Case Study: How a Healthcare Technology Vendor Achieved URAC Health Care Management Certification in Five Months

Last updated: April 2026

A healthcare technology organization providing care coordination support tools and population health analytics to URAC-accredited managed care organizations engaged IHS to navigate URAC Health Care Management (HCM) Certification from initial gap analysis through certification award. The organization had no prior URAC history and faced a contracting deadline from a key health plan partner requiring demonstrated external quality validation. Here is how we did it.

Client Profile

  • Organization Type: Healthcare technology vendor — care coordination support platform and population health analytics services
  • Clients Served: URAC-accredited managed care organizations and self-funded employer groups
  • Credential Pursued: URAC Health Care Management (HCM) Certification
  • Prior Credential Status: None — first-time URAC applicant
  • Key Challenge: Contracting deadline from a key health plan partner requiring demonstrated external quality validation within six months; no existing URAC-compliant policy infrastructure
  • Timeline Constraint: Health plan partner contract renewal required credential documentation within six months of engagement start

The Challenge

The organization faced four critical obstacles to achieving URAC HCM Certification on a compressed timeline:

Obstacle 1: No Existing URAC-Compliant Policy Infrastructure

The organization had never pursued external quality validation of any kind. Its operational policies had been built organically as the business grew — functional for internal purposes, but not structured to demonstrate compliance against externally auditable standards. No policies addressed URAC's specific requirements for delegation oversight documentation, quality management committee structure, consumer complaint escalation pathways, or security and privacy program governance. The gap between existing documentation and HCM Certification requirements was substantial, and the contracting deadline left no margin for a slow remediation process.

Obstacle 2: Quality Management System Existed in Name Only

The organization had a "Quality Improvement" section in its employee handbook. It did not have a functioning quality management program: no quality management committee with a formal charter and documented meeting cadence, no defined performance measures with baseline data, no documented improvement actions linked to performance findings, and no corrective action tracking process. URAC's Performance Monitoring and Improvement standards require demonstrated operational quality management — not a paragraph in a handbook. This was the highest-risk domain for the engagement.

Obstacle 3: Delegation Oversight Documentation Gap

The organization subcontracted several operational functions — data security monitoring, member outreach support, and certain administrative services — to third-party vendors. Delegation agreements existed for two of the three vendor relationships. None of the three relationships had documented delegation oversight audit records: no periodic audit logs, no issue identification and corrective action documentation, no formal delegation oversight calendar. URAC's Operations and Infrastructure standards require ongoing documented oversight of delegated activities — not just executed agreements.

Obstacle 4: Consumer Communication Standards Underestimated

The organization's leadership initially categorized Consumer Protection and Empowerment as a low-risk domain — reasoning that the organization did not interact directly with health plan members. The Standard-by-Standard Review identified this assumption as incorrect: the organization's analytics outputs informed clinical decisions affecting members, its care coordination tools were used by case managers communicating directly with members, and its service agreements with health plan clients included complaint escalation provisions that required documented consumer protection processes on the vendor side. The consumer communication and complaint handling requirements were more extensive than the organization had anticipated.

The IHS Approach

IHS structured the engagement across five phases with the certification deadline as the fixed constraint. Every deliverable was sequenced to begin building operational evidence on day one — the organization could not afford to spend the first months in planning mode and the final months in remediation mode.

Phase 1: Standard-by-Standard Review (Weeks 1–3)

IHS conducted a systematic review of the organization's operations, contracts, policies, and existing documentation against each HCM Certification standard across all four Foundational Focus Areas. The Standard-by-Standard Review was structured as a line-by-line gap analysis — not a high-level maturity assessment, but a specific determination of whether each standard requirement was met, partially met, or not met, with documentation of the specific gap and a remediation action.

Key findings from the Standard-by-Standard Review:

  • Risk Management: Security and privacy policies existed but lacked documented business continuity and disaster recovery testing evidence; incident classification taxonomy was undefined; no documented security audit cycle
  • Operations and Infrastructure: Policies addressed core functions but did not reflect actual operational workflows in several areas; two of three vendor delegation agreements were executed but none had oversight audit documentation; job descriptions lacked qualifications language aligned to URAC staffing standards; no documented training completion tracking
  • Performance Monitoring and Improvement: No functioning quality management committee; no defined performance measures with baseline data; no documented improvement cycle; the "QI section" in the handbook was not a compliance-grade quality management program
  • Consumer Protection and Empowerment: No formal complaint and grievance process documentation; consumer-facing output templates (analytics reports, care coordination tool outputs) had not been reviewed for health literacy compliance; no documented escalation pathway for consumer-affecting issues identified through vendor operations

The Standard-by-Standard Review produced a prioritized remediation roadmap: 23 specific gaps mapped to the responsible operational owner, with a sequenced action plan and milestone dates calibrated to the certification deadline.

Phase 2: Policy Development and Process Engineering (Weeks 3–12)

IHS drafted and revised compliance documentation across all four Foundational Focus Areas. The approach was operational-first: before drafting any policy, IHS conducted working sessions with operational staff to understand how the organization actually functioned, then built policies that were both standards-compliant and operationally accurate. Policies written to satisfy a standards checklist without reflecting actual operations create a surveyable gap — staff cannot describe a procedure they do not follow.

Key deliverables in Phase 2:

  • Risk Management: Security and privacy policy suite with documented annual review cycle; business continuity and disaster recovery plan with documented tabletop exercise protocol; incident classification taxonomy with escalation triggers and response timeline requirements; security audit calendar with vendor assessment inclusion
  • Operations and Infrastructure: Revised operational policy suite reflecting actual workflows across care coordination support, analytics delivery, and administrative functions; third delegation agreement executed for the previously undocumented vendor relationship; delegation oversight audit templates and calendar for all three vendor relationships; revised job descriptions with URAC-aligned qualifications language; training completion tracking system with documented curriculum for each role
  • Performance Monitoring and Improvement: Quality Management Committee charter with defined membership, quarterly meeting cadence, voting procedures, and escalation authority; set of six performance measures with baseline data collection initiated; Quality Management Program documentation including improvement cycle, corrective action tracking template, and annual program evaluation structure; initial QMC meeting conducted with documented minutes and action items
  • Consumer Protection and Empowerment: Formal complaint and grievance policy with receipt, investigation, response, and escalation timeline requirements; consumer-affecting issue identification and escalation protocol for vendor-side operations; review and revision of analytics output templates and care coordination tool output formats for health literacy compliance; documented escalation pathway from vendor operations to health plan client for member-affecting issues

The organization began operating under new procedures at the point each policy was finalized — building operational evidence from week three onward rather than waiting until the submission was assembled.

Phase 3: Mock Survey (Weeks 13–15)

IHS conducted a two-round mock survey simulating the URAC review process. In the first round, IHS reviewed all documentation against HCM Certification standards and conducted structured interviews with eight staff members — operations leads, the quality management committee chair, the security officer, and customer-facing account managers — on their operational areas, escalation procedures, complaint handling processes, and delegation oversight responsibilities.

The first mock survey round identified four remaining gaps:

  • The Quality Management Committee had met once — minutes were documented, but one performance measure had no baseline data yet collected (a data pipeline delay)
  • One vendor delegation oversight audit had been completed; two were in progress but not yet documented
  • Two staff members could not accurately describe the complaint escalation process during structured interviews — indicating the policy had been written but not yet operationalized at the staff level
  • The business continuity plan tabletop exercise had been scheduled but not yet conducted

All four gaps were remediated before the second mock survey round. The second round confirmed full documentation compliance and staff operational alignment across all four Foundational Focus Areas. The organization was cleared for AccreditNet submission.

Phase 4: AccreditNet Submission (Week 16)

IHS assembled the full submission package — 47 documents across the four Foundational Focus Areas — and organized the AccreditNet upload with clear standard-by-standard mapping. Every document was labeled with the standards it satisfied, with cross-references for documents satisfying multiple standards. Explanatory context was included for non-obvious standard mappings to guide reviewers to the right evidence without requiring them to interpret document applicability independently.

The submission was organized to communicate a coherent narrative: a healthcare technology organization that had built a systematic, externally-auditable quality management framework appropriate to its operational scope, demonstrated through documented policies, operational evidence, and functioning quality management infrastructure.

Phase 5: URAC Review and RFI Response (Weeks 17–20)

URAC's review team issued two RFIs following the initial submission review:

  • RFI 1 (Operations and Infrastructure): URAC requested additional documentation of the delegation oversight audit process — specifically, evidence that the audit findings were reviewed and that corrective action had been taken or documented as not required. The initial submission included the audit templates and completed audit records for two of three vendors; URAC sought the documented review and disposition process.
  • RFI 2 (Performance Monitoring and Improvement): URAC requested documentation of how the Quality Management Committee's performance findings were linked to organizational improvement actions — the connection between identified performance gaps and the corrective actions taken in response.

IHS drafted both RFI responses within five business days. RFI 1 was resolved with a supplemental document showing the delegation oversight audit review process — a one-page template logging audit findings, disposition (corrective action required / not required), responsible party, and resolution date — completed for all three vendor audits. RFI 2 was resolved with a revised QMC minutes template demonstrating the explicit linkage between performance measure findings and improvement actions, plus a retrospective documentation of the linkage for the initial QMC meeting.

Both RFIs were resolved in a single response round. No second-round follow-up was required.

Outcome

  • Certification awarded: URAC Health Care Management Certification — three-year term
  • Total timeline: Five months from initial engagement to certification award
  • RFIs issued: Two — both resolved in a single response round
  • Contracting outcome: Health plan partner contract renewed with URAC HCM Certification documented as the quality validation credential
  • Operational outcome: Functioning quality management committee, documented performance measurement program, delegation oversight audit cycle for all three vendor relationships, and consumer protection documentation framework — all operational and producing evidence at the time of certification award

What This Engagement Illustrates

The Consumer Protection Assumption Is Almost Always Wrong

Every engagement involving a healthcare technology vendor or subcontracted health operations organization begins with the same assumption from the client: Consumer Protection and Empowerment is a low-risk domain because we do not interact directly with members. The Standard-by-Standard Review consistently identifies this assumption as incorrect. Any organization whose outputs, tools, or services influence decisions affecting health plan members — directly or indirectly — has Consumer Protection and Empowerment obligations. The scope of those obligations requires a specific assessment, not a categorical assumption.

Quality Management Systems Cannot Be Constructed in the Final Weeks Before Survey

The Performance Monitoring and Improvement standards require evidence of a functioning quality management system — committees that have met, performance data that has been collected and analyzed, improvement actions that have been taken in response to findings. None of this can be manufactured in the weeks before AccreditNet submission. Building a functioning QM system requires calendar time: you cannot compress three months of QMC meeting cadence into one month. This is why IHS begins building QM infrastructure in the first weeks of every engagement rather than the final weeks.

Delegation Oversight Is a Documentation Problem, Not a Relationship Problem

The organization had functional working relationships with all three subcontractors. The delegation oversight gap was not a relationship quality issue — it was a documentation issue. URAC does not evaluate whether vendor relationships are functioning; it evaluates whether the organization has documented oversight of those relationships in a way that demonstrates ongoing governance. Executed delegation agreements are the starting point, not the finish line. The audit records, issue logs, and corrective action documentation are what URAC's surveyors are looking for.

RFIs Are Manageable When the Initial Submission Is Well-Organized

This engagement produced two RFIs — a low number for a first-time URAC applicant. Both were substantive clarification requests rather than fundamental compliance gaps. The low RFI volume was a direct product of AccreditNet submission organization: clear standard mapping, cross-references, and explanatory context reduced the number of places where a reviewer was left to interpret document applicability. Well-organized submissions get cleaner reviews. This is not a stylistic preference — it materially affects RFI volume and review timeline.

Start Your HCM Certification Engagement

IHS works with healthcare technology vendors, subcontracted health operations companies, care coordination platforms, and other healthcare organizations pursuing URAC Health Care Management Certification for the first time or managing renewal cycles. Every engagement begins with a discovery conversation to assess organizational readiness, confirm credential fit, and scope the consulting engagement.

Thomas G. Goddard, JD, PhD — former Chief Operating Officer and General Counsel of URAC — leads every IHS engagement. There is no cost to the initial conversation.

Schedule a Free Discovery Session