C-CPE 1-1: Privacy and Security of Consumer Health Information
This standard, which bears a strong resemblance to Core 4 in the previous versions of Core, describes the fundamental aspects of an effective compliance program:
- Tracking applicable laws and regulations. This is an ongoing process of tracking existing laws and regulations and keeping up with changes in those laws and regulations. So, you need to identify -- in a clear and specific policy and procedure -- who is tracking laws and regulations, current and changing, and how they are doing that tracking.
- Internal monitoring, auditing, and reporting. Your organization needs to think through and document the approach that best ensures and verifies compliance for an organization in your line of work.
- Responding promptly to issues. URAC’s expectation is that your organization define what “prompt” means, and that your approach is comprehensive with respect to risks, problems, and incidents that relate to compliance.
- Corrective actions to prevent future issues. This is a new requirement for URAC. Whenever your organization encounters a compliance issue, it must not only fix it (as required by the previous element) but also analyze why it happened and how to prevent similar issues from happening in the future.
- A clear identification of the organization’s compliance officer. PHARM Core v. 3.1 has this requirement, as does the compliance standard for health plans. By adding it here, URAC is now declaring that all organizations subject to the Core standards must identify a compliance officer to oversee the compliance program.
Among first-time applicants, the least well-understood aspect of this standard is the first element. Think about it this way: if you were hired by your organization as the Compliance Officer with the instruction, “make sure we don’t break the law,” your first question should be, “which laws apply to us?” The first element of this standard is, very simply, the process your organization has in place to answer that question, both today and going forward. Be sure to break it into two pieces:
- How do I track the laws and regulations that apply to us today? And
- How will I keep up to date with changes in those laws and regulations?
Be sure to cover all the laws that apply to your organization, including laws prohibiting discrimination, privacy and security laws (e.g., HIPAA, HITECH), FWA, state clinical practice, consumer protection, consent, and anything else that governs how your organization operates, or at least that part of your organization that is going through URAC accreditation.
A good way to address the monitoring and auditing element is to draft up a policy or portion of the compliance program description that identifies each law or regulation that applies and, for each, explains how your organization will monitor compliance with that law or regulation.
For the third element, be sure you define, with specificity, the time frames under your definition of “prompt”. It will not suffice to say that your organization promptly responds to identified issues.
Submit the following documents, at a minimum:
- Compliance program description or collection of compliance P&Ps that address all the elements of this standard; and
- Compliance officer job description.
In addition, if needed to demonstrate compliance with this standard’s five elements beyond the above two documents, submit a combination of bylaws, screenshots, meeting minutes, graphs, dashboards, etc. Be sure that whatever you submit is an official company document, not merely something written up to explain your compliance program to URAC. Also, be certain that your documents are specific about who is charged with the functions and how staff will perform those functions.
We also recommend that you submit a sample Business Associate Agreement of the sort you would use for any vendors that touch PHI.
The URAC reviewer will interview members of the management team involved in compliance, including the compliance officer.
On the day of the validation review, be sure that you have ready for the reviewer the following logs, from which the reviewers will select a sample for closer review:
- All business licenses and registrations across all relevant jurisdictions;
- List of all vendors that touch PHI and/or IIHI. From this list, the reviewer will select vendors for which you should be prepared to provide the BAA and the vendor agreement, making sure that the vendor agreement is specific enough to explain how PHI/IIHI moves between your organizations, is stored, and, if applicable, destroyed.
The URAC reviewer also will review committee meeting agendas and minutes that relate to compliance. Be sure that all such minutes include any attachments referenced in the minutes.