HIPAA

URAC WS 4 - Disclosure: Personally Identifiable Information


Health Web Site standard 4 provides:

The Web site discloses to users: (Primary)
(a) What information is collected about users after the user opts-in to the information collection and how it is used (including the use of passive tracking mechanisms); (Primary)
(b) The use of passive tracking mechanisms to users and the purpose(s) for which the passive tracking mechanism will be used; (Primary)
(c) To whom personally-identifiable information may be disclosed, and for what purpose; (Primary)
(d) How long personally-identifiable information is retained; (Primary)
(e) The rights of users with respect to their personally-identifiable information, including all the rights enumerated in section IV of these standards; (Primary)
(f) The entity that maintains personally-identifiable information; (Primary)
(g) How users can access, supplement, and amend user-provided personally-identifiable information and personal health information; and (Primary)
(h) Any limitations on amendment, deletion, or removal of information. (Primary)

The standard, like all of URAC's privacy/confidentiality-related standards, is a mandatory standard.

It's important to note that Personally Identifiable Information ("PII") is defined as "Any information that can be tied to an individual identifier."

This disclosure requirement is a prerequisite for WS 24, the opt-in requirement for personally-identifiable information (PII). The notion underlying this pair of standards, of course, is that full disclosure is required for true choice.

The disclosures required by this standard are usually on a page called "Privacy Policy," and must be obviously displayed.  We recommend that this be a persistent link in the overall template of the Web site.

Another important issue in connection with this standard has to do with the use of third parties that might collect and use PII, such as a health risk assessment tool. URAC provides guidance for this scenario in the "Points to Remember" section of its Program Guide. The essence of that guidance is that the applicant Web site is held to a high standard regarding privacy disclosure, and does not get off the hook by delegating PII collection to a contractor.

The submission for this standard has the same form as most: a P&P that clearly describes the PII policy, coupled with an easily-locatable link to a comprehensive disclosure page.

URAC Core -- v. 2.1 Proposed Revision -- NEW STANDARD -- Information Confidentiality and Security


As a part of its reworking of the information management standard, now known as "Core 13", URAC proposes a new standard on Information Confidentiality and Security.  It would read:

The organization provides for data confidentiality and security of its information system(s) (electronic and paper) by implementing policies and procedures that address: (--)
(a) Assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of information systems; (3)
(b) Prevention of confidentiality and security breaches; (M)
(c) Detection, containment and correction of confidentiality and security violations. (M)

This is a significantly more detailed standard than the current Core 13 (b): "The organization implements information system(s) (electronic or paper) to collect, maintain, and analyze information necessary for organizational management that . . . provides for data confidentiality and security." We'll have a much better sense of the practical impact of the changes once the standards are adopted and the new accreditation guide is published, but we can hazard a few guesses even before then. In the documentation submitted on AccreditNet, applicants will need to provide explicit documentation in the form of P&Ps on all three elements of this standard (assessment, prevention, and detection-containment-correction). Additionally, they are likely to be required to submit, either in the application stage or during the onsite review, reports demonstrating that they have engaged in a formal risk assessment process. Finally, it would not be surprising if reports addressing any security breaches that have occurred were also required, most likely during the onsite review.

The scoring changes merely boost the significance of this category of standards, by doubling the number of mandatory standards associated with IT privacy and confidentiality.

URAC Core 22 -- Confidentiality of Individually-Identifiable Health Information


Core 22 is what I call the "mini-HIPAA" standard, even though it predates HIPAA's privacy rules. It reads:

The organization establishes and implements a policy and procedure to protect the confidentiality of individually-identifiable health information that:
(Primary)
(a) Identifies how individually-identifiable health information will be used; (Primary)
(b) Specifies that individually-identifiable health information is used only for purposes necessary for conducting the business of the organization, including evaluation activities; (Primary)
(c) Addresses who will have access to individually-identifiable health information collected by the organization; (Primary)
(d) Addresses oral, written, or electronic communication and records that are transmitted or stored; (Primary)
(e) Addresses the responsibility of organization employees, committee members, and board members to preserve the confidentiality of individually-identifiable health information; and (Primary)
(f) Requires employees, committee members, and board members of the organization to sign a statement that they understand their responsibility to preserve confidentiality. (Primary)

Your HIPAA P&Ps and evidence of training on those P&Ps will suffice for purposes of the AccreditNet submission. However, one word of caution -- make sure that you don't limit this to employees. The most common mistake we've seen in our clients' applications is to have the privacy P&Ps apply to employees only, leaving out members of the governing board and/or non-employee members of committees (e.g., quality management and credentialing). Note that subsections (e) and (f) are quite specific about this.

One other thing about (f) -- this refers to patient confidentiality, not the confidentiality associated with proprietary information. Make sure your documentation -- particularly the training materials and signed statements -- is clear on this point.

The onsite review will involve an interview with the privacy officer, a close examination of signed confidentiality statements from employees, committee members, and board members, and training and other documentation regarding implementation of your privacy P&Ps.

Note that this is a mandatory standard -- no getting accredited without this one!