URAC Core 13(b) -- Data Confidentiality and Security


The Basics

This subsection requires, quite simply, that the organization's IT system provide for confidentiality and security.  It is far broader than Core 22, which addresses only the preservation of the confidentiality of individually identifiable health information (IIHI).  This standard, in fact, goes beyond HIPAA Privacy and Security regulations, in that it is not limited to health information covered by HIPAA.

So, each employee who handles the organization's information needs to be fully versed in the comprehensive array of policies and procedures (P&Ps) designed to keep all the organization's information out of the hands of people who should not have access to it, whether it be health information, trade secrets, or provider credentialing data.  This applies to information held on electronic media and on paper alike.

Management Tips

A comprehensive P&P or set of integrated P&Ps is our recommended approach to this requirement, so that like policies work seamlessly regardless of where information is located or by which department it is "owned."  The modern healthcare organization shares information across departments more fluidly than earlier organizations, and its P&Ps should reflect that integration.  It is acceptable to URAC, however, to address the various components of these issues in separate P&Ps, so long as nothing important falls through the cracks between them.

URAC Accreditation Tips

Documentation for this primary element of a mandatory standard focuses on the applicable P&Ps.  High-level program descriptions also will suffice.  There is no need to submit highly technical documents, however.

The onsite review will focus on interviews with IT and operations management personnel and a tour.  Note that the tour will cover not only the server room(s) but the whole company, as this standard addresses fax machines, file cabinets, and other mechanisms that are relevant to how information comes into and flows out of the organization.