Core 4.0 Pre-release

C-RM 1-1: Regulatory Compliance and Internal Controls

Submitted by: Tom Goddard

The Basics

This standard, which bears a strong resemblance to Core 4 in the previous versions of Core, describes the fundamental aspects of an effective compliance program:

  • Tracking applicable laws and regulations. This is an ongoing process of tracking existing laws and regulations and keeping up with changes in those laws and regulations. So, you need to identify -- in a clear and specific policy and procedure -- who is tracking laws and regulations, current and changing, and how they are doing that tracking.
  • Internal monitoring, auditing, and reporting. Your organization needs to think through and document what the best approach for ensuring and verifying compliance is for an organization in your line of work.
  • Responding promptly to issues. URAC’s expectation is that your organization define what “prompt” means, and that your approach is comprehensive with respect to risks, problems, and incidents that relate to compliance.
  • Corrective actions to prevent future issues. This is a new requirement for URAC: whenever your organization encounters a compliance issue, it must not only fix the issue (as required by the previous element) but also analyze why it happened and how to prevent similar issues from happening in the future.
  • A clear identification of the organization’s compliance officer. PHARM Core v. 3.1 has this requirement, as does the compliance standard for health plans. By adding it here, URAC is now declaring that all organizations subject to the Core standards must identify a compliance officer to oversee the compliance program.

Management Tips

Among first-time applicants, the least well-understood aspect of this standard is the first element. Think about it this way: if you were hired by your organization as the Compliance Officer, with the instructions, “make sure we don’t break the law,” your first question should be, “Which laws apply to us?” The first element of this standard is, very simply, the process that your organization has in place to answer that question, both today and going forward. Be sure to break it into two pieces:

  • How do I track the laws and regulations that apply to us today? And
  • How will I keep up to date with changes in those laws and regulations?

Be sure to cover all the laws that apply to your organization, including laws prohibiting discrimination, privacy and security laws (e.g., HIPAA, HITECH), FWA, state clinical practice, consumer protection, consent, and anything else that governs how your organization operates, or at least that part of your organization that is going through URAC accreditation.

A good way to address the monitoring and auditing element is to draft up a policy or portion of the compliance program description that identifies each law or regulation that applies and, for each, explains how your organization will monitor compliance with that law or regulation.

For the third element, be sure you define, with specificity, the time frames under your definition of “prompt”. It will not suffice to say that your organization promptly responds to identified issues.

Accreditation Tips

Desktop Review

Submit the following documents, at a minimum:

  • Compliance program description or collection of compliance P&Ps that address all the elements of this standard; and
  • Compliance officer job description.

In addition, if needed to demonstrate compliance with this standard’s five elements beyond the above two documents, submit a combination of bylaws, screenshots, meeting minutes, graphs, dashboards, etc. Be sure that whatever you submit is an official company document, not merely something written up to explain your compliance program to URAC. Also, be certain that your documents are specific about who is charged with the functions and how staff will perform those functions.

We also recommend that you submit a sample Business Associate Agreement of the sort you would use for any vendors that touch PHI.

Validation Review

The URAC reviewer will interview members of the management team involved in compliance, including the compliance officer.

Document Review

On the day of the validation review, be sure that you have ready for the reviewer the following logs, from which the reviewers will select a sample for closer review:

  • All business licenses and registrations across all relevant jurisdictions;
  • List of all vendors that touch PHI and/or IIHI. From this list, the reviewer will select vendors for which you should be prepared to provide the BAA and the vendor agreement, making sure that the vendor agreement is specific enough to explain how PHI/IIHI moves between your organizations, is stored, and, if applicable, destroyed.

The URAC reviewer also will review committee meeting agendas and minutes that relate to compliance. Be sure that all such minutes include any attachments referenced in the minutes.
