URAC Releases Draft HIPAA Privacy Standards for Public Comment
February 10, 2003 -- Today URAC released a draft set of HIPAA Privacy
Accreditation standards for public comment. When completed later
this year, the new program will enable health care organizations
to display a commitment to fair information practices, and to demonstrate
that they have taken the necessary steps to protect health information
privacy in accordance with the HIPAA Privacy Rule. Comments on the
draft standards are due March 12.
"The purpose of this accreditation program is to verify that
an organization has put in place the necessary infrastructure and
implemented the necessary processes to comply with the HIPAA Privacy
Rule," said Garry Carneal, URAC president and CEO. "URAC
supports fair information practices, and recognizes the value that
health information privacy adds to the health care process."
URAC health information Privacy Accreditation will provide value
to health care organizations by:
- Allowing internal verification of HIPAA privacy compliance efforts;
- Providing a convenient source of industry best practices and
certification by external reviewers;
- Assuring customers/patients that appropriate steps are being
taken to protect health information;
- Demonstrating to current and potential business partners good
faith efforts to meet HIPAA requirements;
- Supporting the organization's risk management efforts;
- Allowing the organization to demonstrate to regulators and other
stakeholders that the organization has taken reasonable steps
to achieve compliance with the HIPAA Privacy Rule; and
- Providing evidence to potentially reduce penalties/sentences
for organizations that experience a privacy event or breach.
"This accreditation program is designed to be relevant to
all health care organizations expected to comply with the HIPAA
Privacy Rule," added Carneal. "These include covered entities,
business associates, and organizations that, while not legally subject
to HIPAA, still wish to validate their HIPAA compliance program.
Since different organization types need to comply with certain HIPAA
requirements, we intend to take a situational approach in determining
which of the HIPAA Privacy Accreditation standards apply."
In developing the draft standards, URAC tried to stay within the
scope of the requirements of the HIPAA Privacy Rule. The goal was
to articulate the HIPAA requirements as simply and directly as possible,
in a manner that could then be verified through the accreditation
process. In general, URAC avoided including requirements not explicitly
stated in the HIPAA Privacy Rule, unless such requirements are strongly
implied in the Rule itself.
URAC HIPAA Privacy Accreditation will last for two years, at which
time the accredited organization will submit a reaccreditation application
and be reviewed by URAC before accreditation is granted for another
two years.
URAC is committed to having the broadest possible input into its
standards development process, and strives to ensure that accreditation
is meaningful to stakeholders across the health care spectrum, including
consumers, purchasers, providers, regulators, and health care organizations.
Public input is a very important part of this process, which is
why there is a public comment period. Email comments@urac.org
to submit your comments regarding the HIPAA Privacy standards.
In addition to collecting public comment, URAC also evaluates its
standards through a beta-testing process. Organizations interested
in serving as beta-sites for this new accreditation program should
contact Information and Technology Accreditation at (202) 216-9010
or ita@urac.org.