Last year, URAC, an accreditation organization for health and managed care organizations, released its HIPAA Privacy and Security Accreditation standards.

The URAC HIPAA accreditation standards are designed to help health care organizations demonstrate that they have adopted the necessary policies and procedures to ensure that health information within their organization is secure, private and handled in accordance with HIPAA regulations.

Full accreditation through URAC is a complete, third-party assessment in which URAC reviews documentation and performs on-site reviews, including review of the organization's policies and procedures to ensure ongoing compliance with HIPAA rules. HIPAA accreditations are available for HIPAA covered entities and business Associates.

"Both accreditation standards are voluntary assessments of an organization's ongoing compliance posture and we are seeing a lot of interest from covered entities and business associates alike," Lisa A. Gallagher, senior vice president in URAC's health information technology department, said.

Need for assessment
Typically, an organization's approach to HIPAA compliance includes many activities, such as PHI flow analysis, training, policy and procedure refinement, and other self-assessment activities. URAC recommends -- similarly to other accrediting organizations -- that providers and health plans first perform gap and risk analyses, and based on the results of those activities determine what they need to do to comply with the HIPAA privacy and security rules. After all of these activities and a thorough self-assessment, many organizations find value in a third-party assessment. The resultant accreditation can provide them with a convenient compilation of documented and demonstrated due diligence, thereby supporting their organization's overall risk management efforts.

"These accreditations help clearly identify an organization as being in the forefront of compliance implementation and addressing the use of technology," Gallagher said.

Accreditation benefits
More than 40 companies have achieved HIPAA privacy accreditation through URAC, which recently announced its first accreditations under the security standards.

"[Achieving] URAC HIPAA security accreditation demonstrates that each company has designed and implemented a quality-based HIPAA compliance program," said Garry Carneal, JD, MA, URAC's president and CEO. "URAC recognizes the need to promote security practices and safeguards in health care, and to provide a process, through accreditation, that allows health care organizations to document to their customers and other third parties that they are following good practices to protect patient information."

Companies recently accredited include American Specialty Health, Inc. (a covered entity and business associate) and its nine subsidiaries, and MedRisk, Inc. (a business associate)

George DeVries, chairman, president and CEO of American Specialty Health, said in a statement that his organization wants to provide quality health services and "HIPAA accreditation reflects ongoing efforts to ensure our members' needs are being met."

Jerry Poole, COO of MedRisk, added, "As a manager of specialty medical networks, we need to safeguard the personal health information of our clients' claimants. As a provider of expert systems to health insurers, we need to ensure that our information technology is reliable and secure. URAC's HIPAA accreditation is the 'gold standard' that demonstrates our achievement with these objectives."

Option for small providers
In addition to the privacy and security accreditation programs, URAC has developed a HIPAA solution for small providers or organizations that might have difficulty "resourcing" a full-blown accreditation effort. "We wondered how we could serve the small provider, small pharmacy and small health plan that might want a measurable benefit from its HIPAA implementation," Gallagher said. "We developed the HIPAA Small Provider Registry to aid these organizations in asserting their efforts to comply with the HIPAA Privacy and Security Regulations." 

The HIPAA Small Provider Registry is not an accreditation program; rather, it's a URAC-hosted registry of HIPAA compliance self-attestations by small organizations. URAC does not perform third-party reviews in this abbreviated registrar category. The intent is solely to give small organizations a venue to assert the results of their good faith efforts to comply with the HIPAA rules.

The Registry program is provided through URAC-approved registrars, who supply the tools to help an organization or provider get through the HIPAA implementation process. "Basically, the organization can use the tools from one of our registrars and determine gaps," Gallagher said. "The tools are also helpful in writing the policies and procedures."

Once an organization or provider completes the necessary implementation steps based on identified gaps, then an organization's corporate officer (e.g., CEO, COO, HIPAA compliance officer) can attest to the steps that have been taken to address the HIPAA privacy and security regulations. An organization is then registered on URAC's Web site.

The privacy and security pieces of the Registry are based on analysis of the organization's ever-changing risks, and re-calculating controls and adjustments. The registry is voluntary and shows the organization's good faith effort in complying with the rule. It's not a third-party assessment by URAC or the tool vendor.

Incentives for smaller organizations
"Small providers may feel that it's not worth their time or effort because they think there may not be rigorous enforcement of the HIPAA regulations. There is really no way to see an immediate return on their investments, but they want to remain proactive to their patients and customers, once they have made good-faith efforts," Gallagher said. "Our concern was that smaller providers would not be implementing a HIPAA plan due to a lack of funding, a lack of understanding of the HIPAA regulations, a lack of incentives/drivers to comply. This registry attests to their good-faith efforts to comply with the regulation," she added.

"Organizations want to comply with the rule, but they may be facing issues such as staff who don't fully understand the regulation," she said. "When the Privacy deadline passed and there was a great sigh of relief that the sky hadn't fallen, HIPAA became less of a priority than other costs/drivers in organizations. Most of the small providers have done some HIPAA preparations, Gallagher added. "I wouldn't say, however, that they've done a comprehensive gap analysis. They need to be encouraged to do that. URAC feels that the Registry is one way to do that."

Mr. Mitchell is managing editor of ADVANCE for Health Information Executives.