URAC Core -- v. 2.1 Proposed Revision -- NEW STANDARD -- Information Confidentiality and Security


As a part of its reworking of the information management standard, now known as "Core 13", URAC proposes a new standard on Information Confidentiality and Security.  It would read:

The organization provides for data confidentiality and security of its information system(s) (electronic and paper) by implementing policies and procedures that address: (--)
(a) Assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of information systems; (3)
(b) Prevention of confidentiality and security breaches; (M)
(c) Detection, containment and correction of confidentiality and security violations. (M)

This is a significantly more detailed standard than the current Core 13 (b): "The organization implements information system(s) (electronic or paper) to collect, maintain, and analyze information necessary for organizational management that . . . provides for data confidentiality and security."  We'll have a much better sense of the practical impact of the changes once the standards are adopted and the new accreditation guide is published, but we can hazard a few guesses even before then.  In the documentation submitted on accreditnet, applicants will need to provide explicit documentation in the form of P&Ps on all three elements of this standard (assessment, prevention, and detection-containment-correction).  Additionally, they are likely to be required to submit, either in the application stage or during the onsite review, reports demonstrating that they have engaged in a formal risk assessment process.  Finally, it would not be surprising if any reports addressing security breaches that have occurred were required as well, most likely during the onsite review.

The scoring changes merely boost the significance of this category of standards, by doubling the number of mandatory standards associated with IT privacy and confidentiality.

URAC Core 13 -- v. 2.1 Proposed Revision


Big changes are afoot regarding Core 13, the Information Management Standard.  In the proposed revision, URAC adds some much-needed heft to the standards and separates it into three distinct standards.  So, components that are now in Core 13 (confidentiality, security, and disaster recovery) will be split off from Core 13 into two new standards.  What will be left is the following:

The organization implements information system(s) (electronic and paper) to collect, maintain, and analyze information necessary for organizational management that: (No wt stem)
(a) Provides for data integrity; (Wt = M)
(b) Includes a plan for storage, maintenance and destruction; (Wt = 2)
(c) Includes a plan for interoperability: (Wt = L)
  (i) Between internal information systems; (--)
  (ii) With external entity information systems. (--)

There's much to talk about here.  First, URAC proposes to make clearer what has long been true but widely misunderstood (see my blog from 12/5/07), that this standard applies to electronic and paper information systems.  By moving this explanation from the interpretive information to the standard itself, URAC is signaling that it really wants to get the attention of applicants:  paper counts, too!   And, it counts not only for storage, maintenance and destruction, but also for data integrity.

What do you mean by data integrity?  Another old issue for URAC applicants, as you can see in my blog from 8/6/06.  Currently, URAC defines this term in the interpretive information accompanying Core 13, but in the revision, URAC proposes to make it a defined term:

The quality or condition of being accurate, complete and valid, and not altered or destroyed in an unauthorized manner.

URAC then takes the relatively unusual step of citing its source: www.ecommercepki.com/cps/glossary.htm

This is a modest change from URAC's current view of "accuracy and traceability."

The other big change here is the addition of a new section on interoperability.  URAC would define the term as meaning:

Ability of two or more systems or components to exchange information and to use the information that has been exchanged.

This is the first of the proposed revisions to carry the new scoring designation of "L".  An "L" standard is a "Leading Indicator," a "non-weighted, optional element highlighting effective practices not yet widely adopted in health care."  You lose no points for missing such a standard, but, under certain circumstances, you may be able to use your compliance with the standard to distinguish yourself from other URAC-accredited companies.  See my blog on the topic for the full URAC explanation.

At the 2008 Summit, URAC staff members explained that the applicant will get credit for this standard with merely an approved plan, regardless of the stage of implementation of that plan.

This element is driven by the "Four Cornerstones" for health care improvement of the US Department of Health and Human Services.