Confidentiality
URAC Core -- v. 2.1 Proposed Revision -- NEW STANDARD -- Information Confidentiality and Security
Submitted by Tom Goddard on Mon, 2008-03-31 13:57.
As a part of its reworking of the information management standard, now known as "Core 13", URAC proposes a new standard on Information Confidentiality and Security. It would read:
The organization provides for data confidentiality and security of its information system(s) (electronic and paper) by implementing policies and procedures that address: (--)
(a) Assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of information systems; (3)
(b) Prevention of confidentiality and security breaches; (M)
(c) Detection, containment and correction of confidentiality and security violations. (M)
This is a significantly more detailed standard than the current Core 13 (b): "The organization implements information system(s) (electronic or paper) to collect, maintain, and analyze information necessary for organizational management that ... provides for data confidentiality and security." We'll have a much better sense of the practical impact of the changes once the standards are adopted and the new accreditation guide is published, but we can hazard a few guesses even before then. In the documentation submitted on AccreditNet, applicants will need to provide explicit documentation in the form of P&Ps on all three of the elements of this standard (assessment, prevention, and detection-containment-correction). Additionally, they are likely to be required to submit, either in the application stage or during the onsite review, reports demonstrating that they have engaged in a formal risk assessment process. Finally, it would not be surprising if any reports addressing security breaches that have happened would be required, most likely during the onsite review.
The scoring changes merely boost the significance of this category of standards, by doubling the number of mandatory standards associated with IT privacy and confidentiality.
URAC Core 22 -- Confidentiality of Individually-Identifiable Health Information
Submitted by Tom Goddard on Wed, 2008-03-12 13:07.
Core 22 is what I call the "mini-HIPAA" standard, even though it predates HIPAA's privacy rules. It reads:
The organization establishes and implements a policy and procedure to protect the confidentiality of individually-identifiable health information that: (Primary)
(a) Identifies how individually-identifiable health information will be used; (Primary)
(b) Specifies that individually-identifiable health information is used only for purposes necessary for conducting the business of the organization, including evaluation activities; (Primary)
(c) Addresses who will have access to individually-identifiable health information collected by the organization; (Primary)
(d) Addresses oral, written, or electronic communication and records that are transmitted or stored; (Primary)
(e) Addresses the responsibility of organization employees, committee members, and board members to preserve the confidentiality of individually-identifiable health information; and (Primary)
(f) Requires employees, committee members, and board members of the organization to sign a statement that they understand their responsibility to preserve confidentiality. (Primary)
Your HIPAA P&Ps and evidence of training on those P&Ps will suffice for purposes of the AccreditNet submission. However, one word of caution -- make sure that you don't limit this to employees. The most common mistake we've seen in our clients' applications is to have the privacy P&Ps apply to employees only, leaving out members of the governing board and/or non-employee members of committees (e.g., quality management and credentialing). Note that subsections (e) and (f) are quite specific about this.
One other thing about (f) -- this refers to patient confidentiality, not the confidentiality associated with proprietary information. Make sure your documentation -- particularly the training and signed statements -- is clear on this point.
The onsite review will involve an interview with the privacy officer, a close examination of signed confidentiality statements from employees, committee members, and board members, and training and other documentation regarding implementation of your privacy P&Ps.
Note that this is a mandatory standard -- no getting accredited without this one!
