Policies and Procedures

The proposed 2.1 version of Core 3 reads as follows:

The organization: (--)

(a) Maintains and complies with written policies and procedures that govern core business processes of its operations related to the scope of the accreditation; (Wt = M)

(b) Maintains the ability to produce a master list of all such policies and procedures; (Wt = 2)

(c) Reviews policies and procedures no less than annually and revises as necessary; (Wt = 3)

(d) Includes the following on the master list or on all policies and procedures: (Wt = 2)

(i) Effective dates, review dates, including the date of the most recent revision; and

(ii) Identification of approval authority. 

This proposed revision of Core 3 has two substantive components:

• URAC has made subsection (b) more flexible, by including the phrase “the ability to produce” a master list of P&Ps.  This acknowledges the fact that some organizations keep their P&Ps in electronic form, and don’t have an already-printed master list (but could create one with the push of a button).
• URAC eliminated subsection (e) from this standard, seeing as redundant with an element of Core 8.

So, nothing revolutionary here – just a combination of common sense and good housekeeping.  In my view, any time you can make a standard more reflective of operational reality and get rid of duplication, all in the same breath, you’ve done a good thing.

In upgrading the HIPAA Privacy standards from v. 1.0 to v. 1.1, URAC has combined HP 8 with HP 10.  The new combined standard HP 8 will, like the v. 1.0 standards, have a weight of 5 (mandatory).  The new standard reads:

The organization (Primary)

(a)    Maintains and complies with written policies and procedures that govern its use and disclosure of protected health information; and (Primary)

(b)   Maintains a master list of all such policies and procedures which include: (Primary)

i.        Effective dates, including the date of the most recent revision; and (Primary)

ii.      Signature of reviewing and approval authority. (Primary)

The net effect of the combination is to reduce the total impact of P&P maintenance and approval on the total accreditation score.

Core 3 provides:

The organization:
(a) Maintains and complies with written policies and procedures that govern all
aspects of its operations;
(b) Maintains a master list of all such policies and procedures;
(c) Reviews policies and procedures no less than annually and revises as necessary;
and
(d) Includes the following on all policies and procedures:
(i) Effective dates, review dates, including the date of the most recent revision;
and
(ii) Identification of approval authority.

There are several things to note about this standard. First, it is mandatory. Mess up subsection (a), the only primary element of the standard, and you will do no better than a Conditional Accreditation.

Second, it applies "to the key services and internal programs established by the applicant. For purposes of accreditation, the policies and procedures that cover primary health care-related program services will be examined for compliance with these standards." So, while its scope is broad, many organizations will have a number of policies and procedures that are not affected by the requirements of the standard. As the Program Guide notes, "Policies and procedures covering general personnel, accounting, office management, and other such support services for the organization are not required as evidence for meeting these standards."

Third, mere maintenance of policies and procedures will not suffice. One of the most powerful two-word phrases in all of the URAC standards is subsection (a)'s "and complies". The effect of this phrase is to transform all your organization's policies and procedures into accreditation standards. In other words, even if you are complying with a particular URAC standard, if you are not in compliance with your own policy and procedure on the topic, you may run afoul of Core 3(a). And that would be very bad.

Fourth, one of the more frequently missed elements of this standard is Core 3(d)(i). While it may not be evident from the language of the standard, "review" and "revision" can be two entirely different events happening on entirely different dates. For example, if you review a policy without revising, your policy and procedure and/or your master list of P&Ps will need to indicate both dates, not simply the most recent day that somebody in authority looked at the policy. Therefore, either your P&P or your master list should have one place for the effective date, another place for the most recent revision, and another place for the most recent review.

So, don't merely mind your p's and q's, mind also your P&Ps.

One of the halmarks of the URAC accreditation process is the reliance on policies and procedures. Anyone who has glanced at URAC's Core standards can tell you that there is an entire standard (Core 3) dedicated to the care and feeding of P&Ps. The standards don't stop there, though, in their reverence for P&Ps: Core 6, 8, 16, 18, 20, 24 all explicitly reference policies, as do dozens of other standards scattered throughout the modules. I venture to say that the most frequent word used in the "Evidence for Desktop Review" sections of the URAC standards is "policy" (although I haven't actually counted).

However, if I stopped there, I still would not have conveyed how utterly important it is to have your P&Ps in order, fully reflecting the requirements of the standards. It is almost universally true that the requirements of the URAC standards must be reflected somewhere in a written policy. It seldom seems to matter if your organization's actual behavior is fully compliant with the requirements of the URAC standard. In addition to actual compliance with the requirements, you generally have to have a policy and procedure that requires that full compliance.

The rationale, as I understand it, is fairly straightforward and arguably reasonable: Just because you are compliant today does not mean you are compliant as a matter of policy. You could just be temporarily, and even accidentally, compliant. However, if you have a policy and procedure, and are complying with Core 3's requirement that you regularly review and implement your P&Ps, you are more likely to be compliant with the standard tomorrow, and tomorrow, and tomorrow.

You might argue that a flawless record of compliance (e.g., 30 out of 30 selected files are fully compliant) is demonstration that you have and have implemented a policy -- albeit a tacit one -- that complies with the standard. Save those arguments for social scientists and trial lawyers -- they won't fly here. And, probably, rightfully so.

So, the lesson to be learned here is simple -- don't rely on the mere fact that you are playing by the rules and conducting your business in full compliance of URAC's standards. Instead, play it safe and make sure all of the requirements of the URAC standards that apply to your organization are reflected not only in your behavior but also in your policies and procedures.

Over the years, many applicants have taken the sound approach of borrowing language directly from URAC to use in their policies and procedures (P&Ps). Tracking URAC's language closely often can help you avoid quibbling with reviewers.

However, cribbing URAC language may not be sufficient. More often than not, URAC language is written at the "policy" level, with not much procedure attached. URAC reviewers have been known to reject such high-level statements of policy, under the theory that a proper P&P should guide your staff on how to implement that policy.

So, then, what should go in the P&P? Well, it varies from one standard to the next, but the best rule of thumb is, in my opinion, to reference the program guide as much as possible, particularly the sections under the standard called "Evidence for Meeting the Standard", "Interpretive Information/Commentary", and "Points to Remember". If you can weave some of the comments from those sections into an explanation of how you implement your policy, and do so in such a way that a new employee would have a pretty good idea as to what he or she needs to do in order to implement that policy, then you've probably hit a URAC home run. If not, you may get the P&P returned to you in the Desktop Review Summary with a comment indicating that the P&P is not sufficiently detailed to demonstrate compliance with the intent of the standard.