URAC Core 22 -- Confidentiality of Individually-Identifiable Health Information


The Basics

Core 22 is what I call the "mini-HIPAA" standard, even though it predates HIPAA's privacy rules. It requires that the organization describe how Individually Identifiable Health Information ("IIHI") will be used and limit that use to those people for whom the use is necessary for business purposes. The organization must identify who will have access to IIHI and for what purposes, mandate that anyone who might touch IIHI (employees, contractors, committee members and board members) keep IIHI private, and require such people to sign a confidentiality statement.

URAC Accreditation Tips

Your HIPAA P&Ps and evidence of training on those P&Ps will suffice for purposes of the AccreditNet submission. However, one word of caution -- make sure that you don't limit this to employees. The most common mistake we've seen in our clients' applications is to have the privacy P&Ps apply to employees only, leaving out members of the governing board and/or non-employee members of committees (e.g., quality management and credentialing). Note that subsections (e) and (f) are quite specific about this.

One other thing about (f) -- this refers to patient confidentiality, not the confidentiality associated with proprietary information.  Make sure your documentation -- particularly the training and signed statements -- is clear on this point. 

The onsite review will involve an interview with the privacy officer, a close examination of signed confidentiality statements from employees, committee members, and board members, and training and other documentation regarding implementation of your privacy P&Ps.

Note that this is a mandatory standard -- no getting accredited without this one!