Core 4.0 Pre-release
C-CPE 1-1: Privacy and Security of Consumer Health Information
This standard, which bears a strong resemblance to Core 16 in the previous versions of Core, describes the requirements for the protection of consumer health information (PHI and IIHI in non-workers compensation organizations):
- BAAs with all business associates;
- Clear description of the responsibility of individuals and entities that have access to PHI and IIHI to protect that information;
- Policies that describe how PHI and IIHI are protected from individuals or entities that are merely in the vicinity of consumer health information (incidental contact rather than authorized access); and
- Policies describing how the organization detects, contains, and corrects violations of privacy and security.
We recommend that, for vendors that touch PHI or IIHI, you ensure that you have both an executed business associate agreement and a vendor agreement that explicitly addresses how the vendor will protect consumer health information.
Be sure your policies address both:
- individuals and organizations that have access to consumer health information and
- individuals and organizations that work in the vicinity of such information.
Submit the following documents, at a minimum:
- Business Associate Agreement template or sample
- Detailed policies that address protection of consumer health information from vendors with access or incidental contact with consumer health information. Be sure to address even accidental exposure to such information in your policies.
- Policies addressing, in detail, how your organization detects, contains, and corrects violations of privacy and security.
The URAC reviewer will interview members of the management team involved in privacy and security, including the compliance officer, IT staff, and others.
The reviewer also will tour areas in your offices that have consumer health information to ensure that you are adequately safeguarding that information. They might even check your garbage cans to make sure there's no PHI in them.
Front line staff members may be interviewed to assess their understanding of privacy and security requirements.
On the day of the validation review, be sure that you have ready for the reviewer all of the BAAs and vendor agreements with individuals and entities with access to or proximal contact with consumer health information.
The reviewer also will want to see, for each vendor that touches or is near consumer health information, documentation demonstrating that you have made the vendor's responsibility to protect consumer health information clear to that vendor. In addition, the reviewer will want to see documentation of how you confirm that the vendor is honoring its responsibility for such protection.