NCQA, JCAHO to offer business associate certification

URAC releases standards for security accreditation

The National Committee for Quality Assurance (NCQA) and the Joint Commission on Accreditation of Healthcare Organizations announced recently they jointly will offer a Privacy Certification Program for Business Associates. The move is in response to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which establishes specific expectations for "covered entities" and "business associates" in limiting access to protected health information (PHI).

The planned program would evaluate applicant business associates to determine whether they are meeting standards for safeguarding PHI based on the HIPAA privacy regulation, says Margaret E. O’Kane, NCQA president.

"Collaborating with the Joint Commission on this program will promote efficient, consistent privacy oversight across diverse sectors of the health care system," O’Kane says. "All of us in health care bear the responsibility of keeping protected health information safe, and a collaborative effort will help more organizations meet their end of the privacy bargain."

NCQA released draft standards for a privacy certification program in December 2002, and Joint Commission representatives served on the advisory committee that developed those standards. The final standards for the program, scheduled for release this month, will track closely with the final HIPAA privacy regulations. O’Kane says program requirements will relate to privacy protections for oral, written, and electronic PHI; processes and practices for the storage, use, and disclosure of PHI; employee training in PHI protections; consumer access to PHI; and contracting between covered entities and their business associates.

Any business associate that handles PHI for health plans, providers, or health care clearinghouses would be eligible for the program. Such entities include, but are not limited to, software firms; health care information technology firms; data collection, analysis, and processing firms; practice-management firms; third-party administrators; disease management organizations; and survey vendors.

URAC also released a draft set of HIPAA Security Accreditation standards for public comment. When completed later this year, the new program will enable health care organizations to display a commitment to information security and demonstrate that they have adopted the necessary policies and procedures to ensure health information security in accordance with HIPAA, says Garry Carneal, URAC president and CEO.

"The purpose of this accreditation program is to verify that an organization has put in place the necessary infrastructure and implemented the necessary processes to comply with HIPAA," he says.

Carneal says URAC HIPAA Security Accreditation will provide value to health care organizations by providing a guide for internal verification of HIPAA security compliance efforts, providing a source of documented and demonstrated due diligence, and allowing organizations to treat the URAC accreditation as an evaluation by external reviewers, among other benefits.

"This accreditation program is designed to be relevant to all health care organizations expected to comply with the HIPAA Security Rule," Carneal says. "These include covered entities, business associates, and organizations that, while not legally subject to HIPAA, still wish to validate their HIPAA compliance program. Since different organization types need to comply with certain HIPAA requirements, we intend to take a situational approach in determining which of the HIPAA Security Accreditation standards apply."

[For more information, contact:

Joint Commission on Accreditation of Healthcare Organizations, One Renaissance Blvd., Oakbrook Terrace, IL 60181. Telephone: (630) 792-5000.

National Commission for Quality Assurance, 2000 L St. N.W., Suite 500, Washington, DC 20036. Telephone: (202) 955-3500.]