URAC Core 22 -- Confidentiality of Individually-Identifiable Health Information


Core 22 is what I call the "mini-HIPAA" standard, even though it predates HIPAA's privacy rules. It reads:

The organization establishes and implements a policy and procedure to protect the confidentiality of individually-identifiable health information that: (Primary)
(a) Identifies how individually-identifiable health information will be used; (Primary)
(b) Specifies that individually-identifiable health information is used only for purposes necessary for conducting the business of the organization, including evaluation activities; (Primary)
(c) Addresses who will have access to individually-identifiable health information collected by the organization; (Primary)
(d) Addresses oral, written, or electronic communication and records that are transmitted or stored; (Primary)
(e) Addresses the responsibility of organization employees, committee members, and board members to preserve the confidentiality of individually-identifiable health information; and (Primary)
(f) Requires employees, committee members, and board members of the organization to sign a statement that they understand their responsibility to preserve confidentiality. (Primary)

Your HIPAA P&Ps and evidence of training on those P&Ps will suffice for purposes of the AccreditNet submission. However, one word of caution -- make sure that you don't limit this to employees. The most common mistake we've seen in our clients' applications is to have the privacy P&Ps apply to employees only, leaving out members of the governing board and/or non-employee members of committees (e.g., quality management and credentialing). Note that subsections (e) and (f) are quite specific about this.

One other thing about (f) -- this refers to patient confidentiality, not the confidentiality associated with proprietary information.  Make sure your documentation -- particularly the training and signed statements -- is clear on this point. 

The onsite review will involve an interview with the privacy officer, a close examination of signed confidentiality statements from employees, committee members, and board members, and training and other documentation regarding implementation of your privacy P&Ps.

Note that this is a mandatory standard -- no getting accredited without this one!