
NCQA Releases Draft Standards for Nation's First Privacy Certification Program for Business Associates 12/16/2002
From: Brian Schilling or Barry Scholl, 202-955-5104 or 202-955-5197
Both for the National Committee for Quality Assurance

WASHINGTON, Dec. 16 -- The National Committee for Quality Assurance (NCQA) today released for public comment the draft standards for its new Privacy Certification for Business Associates (PCBA) program. The program is the nation's first and only program to certify that "business associates" (e.g., disease management organizations, software vendors, data collection firms) have processes for handling protected health information (PHI) that are consistent with new federal requirements to safeguard such information.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) introduces penalties for "covered entities" such as health plans, providers and health care clearinghouses that fail to act when they are aware that such information is not adequately protected. HIPAA calls for covered entities to obtain "satisfactory assurances" from their business associates that PHI is safeguarded appropriately.

"In the electronic era, privacy is everybody's business," said NCQA President Margaret E. O'Kane. "Our new certification program will help covered entities identify business associates they can trust with protected health information, and it will help them keep this information out of the wrong hands."

Increased incidents of unauthorized access to and improper handling of PHI, particularly information stored and sent electronically, gave rise to the HIPAA privacy regulations. Examples of such incidents include a Michigan-based health system posting thousands of patients' medical records to the Internet and a health plan distributing e-mails containing sensitive patient information to the wrong recipients.

NCQA's PCBA program will closely track with the final HIPAA privacy regulations.

Proposed program requirements relate to:

- privacy protections for oral, written and electronic PHI
- processes and practices for the storage, use and disclosure of PHI
- employee training in PHI protections
- consumer access to PHI
- contracting between covered entities and their business associates.

The PCBA program will use NCQA's online Accreditation/Certification platform, which will allow much of the review to be conducted off-site. Organizations undergoing a review will first complete a Web-based self-assessment (which allows applicants to determine their readiness for a review) and submit these results online. Following the on-site portion of the review, NCQA will deliver a pass/fail decision, with "pass" results remaining valid for two years.

"This new certification program meets an urgent need created under the HIPAA privacy regulations," said Jim Bradley, Chief Executive Officer, RxHub and Chair-Elect, NCQA Board of Directors. "Participants will demonstrate nationally that they safeguard the privacy of protected health information and will distinguish themselves in the increasingly competitive health care marketplace."

Any business associate that handles PHI for health plans, providers or health care clearinghouses is eligible for the program. Such entities include, but are not limited to, software firms; health care IT firms; data collection, analysis and processing firms; practice management firms; third-party administrators; disease management firms and survey vendors.

To help inform the development of the PCBA program, NCQA convened a Privacy Certification Advisory Committee (see attached). Final certification standards will be available in spring 2003, with surveys scheduled to begin in July. HIPAA regulations were released in December 2000, and the deadline for compliance is April 14, 2003, although covered entities have until April 14, 2004 to obtain necessary satisfactory assurances.

NCQA is accepting applications for "early adopters" through December 31. The first 10 applicants that agree to submit their self-assessment results to NCQA within six months of the release of final program standards (scheduled for May 2003) will be eligible for a 20 percent discount on their introductory survey. In addition, these organizations will receive a complimentary Webcast educational program addressing all program requirements, which will assist them in preparing for their review. All organizations that register for early adopter status before December 31 will be listed in a forthcoming press release and a future issue of NCQA Update, which is delivered to major covered entities. To date, four organizations (three disease management organizations and a survey vendor) have committed to participate.

The draft standards can be downloaded from NCQA's Web site, www.ncqa.org. NCQA will accept comments on the standards through January 31.

NCQA is a private, non-profit organization dedicated to improving health care quality. NCQA accredits and certifies a wide range of health care organizations, including managed care organizations, preferred provider organizations, medical groups and individual physicians. NCQA is committed to providing health care quality information through the Web and the media in order to help consumers, employers and others make more informed health care choices.

------

PRIVACY CERTIFICATION FOR BUSINESS ASSOCIATES ADVISORY COMMITTEE MEMBERS

- Lesley Berkeyheiser, The Clayton Group
- Roger Gates, DSS Research
- Debra Hopkinsen, Electronic Healthcare Network Accreditation Commission (EHNAC)
- Sam Karp, California HealthCare Foundation
- Wilma Kidd, Anthem Blue Cross Blue Shield
- T. Lane MacAlester, RxHub
- Richard Marks, Davis Wright Tremaine, L.L.P.
- Deanna McFadden, Caremark
- Susan Miller, The Kearny Group, L.L.C.
- Dena Rus, AdvancePCS
- Ben Steffen, Maryland Health Care Commission
- Margaret Van Amringe, Joint Commission on Accreditation of Healthcare Organizations (JCAHO)