Core 4.0 Pre-release

C-CPE 1-1: Privacy and Security of Consumer Health Information

Submitted by: Tom Goddard

The Basics

This standard, which bears a strong resemblance to Core 16 in the previous versions of Core, describes the requirements for the protection of consumer health information (PHI and IIHI in non-workers compensation organizations):

  • BAAs with all business associates;
  • Clear description of the responsibility of individuals and entities that have access to PHI and IIHI to protect that information;
  • Policies that describe how PHI and IIHI are protected from individuals or entities that work in the vicinity of consumer health information; and
  • Policies describing how the organization detects, contains, and corrects violations of privacy and security.

Management Tips

We recommend that, for vendors that touch PHI or IIHI, you ensure that you have both an executed business associate agreement and a vendor agreement that explicitly addresses how the vendor will protect consumer health information.

Be sure your policies address both:
  • individuals and organizations that have access to consumer health information and
  • individuals and organizations that work in the vicinity of such information.

Some of the ways you can address such business associates include training, attestations, contracts, etc.

Accreditation Tips

Desktop Review

Submit the following documents, at a minimum:

  • Business Associate Agreement template or sample
  • Detailed policies that address protection of consumer health information from vendors with access or incidental contact with consumer health information. Be sure to address even accidental exposure to such information in your policies.
  • Policies addressing, in detail, how your organization detects, contains, and corrects violations of privacy and security.

Validation Review
The URAC reviewer will interview members of the management team involved in privacy and security, including the compliance officer, IT staff, and others.

The reviewer also will tour areas in your offices that have consumer health information to ensure that you are adequately safeguarding that information. They might even check your garbage cans to make sure there's no PHI in them.

Front line staff members may be interviewed to assess their understanding of privacy and security requirements.

Document Review

On the day of the validation review, be sure that you have ready for the reviewer all of the BAAs and vendor agreements with individuals and entities with access to or proximal contact with consumer health information.

The reviewer also will want to see, for each vendor that touches or is near consumer health information, documentation demonstrating that you have made the vendor's responsibility to protect consumer health information clear to that vendor. In addition, the reviewer will want to see documentation of how you confirm that the vendor is honoring its responsibility for such protection.
