Riding the HIPAA compliance train can be bumpy for many covered entities, but health care accrediting giant URAC hoped to keep CEs from derailing when it announced the creation of two new HIPAA accreditation programs.
The Utilization Review Accreditation Commission (URAC) Jan. 16 announced its plans to create a compliance program specifically addressing many of the provisions of the Health Insurance Portability and Accountability Act. URAC’s new “HIPAA strategy” will offer two new accreditation programs: HIPAA Privacy Accreditation and HIPAA Security Accreditation, the organization announced.
Organizations can seek either one of the programs or both, and URAC says it is designing its programs to accommodate all types of CEs, including business associates. URAC president and CEO Gary Carneal said health care organizations have invested vast amounts of their resources in their efforts to become compliant with HIPAA, and claims URAC’s new certification program will “assure customers they have followed good practices to protect patient information.”
The certification programs will look for the existence of policies and procedures CEs have in place with regard to HIPAA compliance. URAC will scrutinize those policies and procedures.
Take the security rule, for example. Although the requirements may change with the muchanticipated release of the final rule, the fundamental fact is that the draft rules ask CEs to implement ongoing security risk management within their organizations, says Lisa Gallagher, URAC senior vice president for Information and Technology Accreditation.
“That’s really what we’re going to look at. Are those [risk management] policies in place as a fundamental process on an ongoing basis to support their HIPAA compliance?” Gallagher asks.
That’s the key inquiry URAC’s accreditation assessment teams will ask: Has the CE implemented policies and procedures that will support ongoing HIPAA compliance? That goes for both for privacy and security matters. In other words, if you have the fundamental systems in place to continually support your compliance needs, you’re in great shape for certification.
But accreditation comes with a cost. Gallagher says the process will naturally be scalable to account for the specific needs, including the size, of a CE seeking accreditation in one or both of the programs. She tells Eli that small providers could expect to pay several thousand dollars for certification, while larger CEs could receive a bill for $10,000 or more.
URAC isn’t wasting any time with getting its program operational. The organization hopes to be ready to begin its programs in early February. “We’ll release copies of the [privacy rule] standards
on [Feb. 10], and for the security standards, we’re aiming for the end of February,” Gallagher anticipates.