Health Information Compliance Alert

Business Associates: NCQA TO CREATE LIST OF WHO'S NAUGHTY AND WHO'S NICE

Are you certain your business associates have the necessary means for safeguarding protected health information? The NCQA is creating a program to certify business associates who handle PHI, and the organization is seeking your input to that end.

The National Committee for Quality Assurance Dec. 16 made public its plan to create a Privacy Certification for Business Associates (PCBA) program that would help health plans and other covered entities find business associates that appropriately safeguard protected health information.

NCQA proclaims it the “nation’s first and only program to certify that ‘business associates’ have processes for handling [PHI]” consistent with the Health Insurance Portability and Accountability Act’s privacy requirements. The program would demand: privacy protections for oral, written and electronic PHI; processes for ensuring proper storage, use and disclosure of PHI; employee training in PHI protections; certain requirements relating to consumer access to PHI; and restrictions on contracting between CEs and their business associates.

“Our new certification program will help covered entities identify business associates they can trust with [PHI], and it will help them keep this information out of the wrong hands,” said NCQA President Margaret O’Kane in a release.

So, how will the program work? According to the watchdog organization, the NCQA’s program will consist of an online “Accreditation/Certification platform,” which calls for organizations seeking certification to undergo a self-assessment to determine if the applicant is ready for a review.

If the CE is prepared for the review, the results will be analyzed by NCQA and will result in a pass or fail decision. A “pass” will result in a valid certification for two years.

By undergoing certification review, a BA can “demonstrate to covered entities their willingness and ability to protect, use and disclose” PHI in full compliance with HIPAA, and CEs can use the certification in lieu of performing their own individual due diligence measures, according to the organization.

Minimum privacy standards would be set to help covered groups understand how to step in line with compliance, and the draft standards will provide a scalable, flexible program that accommodates organizations of different size, location, complexity, et cetera.

NCQA believes certification will be a boon to business associates and will make them more marketable to CEs who seek reliable business partners.

“Participants will demonstrate nationally that they safeguard the privacy of [PHI] and will distinguish themselves” in the health care marketplace, said Jim Bradley, CEO of St. Paul, MN’s RxHub, a health care technology company.

Get a Contract

But even though the draft standards may alleviate some insecurity felt among CEs and BAs, some say the HHS has already made it clear that certification isn’t an issue for BAs. “HHS isn’t going to lend any credence to certification,” says Robert Markette with Indianapolis-based Gilliland & Caudill.

Markette says that sentiment may change down the road, but at this juncture the HHS isn’t impressed by certification. “They want to see a contract in place,” Markette explains.

NCQA is accepting comments on the draft standards through Jan. 31. The program’s Privacy Certification Advisory Committee will oversee the development of PCBA, and surveys are slated to begin in July 2003. As of Dec. 16, four organizations had committed to participate in the program.

Editor’s Note: You can view the NCQA’s draft standards online at http://www.ncqa.org/Programs/Accreditation/Certification/BAC/finalPB.pdf
