Healthcare's two leading accreditation agencies staked out turf in the broad new field of federal health privacy regulation last month, but they acknowledged that the ground might not be fertile for a while.
The National Committee for Quality Assurance and the Joint Commission on Accreditation of Healthcare Organizations launched a joint certification program to assess whether organizations known as "business associates" meet requirements for safeguarding sensitive patient-specific health information entrusted to them by providers and insurance plans.
Those requirements are among a basketful of mandates and prohibitions that took effect in April to enforce information privacy provisions of the Health Insurance Portability and Accountability Act of 1996. Under HIPAA, a business associate is any outside organization that handles confidential health data in the context of providing or administering care. That would include everyone from utilization-review and data-analysis firms to healthcare information technology companies, disease-management companies hired to manage chronic conditions, and outside companies that audit for Medicare claims compliance.
Providers and health plans are not directly accountable for every breach of confidentiality committed by business associates, but they are required to obtain satisfactory assurances that their partners are appropriately protecting private health information. Under HIPAA rules, those assurances were supposed to be included in business-associate contracts by April 14, subject to some allowances for contracts coming up for renewal in the coming year.
The certification program aims to provide a "comfort level" for health plans, hospitals and other care-delivery organizations that their business associates are fulfilling their contracts regarding privacy, said JCAHO spokeswoman Margaret VanAmringe.
But faced with a slew of significant internal HIPAA mandates for handling medical data, healthcare organizations have concentrated on putting their own houses in order and complying with the requirements that are most obvious to the public (April 14, p. 4).
In a survey conducted for the Healthcare Information and Management Systems Society just prior to the April 14 deadline, only 60% of the responding providers said they had obtained all required business-associate agreements.
But the public eventually will become aware of the volume and sensitivity of that patient data handed off to outside firms, NCQA spokesman Brian Schilling said. The NCQA and JCAHO are counting on business associates to pay the $15,000 base price for the certification to "demonstrate their compliance in a public way," he said. Eight organizations have signed up; four of them are disease-management companies.
The venture also hopes for leverage from healthcare organizations seeking to reassure the public, VanAmringe said. A Pittsburgh-based insurer, Highmark Blue Cross and Blue Shield, is among the few speaking out about business-associate responsibilities and certification.
"Highmark works collaboratively with our key business associates in the design and implementation of our integrated condition (disease) management program," said Donald Fischer, Highmark's medical director of strategic physician relations, "and by earning certification, our business associates will demonstrate that they have the right systems and protections in place."
One of the companies applying for certification, Health Dialog, Boston, is a contractor associated with Highmark's disease-management program, a spokesman for the Blues plan said.