Doing Right is Not Enough: Having a Policy to Do It Right is Required, Too

One of the halmarks of the URAC accreditation process is the reliance on policies and procedures. Anyone who has glanced at URAC's Core standards can tell you that there is an entire standard (Core 3) dedicated to the care and feeding of P&Ps. The standards don't stop there, though, in their reverence for P&Ps: Core 6, 8, 16, 18, 20, 24 all explicitly reference policies, as do dozens of other standards scattered throughout the modules. I venture to say that the most frequent word used in the "Evidence for Desktop Review" sections of the URAC standards is "policy" (although I haven't actually counted).

However, if I stopped there, I still would not have conveyed how utterly important it is to have your P&Ps in order, fully reflecting the requirements of the standards. It is almost universally true that the requirements of the URAC standards must be reflected somewhere in a written policy. It seldom seems to matter if your organization's actual behavior is fully compliant with the requirements of the URAC standard. In addition to actual compliance with the requirements, you generally have to have a policy and procedure that requires that full compliance.

The rationale, as I understand it, is fairly straightforward and arguably reasonable: Just because you are compliant today does not mean you are compliant as a matter of policy. You could just be temporarily, and even accidentally, compliant. However, if you have a policy and procedure, and are complying with Core 3's requirement that you regularly review and implement your P&Ps, you are more likely to be compliant with the standard tomorrow, and tomorrow, and tomorrow.

You might argue that a flawless record of compliance (e.g., 30 out of 30 selected files are fully compliant) is demonstration that you have and have implemented a policy -- albeit a tacit one -- that complies with the standard. Save those arguments for social scientists and trial lawyers -- they won't fly here. And, probably, rightfully so.

So, the lesson to be learned here is simple -- don't rely on the mere fact that you are playing by the rules and conducting your business in full compliance of URAC's standards. Instead, play it safe and make sure all of the requirements of the URAC standards that apply to your organization are reflected not only in your behavior but also in your policies and procedures.