 HIPAAdvisory > HIPAAnews Phoenix Health Systems

JCAHO, NCQA Establish Privacy Certification for Business Associates

WASHINGTON and OAKBROOK TERRACE, IL, June 17, 2003 – The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) and the National Committee for Quality Assurance (NCQA) announced yesterday that their new Privacy Certification Program for Business Associates (PCBA) will officially launch this month. Eight organizations have now committed to seek certification.

The new program is designed to assess whether organizations referred to as business associates under HIPAA are meeting essential requirements for safeguarding protected health information (PHI). Certain protections for PHI are required by sections of the HIPAA privacy and security regulations. These regulations establish specific expectations for "covered entities," like health plans and hospitals, which are in turn required to obtain satisfactory assurances that their business associates are appropriately protecting private health care information.

The standards for the new Privacy Certification for Business Associates address:

  • privacy protections for oral, written and electronic health information;
  • processes and practices respecting the use, disclosure, and secure storage of personal health information;
  • employee training in protecting personal health information;
  • consumer access to their own health information; and
  • contracting between covered entities and their business associates.

The program standards are based both on HIPAA and on state-of-the-art information practices in the health care industry. Any business associate that handles PHI for health care providers, health plans, or health care clearinghouses will be eligible for the program.

The early participants in the Privacy Certification for Business Associates program will include four disease management organizations, two Health Plan Employer Data and Information Set (HEDIS) survey vendors, a health care information technology firm, and an imaging organization. The eight organizations are:

The eight organizations will initially use a Web-based tool to assess their compliance with the program standards. Once the requested materials have been submitted, a survey team will conduct an on-site review of the organization. Each review will yield a pass/fail decision, and "pass" results will be valid for two years. Surveys are expected to begin in August.

For more information about Privacy Certification for Business Associates, please call William Tulloch, Director, Product Development at (202) 955-5145, or Anthony Tirone at (202) 783-6655.