Pharmacy Core, Version 3.0 PHARM Core 15 - Information Confidentiality and Security
The Basics
This standard requires that your organization implement written policies and procedures addressing the confidentiality and security of its paper and electronic information systems. Those policies should demonstrate that your organization:
- assesses its risks and vulnerabilities concerning confidentiality, integrity, and availability of information systems;
- prevents breaches of confidentiality and security; and
- detects, contains, and corrects violations of confidentiality and security rules.
Management Tips
You can expect your policies and procedures to include:
- user access levels;
- limited access to PHI;
- the designation of the particular individual responsible for corporate compliance regarding confidentiality and security of information;
- control of computer terminals and any portable media devices;
- policies for telecommuters regarding information confidentiality and security; and
- fax machine protocols.
URAC Accreditation Tips
The risk assessment element is weighted 3; the other two elements are mandatory.
For the desktop review, you want to submit confidentiality and security risk assessments and the key policies and procedures addressing confidentiality and security.
During the on-site review, the reviewer will review your full set of policies and procedures regarding IT. In addition, he/she will interview management and staff members about information systems, and tour and observe equipment and data centers on-site for compliance with this standard.
