HIPAA Regulatory Alert

URAC unveils revisions to its health information standards

Risk assessment and training highlighted

Washington, DC-based URAC, an independent, nonprofit accreditation organization, has unveiled significant revisions to its health information technology standards. The changes affect health web site accreditation and URAC's HIPAA Privacy and Security standards.

For example, the HIPAA standards have been revised to emphasize the need for annual workforce training. They also clarify notice of privacy practices to consumers, including notice of material changes in privacy practices. (URAC was originally incorporated under the name "Utilization Review Accreditation Commission," but the name was shortened to "URAC" in 1996.)

URAC-accredited organizations also are now required to conduct a risk assessment, which must include an analysis of the use of portable media such as USB drives and laptop computers.

Given how long it has been since HIPAA was passed, and the fact that URAC initiated HIPAA standards in 2000, why did the organization feel such revisions were necessary at this time? "As an accrediting body, we slowly develop and enhance our standards to raise awareness," explains Christine Leyden, vice president and chief accreditation officer at URAC. "For example, we made some revisions so that training would be a little more advanced, due to some of our more recent research findings. We found the need to strengthen the ability to ensure that whether handled in-house or with a contractor, staff training was a continuous process."

URAC's training expectations

In addition to requiring annual workforce training, who does URAC feel should be trained, and what should that training comprise? "You should have training for all employees, physicians that come out to the facility, as well as vendors who are on-site at the hospital that may have access to personal health information — like subcontractors on pharmacy staffs," says Leyden.

She adds that training should consist of a number of key elements, including the organization's privacy practices, what might be disclosed under whistle-blower protection, workforce member crime victim exceptions, and the need for documentation of the training. "Most importantly, the staff should be aware of hospital sanctions that may occur if there is inappropriate release of PHI [personal health information] — be it termination, retraining, and so forth," notes Leyden.

Training program must-haves

The following is a more complete description of what a training program should consist of, according to URAC:

• The organization has a clearly defined organizational structure outlining direct and indirect oversight responsibility throughout the organization.

• The organization has an ongoing training program that includes:

(a) Initial orientation and/or training for all staff before assuming assigned roles and responsibilities;

(b) Ongoing training, at a minimum annually, to maintain professional competency;

(c) Training in current URAC standards as appropriate to job functions;

(d) Training in state and regulatory requirements as related to job functions;

(e) Conflict of interest;

(f) Confidentiality;

(g) Training on identification and prevention of fraud and abuse, as appropriate to job functions;

(h) Delegation oversight, if necessary;

(i) Documentation of all training provided for staff.

Documentation through risk assessment

One of the key standards that was enhanced, says Leyden, was documentation through risk assessment. "You can't have [HIPAA] compliance without it," she argues. "For example, if patients in your hospital enter through the ED, or through the admission process, does that [electronic] chart go with them? What are the areas of possible breaches? How are claims sent to insurance companies? How are they handled in your medical claims department? It is through risk assessment that you can try to mitigate any areas of breaches."

Karen Trudel, deputy director of the Centers for Medicare & Medicaid Services Office of e-Health Standards and Services, agrees. In a prepared statement that coincided with URAC's release of its new standards, she noted that risk assessment is a basic expectation of HIPAA compliance. "You cannot have a security plan unless you know where the risks are and where they will come from, the potential severity of them, and the likelihood that the risk will occur," she said. "That is absolutely critical and basic to developing a security plan."

There was an important security reason for adding portable media to the revised risk assessment plan, says Leyden. "We know of high-profile breaches that have occurred due to this type of media," she explains. "For example, many people now use hand-held devices; how do you secure them? Do they prohibit access to the Internet, so there is no risk of tapping into the mainframe or accessing medical records?"

Flash drives, USB drives, and laptops all have "high vulnerability," Leyden adds. "You've got to ask yourself if they're encrypted; there is encryption software available so that if something is stolen, after several attempts by the thief to log in, it will be wiped out." Some software, she adds, also enables the organization to wipe out confidential information if it is reported lost. "That's why training is so important," she emphasizes, "so the staff will know what to do when equipment is lost or stolen."

Quality structure critical

In order for HIPAA training to be successful, URAC maintains, a quality structure should be in place to educate the staff. "The quality structure is responsible for several different areas: how the organization will monitor any potential complaints from users or consumers; how changes in privacy practices are pushed out to the organization as well as to the consumer; and how the organization will react when a breach does occur," says Leyden. "For example, do they do an analysis and walk through the process, workflow it, and re-educate the staff?" This oversight body, often headed by the chief privacy officer, must monitor all these processes, she explains.

"You must understand that education is a continuous process; it's not even enough to require annual training," Leyden continues. "It's important to do spot checks of the system because problems can be caused inadvertently. For example, one department may decide a software change is desirable, but if they do not report this change to the privacy department, it can make them vulnerable."

[For more information, contact:

• URAC, 1220 L Street NW, Suite 400, Washington, DC 20005. Phone: (202) 216-9010. Fax: (202) 216-9006. Web site: www.urac.org.]