Hospital and other healthcare organization accreditation is the granting of a “seal of approval” to a hospital by an independent accrediting body. The seal serves as a certification that the hospital or other healthcare organization has met specific quality standards. During the HIPAA accreditation review process, the healthcare organization is given the opportunity to establish its ability to meet both regulatory requirements and standards established by the accreditor.
Accreditation serves essentially as a marketplace differentiator: it reflects that the accredited organization demonstrates a higher level of patient care and performance.
Accreditation activities may involve a healthcare organization’s disclosure of protected health information (PHI) to the accrediting body. Whether accreditation activities are regulated by HIPAA is discussed below.
HIPAA Accreditation Activities: Are Accreditation Bodies Business Associates?
Whether accreditation activities are regulated by HIPAA depends on the legal relationship between a covered entity and an accrediting body.
Under the HIPAA Privacy Rule, organizations that accredit covered entities are considered business associates of those covered entities.
Like other business associates, accreditation organizations provide a service to the covered entity, which requires the sharing of protected health information.
Covered entities may satisfy the business associate agreement requirement by entering into a formal business associate agreement with the accrediting body.
As an alternative to the business associate contract, covered entities may disclose a limited data set of protected health information, not including direct identifiers, to an accreditation organization, subject to a data use agreement.
If only a limited data set of protected health information is disclosed, the satisfactory assurances required of the business associate are satisfied by the data use agreement.
What is a Limited Data Set?
Under the HIPAA Privacy Rule, a limited data set is a set of identifiable healthcare information that covered entities are permitted to share with certain entities for research purposes, public health activities, and healthcare operations, without obtaining prior patient written authorization. Accreditation activities are included in the definition of “healthcare operations.”
“Healthcare operations” are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities include (among others):
- Reviewing the competence or qualifications of healthcare professionals, evaluating provider and health plan performance, training healthcare and non-healthcare professionals, accreditation, certification, licensing, or credentialing activities.
A limited data set excludes specific direct identifiers (i.e., pieces of information that serve to directly identify) of the individual or of relatives, employers, or household members of the individual.
What is a Data Use Agreement?
A data use agreement (DUA) is an agreement governed by the HIPAA Privacy Rule. The agreement may be entered into between a covered entity and an accreditation body. Under the data use agreement, the covered entity may disclose a limited data set to the accreditation body for accreditation activities, which, as noted above, are regarded as healthcare operations activities.