The Basics

This is what I call the "mini-HIPAA" standard, even though it predates HIPAA's privacy rules.  It requires that the organization describe how Individually Identifiable Health Information ("IIHI") will be used and limit that use to those people for whom the use is necessary for business purposes.  The organization must identify who will have access to IIHI and for what purposes, to mandate anyone who might touch IIHI (employees, contractors, committee- and board-members) to keep IIHI private, and to require such people to sign a confidentiality statement.

Management Tips

Make sure your P&Ps address any personnel (employees or agents) who might have access to IIHI, whether it be in electronic or paper format.  This standard also addresses how your organization notifies consumers of their privacy rights.  

Beware of state regulatory standards that may be more restrictive than federal or URAC requirements.  Your staff members need to be trained in the most restrictive requirements, wherever they come from.

URAC Accreditation Tips

Note that this has six mandatory elements -- no getting accredited without this one!

Your HIPAA P&Ps and evidence of training on those P&Ps will suffice for purposes of the AccreditNet submission. However, one word of caution -- make sure that you don't limit this to employees. The most common mistake we've seen in our clients' applications is to have the privacy P&Ps apply to employees only, leaving out members of the governing board and/or non-employee members of committees (e.g., quality management and credentialing). Note that subsections (e) and (f) are quite specific about this.

One other thing about (f) -- this refers to patient confidentiality, not the confidentiality associated with proprietary information.  Make sure your documentation -- particularly the training and signed statements -- is clear on this point. 

The onsite review will involve an interview with the privacy officer, a close examination of signed confidentiality statements from employees, committee members, and board members, and training and other documentation regarding implementation of your privacy P&Ps.