The revisions are based on the patient data privacy provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which were included in the American Reinvestment and Recovery Act of 2009. In addition, URAC has made editorial changes to the standards to clarify their intent.
As a result of the revisions, all of the privacy and security standards now apply to “business associates” in addition to healthcare organizations covered by the HIPAA and HITECH regulations, explained Christine Leyden, URAC chief accreditation officer.
URAC defines a business associate as “a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.”
In addition, there are seven new standards about how to handle data breaches, including breach mitigation plans and impact analysis, Leyden told Infosecurity. There are also new standards for health information exchanges, which enable the electronic transfer of healthcare information across organizations, she added.
URAC standards provide organizations with the ability to demonstrate that they can safeguard protected health information, while permitting the appropriate access of information by those who have a legitimate use, the organization explained.
“By seeking URAC accreditation, an organization is demonstrating that they have a robust [information security] system in place that includes policy and procedures, comprehensive risk assessment, breach analysis and impact”, Leyden continued.
The process for accreditation includes a workshop to review the standards, a review of the organization's documentation to identify gaps, and a site visit that includes a data privacy and security audit.
URAC has accredited 15 organizations under its HIPAA security and privacy standards. These organizations include healthcare providers, health insurance companies, and healthcare clearinghouses, as well as business associates.
The Department of Health and Human Services (HHS) recently began handing out millions of dollars in fines for HIPAA violations. Leyden said that while URAC accreditation helps organizations ensure that they are in compliance with HIPAA and HITECH privacy and security regulations, it would not mitigate an HHS fine in the case of a violation.