Core 3.2

CORE 15 - Information Confidentiality and Security

Submitted by: Tom Goddard

The Basics

This standard requires that your organization implement written policies and procedures addressing the confidentiality and security of its paper and electronic information systems. Those policies should demonstrate that your organization:

  • assesses its risks and vulnerabilities concerning confidentiality, integrity, and availability of information systems;
  • prevents breaches of confidentiality and security; and
  • detects, contains, and corrects violations of confidentiality and security rules.

Management Tips

Your policies and procedures should be expected to cover:

  • user access levels;
  • limits on access to PHI;
  • the designation of the individual responsible for corporate compliance regarding the confidentiality and security of information;
  • control of computer terminals and any portable media devices;
  • policies for telecommuters regarding information confidentiality and security; and
  • fax machine protocols.
Reviewers may also ask questions such as:
  • What intrusion detection software is being used?
  • Is there a program to encrypt emails to guard against unintentional breaches of confidential information?
  • What virus protection is installed?
  • Does the organization's IT department block IP addresses?
There has been increasing interest from URAC reviewers in seeing thorough documentation of the risk assessment (risk analysis) process. Be sure that this process is formalized and well documented.
To address breach prevention, your policies must detail the organization's technical and physical safeguards against breaches.
The detection component of this standard requires P&Ps outlining how your organization monitors security access levels, detects and contains breaches, and prevents recurrence of breaches once they are detected.

Accreditation Tips

Desktop Review
For the desktop review, submit your confidentiality and security risk assessments and the key policies and procedures addressing confidentiality and security.
Validation Review
The URAC reviewer will interview management and staff members about the information systems, and will tour and observe equipment and data centers on-site to check compliance with this standard.
Document Review
During the on-site review, the reviewer will examine the breach/incident log, as well as documentation of the risk assessment process.