The revisions are based on the patient data privacy provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which were included in the American Reinvestment and Recovery Act of 2009. In addition, URAC has made editorial changes to the standards to clarify their intent.
As a result of the revisions, all of the privacy and security standards now apply to “business associates” in addition to healthcare organizations covered by the HIPAA and HITECH regulations, explained Christine Leyden, URAC chief accreditation officer.
URAC defines a business associate as “a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.”
In addition, there are seven new standards about how to handle data breaches, including breach mitigation plans and impact analysis, Leyden told Infosecurity. There are also new standards for health information exchanges, which enable the electronic transfer of healthcare information across organizations, she added.
URAC standards provide organizations with the ability to demonstrate that they can safeguard protected health information, while permitting the appropriate access of information by those who have a legitimate use, the organization explained.
“By seeking URAC accreditation, an organization is demonstrating that they have a robust [information security] system in place that includes policy and procedures, comprehensive risk assessment, breach analysis and impact,” Leyden continued.
The process for accreditation includes a workshop to review the standards, a review of the organization's documentation to identify gaps, and a site visit that includes a data privacy and security audit.
URAC has accredited 15 organizations under its HIPAA security and privacy standards. These organizations include healthcare providers, health insurance companies, and healthcare clearinghouses, as well as business associates.
The Department of Health and Human Services (HHS) recently began handing out millions of dollars in fines for HIPAA violations. Leyden said that while URAC accreditation helps organizations ensure that they are in compliance with HIPAA and HITECH privacy and security regulations, it would not mitigate an HHS fine in the case of a violation.
Comments
redspin.com says:
20 March 2011
All electronic protected health information (ePHI) created, received, maintained or transmitted by an organization is subject to the Security Rule. The importance of safeguarding ePHI cannot be understated. Sure, publicized breach notifications and million dollar penalties damage a healthcare organization’s reputation and bottom line. But more than that, such incidents undermine professional and public trust of electronic health records (EHR). And make no mistake about it – the widespread adoption of EHR is fundamental to future improvements in efficiency, communications and patient care.
So if security is the cornerstone to health IT transformation, what can your organization do to not only comply with the regulations but also contribute to this important mission?
Read more here: http://wp.me/pymfm-D2
Wendy says:
11 March 2011
Donations of GTB Technologies Enterprise Data at Rest Scanners are currently underway to Non-Profit Cancer Centers in the United States. The Data at Rest Scanner is a Data Discovery tool that searches an enterprise network for HIPAA violations as well as PCI and PHI data. The system runs over the network and does not require an agent. It searches any file format on Windows and UNIX file shares and reports where violating files reside.
This donation is in memory of Leslie Cohen, a sister of one of the GTB founders. Leslie was diagnosed with Stage II cancer in the Spring of 2002 and unfortunately, after a brutal fight, succumbed to the disease on March 8, 2006, a few days shy of her 48th birthday. Leslie, as well as the entire GTB Technologies organization, has always been a supporter of various Cancer Research and Treatment causes, both before and after her diagnosis.
Earlier this month, news came out that the US Department of Health and Human Services started penalizing health care organizations for HIPAA privacy violations. So in order to help avoid any penalties and instead spend valuable funds on research and care, GTB Technologies is making this donation to help Cancer Centers with HIPAA compliance.
Any Non-Profit Cancer Center may request a free copy of the Data at Rest Scanner by emailing DARS@GTTB.COM. This donation includes all support and maintenance upgrades.