NU Online News Service, Dec. 17, 9:55 a.m. – The National Committee for Quality Assurance, Washington, has released the draft of new standards for a Privacy Certification for Business Associates program.

The program would certify that health insurance company “business associates,” such as software vendors and disease management companies, meet the new federal personal health information privacy standards created to implement the Health Insurance Portability and Accountability Act of 1996.

HIPAA imposes harsh penalties for “covered entities” such as health insurers that fail to act when they are aware that personal health information is not adequately protected. HIPAA calls for covered entities to obtain “satisfactory assurances” from their business associates that personal health information is protected.

The NCQA certification program covers employee training; protection of oral, written and electronic health information; consumer access to health information; and contracting between covered entities and their business associates.

Under the draft standards, organizations undergoing a review could first assess whether they were ready for certification, then submit to a pass/fail review process.

Any business associate that handles personal health information for health plans, providers or health care clearinghouses would be eligible for the program.

Final certification standards should be available in early 2003, and the NCQA hopes to begin conducting the reviews in July 2003.

Covered entities must begin complying with the federal privacy standards in April 2003, but they have until April 2004 to obtain certification or other “satisfactory assurances” of compliance, the NCQA says.

The draft standards are available on the NCQA Web site at http://www.ncqa.org/Programs/Accreditation/Certification/BAC/BAC.htm