URAC Releases Revised HIPAA Privacy and Security Standards

Revised Standards Exceed Regulatory Requirements; Protect Patients and Facilitate Communication Through the Patient Centered Health Care Home

URAC, a leading health care accreditation and education organization, has released revisions to its Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Standards. These revisions are based upon the privacy provisions in the American Reinvestment and Recovery Act (ARRA). Various provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act contained within ARRA have gone into effect since the previous version. In addition, URAC has taken into account the real world experience of organizations applying for these accreditations, leading to editorial changes to clarify the intent of the standards.

The URAC HIPAA Privacy and Security accreditations are designed to be relevant to a broad range of health care organizations requiring compliance with HIPAA regulations. This includes covered entities, business associates, and other organizations that, while not legally subject to HIPAA, still want to validate their privacy compliance program against HIPAA standards. In certain areas the URAC standards are more stringent and provide more clarity with regard to organizational compliance requirements in the areas of assessments, training, policies and procedures management, and Security Official assignment and designation of their minimum duties.

URAC HIPAA Privacy and Security standards provide organizations with the ability to demonstrate that they can safeguard protected health information (PHI) and e-PHI, while permitting the appropriate access of information by those who have a legitimate use. Further, the URAC standards have been developed in a manner that affords organizations the ability to demonstrate compliance not only with HIPAA and the associated HITECH requirements, but with other privacy and security programs and standards as well.

Whether an organization is a Covered Entity or Business Associate, URAC’s HIPAA Privacy and Security accreditations can:

  •     Demonstrate good faith efforts in meeting HIPAA requirements to current and potential business partners.
  •     Help assure customers and patients that appropriate steps are being taken to safeguard PHI.
  •     Support a risk management strategy.
  •     Build stakeholder trust in operations.
  •     Differentiate an organization from their competition.

“URAC's highly respected HIPAA Privacy Accreditation program provides a great opportunity for Business Associates eager to implement HIPAA Privacy best practices. URAC Accreditation remains in synch with emerging regulations,” said Sue Padgett, Senior Vice President, Chief Compliance Officer, Associated Third Party Administrators. “They continuously enhance their Accreditation program, seminars and webinars dealing with HIPAA Privacy Standards, which are all invaluable for any Privacy Officer dedicated to ensuring compliance with these important regulations.”

Such privacy and security concerns are becoming even more important with the growth of new care coordination models such as medical homes. URAC’s Patient Centered Health Care Home (PCHCH) Program Toolkit educates and guides practices, and/or their sponsoring health plans, insurers, and pilot programs, on how to transform themselves into a truly patient centered health care home. Standards within the PCHCH program are designed for practices to maintain written policies and documented procedures that address confidentiality, privacy and security; provide a comprehensive privacy policy for the electronic communications portal; evaluate electronic communication contracts for security features prior to purchase or execution; hold business partners to the same or higher privacy and security practices related to individually identifiable health information and protected health information; and ensure that the electronic prescribing system includes a unique provider electronic identifier and promotes consistency with security standards.

Overview of the Standards Revisions
As part of this revision, all of the URAC HIPAA Privacy standards will apply to business associates, which affects attorneys, third party administrators, regional health information exchanges, data analysts, claims processors, billing benefits managers and others that fall within that category. In addition, the Privacy revisions require organizations to have individuals "opt in" to authorize the use of their information for fundraising purposes, which is a more stringent requirement than the “opt out” required by the HITECH Act.

Key Revisions to URAC HIPAA Privacy Standards, v3.0

  •     HIPAA Privacy Business Associate and Covered Entity programs have been combined into one URAC HIPAA Privacy Standards accreditation program.
  •     The background and training needed to assume the responsibilities of a “Privacy Official” have been clarified.
  •     New standard language has been added requiring that organizations offer individuals an electronic copy of their health information contained within a designated record set or to have that information forwarded to a third party of their choice.

Key Revisions to URAC HIPAA Security Standards, v3.0

  •     The background and training needed to assume the responsibilities of a “Security Official” have been clarified.
  •     Clarification around the need to update policies and procedures prior to the effective date of changes to the Security Rule and law or regulation affecting the Security Rule, as well as application for accreditation.
  •     Applicant organization must maintain an archive of superseded policies and procedures for at least six (6) years, which is the same for privacy documentation.

“URAC accreditation ensures that organizations are protecting patient information whether delivering traditional care coordination, innovative technology that supports the patient centered health care home, an interactive personal health record or telemedicine that improves access to health care services,” said Alan P. Spielman, URAC President and CEO. “This can both serve to ensure consumer rights in their health care decisions and allow health information technology to be used appropriately in making their health care decisions in a private and secure manner.”

For more information about these revised standards please contact businessdevelopment(at)urac(dot)org or go to http://www.urac.org.

About URAC
URAC, an independent, nonprofit organization, is well-known as a leader in promoting health care quality through its accreditation, education and measurement programs. URAC offers a wide range of quality benchmarking programs and services that keep pace with the rapid changes in the health care system, and provide a symbol of excellence for organizations to validate their commitment to quality and accountability. Through its broad-based governance structure and an inclusive standards development process, URAC ensures that all stakeholders are represented in establishing meaningful quality measures for the entire health care industry. For more information, visit http://www.urac.org.

# # #

Contact Author

Matthew Kratz
URAC
(202) 326-3978