
JCAHO, NCQA Establish Privacy Certification for Business Associates Program; Eight Organizations Commit to Surveys

6/16/2003

From: Charlene D. Hill of the Joint Commission on Accreditation of Healthcare Organizations, 630-792-5175; or Brian Schilling of the National Committee for Quality Assurance, 202-955-5104

OAKBROOK TERRACE, Ill., June 16 -- The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) and the National Committee for Quality Assurance (NCQA) today announced that their new Privacy Certification Program for Business Associates (PCBA) will officially launch this month. Eight organizations have now committed to seek certification.

The new program is designed to assess whether organizations referred to as business associates under the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996 are meeting essential requirements for safeguarding personally-identifiable health information. Certain protections for such information are required by sections of the HIPAA privacy and security regulations. These regulations establish specific expectations for "covered entities," like health plans and hospitals, which are in turn required to obtain satisfactory assurances that their business associates are appropriately protecting private health care information.

The standards for the new Privacy Certification for Business Associates address:

-- privacy protections for oral, written and electronic health information;
-- processes and practices respecting the use, disclosure, and secure storage of personal health information;
-- employee training in protecting personal health information;
-- consumer access to their own health information; and
-- contracting between covered entities and their business associates.

The program standards are based both on HIPAA and on state-of-the-art information practices in the health care industry. Any business associate that handles HIPAA protected information (PHI) for health care providers, health plans, or health care clearinghouses will be eligible for the program. Such entities include software firms; health care IT firms; data collection, analysis and processing firms; practice management firms; third-party administrators; disease management organizations; and survey vendors, among others.

"The appropriate and timely exchange of personal health information is essential to ensuring the provision of high quality care -- and so is keeping that information safe," says Margaret O'Kane, president, NCQA.

"Personal health information must be carefully and effectively protected," says Dennis S. O'Leary, M.D., president, JCAHO. "The Privacy Certification for Business Associates underscores this fundamental business associate responsibility."

The early participants in the Privacy Certification for Business Associates program will include four disease management organizations, two Health Plan Employer Data and Information Set (HEDIS)® survey vendors, a health care information technology firm, and an imaging organization. The eight organizations are:

-- American Healthways Inc., Nashville, Tenn.
-- Center for the Study of Services, Washington, D.C.
-- DSS Research, Fort Worth, Texas
-- Health Dialog Inc., Boston, Mass.
-- National Imaging Associates Inc., Rancho Cordova, Calif.
-- PersonalPath Systems Inc., Upper Saddle River, N.J.
-- Renaissance Health Care Inc., Westminster, Colo.
-- Salem Health Solutions Inc., Winston-Salem, N.C.

"We want our members to be assured that their information will be used properly and that the appropriate safeguards are taken to ensure that information remains confidential," said Donald Fischer, M.D., medical director for strategic physician relations at Highmark Blue Cross Blue Shield in Pittsburgh. "Highmark works collaboratively with our key business associates in the design and implementation of our integrated condition (disease) management program and by earning certification, our business associates will demonstrate that they have the right systems and protections in place."

The eight organizations will initially use a Web-based tool to assess their compliance with the program standards. Once the requested materials have been submitted, a survey team will conduct an on-site review of the organization. Each review will yield a pass/fail decision, and "pass" results will be valid for two years. Actual on-site surveys are expected to begin in August.

For more information about Privacy Certification for Business Associates, call William Tulloch, director of product development, at 202-955-5145, or Anthony Tirone at 202-783-6655.

------

Founded in 1951, the Joint Commission on Accreditation of Healthcare Organizations seeks to continuously improve the safety and quality of care provided to the public through the provision of health care accreditation and related services that support performance improvement in health care organizations. The Joint Commission evaluates and accredits nearly 17,000 health care organizations and programs in the United States, including approximately 9,000 hospitals and home care organizations, and 8,000 other health care organizations that provide long term care, assisted living, behavioral health care, laboratory and ambulatory care services. The Joint Commission also accredits health plans, integrated delivery networks, and other managed care entities. An independent, not-for-profit organization, the Joint Commission is the nation's oldest and largest standards-setting and accrediting body in health care.

NCQA is a private, non-profit organization dedicated to improving health care quality. NCQA accredits and certifies a wide range of health care organizations and manages the evolution of HEDIS®, the performance measurement tool used by more than 90 percent of the nation's health plans. NCQA is committed to providing health care quality information through the Web and the media in order to help consumers, employers and others make more informed health care choices.