HIPAA Regulatory Alert: URAC accreditation standards out for comment

Standards to provide a guide for internal verification

URAC has released a draft set of HIPAA Security Accreditation standards for public comment. Once the program is completed, it will enable health care organizations to display a commitment to information security and demonstrate that they have adopted the necessary policies and procedures to ensure health information security in accordance with the HIPAA security rule, says URAC president Garry Carneal.

According to Carneal, the purpose of the accreditation program is to "verify that an organization has put in place the necessary infrastructure and implemented the necessary processes to comply with the HIPAA security rule. URAC supports fair information practices and recognizes the value that health information security adds to the health care process."

Source of due diligence

He says URAC HIPAA security accreditation will provide value to health care organizations by:

  • providing a guide for internal verification of HIPAA security compliance efforts;
  • providing a source of documented and demonstrated due diligence;
  • providing a convenient source of industry security practices;
  • facilitating collaboration with trade associations, government agencies, and the regulated industry in the compilation of security practices, threats, vulnerabilities, and advances in security technology;
  • allowing organizations to treat the URAC accreditation as an evaluation by external reviewers;
  • allowing accreditation by an independent, third-party organization;
  • assuring customers/patients that appropriate steps are being taken to protect health information;
  • demonstrating to current and potential business partners good-faith efforts to meet HIPAA security requirements;
  • reducing potential penalties/sentences for organizations that have an effective compliance program;
  • supporting organization risk management efforts;
  • allowing an organization to demonstrate to regulators and other stakeholders that the organization has taken reasonable steps to achieve compliance with the HIPAA security rule.

"This accreditation program is designed to be relevant to all health care organizations expected to comply with the HIPAA security rule," Carneal said. "That includes covered entities, business associates, and organizations that, while not legally subject to HIPAA, still wish to validate their HIPAA compliance program. Since different organization types need to comply with certain HIPAA requirements, we intend to take a situational approach in determining which of the HIPAA security accreditation standards apply."

URAC HIPAA security accreditation will last for two years, at which time an accredited organization can submit a reaccreditation application and be reviewed by URAC before accreditation is granted for another two years.

[Editor’s note: Obtain a copy of the draft accreditation standards from www.urac.org. Contact URAC at (202) 216-9010.]