• E-mail
• Print
• RSS

JCAHO/NCQA to focus BA certification on "business units"

HIPAA Weekly Advisor, September 26, 2003

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Business associates are behind covered entities in efforts to protect PHI, according to William Tulloch, director of product development for the National Committee for Quality Assurance (NCQA). But noncompliance in one department doesn't have to prevent another department from being certified by the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) and the NCQA.

Business associates can determine which business units or departments they want certified, Tulloch said during a September 23 teleconference outlining the JCAHO and NCQA's privacy certification program for business associates. "A business unit is an area of a business associate that is using or disclosing PHI on behalf of a covered entity in delivering a product or service to that customer or on behalf of that customer." For example, an organization that handles utilization management and disease management would have separate business units because it uses PHI in different ways for different purposes, he explained. "But [information technology] and [human resources] would go across all business units, so they would only need to be surveyed once."

The program, which is targeted at business associates that are not covered entities, promotes the proper handling and security of PHI, said Tulloch. Standards are based on the privacy and security regulations. Certification provides one method for providing covered entities with the satisfactory assurances required by the privacy rule, he said.

See the June 23 issue of HIPAA Weekly Advisor or go to http://www.ncqa.org/communications/news/pcba-eas.htm for more information on the certification program.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive