HIPAA Privacy

This mandatory standard, which in v. 1.0 described the required components of a training program for the employees of covered entities, but not business associates, has been amended to apply all but subsection (d) to all entities.  Therefore, all applicants for HIPAA Privacy must have the full training components of URAC’s required training for employees, with the exception of the disclosure requirements regarding “whistleblower” and “workforce member crime victim” exceptions, which will continue to apply only to covered entities.

The full standard still reads:

The organization has policies and procedures to conduct a training program for all members of its workforce that have access to protected health information as part of their function within the organization.  The training program: (Primary)

(a)        Provides training to all existing workforce members by the date of the application submission for URAC HIPAA Privacy Accreditation; (Primary) (Applies to covered entities and business associates)

(b)        Provides training to all new workforce members within a reasonable time period; (Primary) (Applies to covered entities and business associates)

(c)        Updates training for all affected staff in the event of a material change in the organization’s privacy practices; (Primary) (Applies to covered entities and business associates)

(d)       Explains the limited circumstances under which protected health information may be disclosed under “whistleblower” and “workforce member crime victim” exceptions; and (Primary) (Applies only to covered entities)

(e)        Includes a process to document training provided to workforce members. (Primary) (Applies to covered entities and business associates)

In upgrading the HIPAA Privacy standards from v. 1.0 to v. 1.1, URAC has combined HP 8 with HP 10.  The new combined standard HP 8 will, like the v. 1.0 standards, have a weight of 5 (mandatory).  The new standard reads:

The organization (Primary)

(a)    Maintains and complies with written policies and procedures that govern its use and disclosure of protected health information; and (Primary)

(b)   Maintains a master list of all such policies and procedures which include: (Primary)

i.        Effective dates, including the date of the most recent revision; and (Primary)

ii.      Signature of reviewing and approval authority. (Primary)

The net effect of the combination is to reduce the total impact of P&P maintenance and approval on the total accreditation score.