific needs, including the size, of a CE seeking accreditation in one or both of the programs. She tells Eli that small providers could expect to pay several thousand dollars for certification, while larger CEs could receive a bill for $10,000 or more.

URAC isn’t wasting any time with getting its program operational. The organization hopes to be ready to begin its programs in early February. “We’ll release copies of the [privacy rule] standards on [Feb. 10], and for the security standards, we’re aiming for the end of February,” Gallagher anticipates.