URAC, a healthcare accreditation and education organization, is holding a public comment period for revisions to the HIPAA Privacy and Security standards.
Purchasers, policy makers, consumers, healthcare providers, healthcare management organizations, health plans, electronic medical records and software companies are being urged to review the revised standards and provide feedback now through August 3, 2009.
"In order to establish effective standards that protect consumers' most intimate information, URAC wants to leverage the expertise of key stakeholders that can help us better understand current practices and challenges within the industry," said Doug Metz, chair of URAC's Health Standards Committee (HSC) and executive vice president and chief health services officer for American Specialty Health. "The Health Standards Committee completed its review of the changes last month, and now we want to provide the public an opportunity to comment."
URAC was required to update its HIPAA Privacy and Security standards to ensure that URAC-accredited companies would meet the new ARRA privacy provisions, which are either presently in effect or will be in effect by February 17, 2010.
Under the ARRA provisions, business associates, such as attorneys, third party administrators, regional health information exchanges, data analysts, claims processors, or billing benefits managers for healthcare providers, must also comply with 32 security standards, as well as additional privacy standards depending upon their access to electronic protected health information through the services they provide to covered entities such as a healthcare provider or health plan.
The proposed ARRA revisions also include civil and criminal penalties, which require organizations to provide training on the various penalties, the fine amount and the circumstances under which they apply. ARRA outlines specific guidelines expanding the enforcement powers of State Attorneys General, who will have the authority to work on behalf of their state's residents to bring civil actions, stop violations, or obtain monetary damages. Although state action is limited while federal action is pending, this applies to all covered entities, business associates and individuals with access to private patient information.
"We know how difficult it is to navigate all of the requirements for HIPAA compliance," said Bill Braithwaite, member of URAC's HIPAA Accreditation Committee. "That is why URAC is committed to helping educate our clients and ensuring that by meeting our high quality standards, they are positioned to gain HIPAA compliance. We also want consumers to feel confident sharing their most personal health information. By working with industry leaders to continually improve our standards, we are also giving consumers that degree of security and comfort."
The revised URAC HIPAA Privacy and Security standards are available for review and comment at http://www.urac.org/publiccomment/.
Final draft standards and measures are expected to be reviewed by URAC's board of directors in October 2009.