URAC

The organization has an ongoing training program that includes:

1. Initial orientation and/or training for all staff before assuming assigned roles and responsibilities;
2. Ongoing training, at a minimum annually, to maintain professional competency;
3. Training in current URAC Standards as appropriate to job functions;
4. Training in state and regulatory requirements as related to job functions;
5. Conflict of interest;
6. Confidentiality;
7. Training on identification and prevention of fraud and abuse, as appropriate to job functions;
8. Delegation oversight, if necessary; and
9. Documentation of all training provided for staff.

Question: Please advise on the frequency and types of training required to meet Core 7c, d, e, f and g. A review of the standard appears to indicate that training during the initial orientation and or general training of Core 7(c-g) is sufficient to meet the standard.  Core 7(b) clearly requires a minimum of annually regarding professional competency.  Is this interpretation correct?

Response: Orientation and ongoing training programs help to ensure that staff are kept up-to-date and have the knowledge and resources to provide quality program services. Training may vary by profession and the type of organization. The standard is silent on frequency of training.

Examples of training include: Obtaining continuing education credits in a relevant field. Attendance at meetings or conferences related to job functions In-house on performance of job functions. Ongoing training should be documented in personnel files. Regarding Core 7(c) and (d): Staff need only be trained in those URAC standards and regulations that apply directly to their job and not all standards and regulations that affect the organization.

The organization designates at least one senior clinical staff person who has:

1. Current, unrestricted clinical license(s) (or if the license is restricted, the organization has a process to ensure job functions do not violate the restrictions imposed by the state licensure board);
2. Qualifications to perform clinical oversight for the services provided; and
3. Post-graduate experience in direct patient care; and
4. Board certification (if the senior clinical staff person is an M.D. or D.O.).

A senior clinical staff person:

1. Provides guidance for all clinical aspects of program;
2. Is responsible for clinical aspects of program; and
3. Has periodic consultation with practitioners in the field.

Question: With regards to Core Standard 10 and 11, in the interpretive guide it indicates URAC generally expects that the organization providing general health services, products or management, that the senior clinical staff is a MD or DO.  We are sitting for accreditation for case management only. We do have a medical director, but he is contracted to provide services as needed.  We provide case management services; we are not an insurance company nor do we approve or deny services (i.e., perform utilization review).  Do we need to have an MD or DO on staff in the Senior Clinical position?

Response: Fore Case Management organizations, it is not required that the senior clinical staff person be a physician; however, the case management standards require that the case managers have access to a physician that has experience to the type of program under consideration. 

The senior clinical staff person for a Utilization Management program must be an MD or DO for general health and welfare review programs.  In addition, board eligible does not meet Core 10(d).  Though the senior clinical staff person may not work full time, work remotely, or may be a contracted individual instead of an employee, it is incumbent upon the organization to provide evidence that this individual is qualified pursuant to Core 10 and fulfills the accountabilities identified in Core 11.

The organization maintains signed written agreements with all clients describing the scope of the business arrangement.

Question: Do we need to submit a master list naming all of the clients with whom we do business, or are the sample template agreements enough?

The organization establishes and implements a policy and procedure to protect the confidentiality of individually-identifiable health information that:

1. Identifies how individually-identifiable health information will be used;
2. Specifies that individually-identifiable health information is used only for purposes necessary for conducting the business of the organization, including evaluation activities;
3. Addresses who will have access to individually-identifiable health information collected by the organization;
4. Addresses oral, written, or electronic communication and records that are transmitted or stored;
5. Address the responsibility of organization employees, committee members, and board members to preserve the confidentiality of individually-identifiable health information; and
6. Requires employees, committee members, and board members of the organization to sign a statement that they understand their responsibility to preserve confidentiality.

Question: Our board of directors (or senior management/CEO) never have access to PHI or IIHI. What should our policy say? What is required for the onsite visit?

The organization:

1. Establishes standards to assure that consumers or clients have access to services: and
2. Defines and monitors its performance with respect to the access standards.

Question: As a Health Plan when responding to standard Core 25 when discussing access, is it referring to: A) access to provider networks (MDs, etc.) B) access to our staff and services provided by our staff such as educational materials, information on complaint/appeal rights, etc. C) both of the above. Please clarify the term access as it applies to this standard.

The organization has a quality management committee that:

1. Is granted authority for quality management by the organization's governing body;
2. Provides on-going reporting to the organization’s governing body;
3. Meets at least quarterly;
4. Maintains approved minutes of all committee meetings;
5. If applicable, includes at least one participating provider or receives input from a participating provider committee (such as a Physician Advisory Group);
6. Provides guidance to staff on quality management priorities and projects;
7. Approves the quality improvement projects to undertake;
8. Monitors progress in meeting quality improvement goals; and
9. Evaluates the effectiveness of the quality management program at least annually.

Question: Does the standard require that the organization have one QMC or is it acceptable to have 2 committees, one that monitors operational performance and one that monitors clinical performance?

Standard:

CORE - All standards

Standard:

CORE 13 - Information Management

1. Provides for data integrity;
2. Includes a plan for storage, maintenance and destruction; and
3. Includes a plan for interoperability;
   
   1. Between internal information systems; and
   2. With external entity information systems.
      

The plan needs to address the information exchange between an organization’s internal information systems [Core (c)(i)].  It also needs to address the information exchange between its internal information systems and those of external entities [Core (c)(ii)]. 

As with any plan, a description of current information system structure is needed to show what is currently in place (how many systems do you have, do they need to talk to each other and if so, is that data exchange occurring as needed, etc.)  The same baseline analysis applies to the data exchange with external entities.  The plan should address the need to exchange data and the feasibility of making that occur – what resources would it take to make it happen and what are the inherent risks – both for and against – exchanging information both internally and externally? 

Standard:

CORE 14 - Business Continuity

1. Identifies which systems and processes must be maintained and the effect an outage would have on the organization’s program.
2. Identifies how business continuity is maintained given various lengths of time information systems are not functioning or accessible;
3. Is tested at least every two years; and
4. Responds promptly to detected problems and takes corrective action as needed.
   

Standard:

CORE 15 - Information Confidentiality and Security

1. Assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of information systems;
2. Prevention of confidentiality and security breaches; and
3. Detection, containment and correction of confidentiality and security violations.
   

Response: Core 15 addresses data confidentiality and security of both the electronic and paper information systems supporting the function covered by the accreditation.  In addition, “electronic” includes Web-based information systems and the use of portable media (e.g., portable computers, hand-held devices, flash drives, etc.)

Standard:

CORE 19 - Quality Management Program Requirements

1. Is approved by the organization’s appropriate oversight authority; 
2. Defines the scope, objectives, activities, and structure of the quality management program;
3. Is reviewed and updated by the Quality Management Committee at least annually;
4. Defines the roles and responsibilities of the Quality Management Committee; and
5. Designates a member of senior management with the authority and responsibility for the overall operation of the quality management program and who serves on the Quality Management Committee.
   

Standard:

CORE 27 - Staff Training Program

1. Initial orientation and/or training for all staff before assuming assigned roles and responsibilities;
2. Training in current URAC Standards as appropriate to job functions;
3. Conflict of interest;
4. Confidentiality;
5. Documentation of all training provided for staff; and
6. Ongoing training, at a minimum annually, to maintain professional competency.
   

Standard:

CORE 32 - Senior Clinical Staff Responsibilities

1. Provides guidance for clinical operational aspects of program;
2. Is responsible for oversight of clinical decision-making aspects of program;
3. Has periodic consultation with practitioners in the field; and 
4. Ensures the organizational objective to have qualified clinicians accountable to the organization for decisions affecting consumers. 
   

Standard:

CORE 35 - Consumer Complaint Process

1. process to receive and respond in a timely manner to complaints;
2. Notice (written or verbal) of final result with an explanation; 
3. Informs consumers of the avenues to seek further review if an additional complaint review process is available;
4. Evidence of meeting the organization’s specified time frame for resolution and response; and
5. Reporting analysis of the complaints to the quality management committee.
   

Standard:

CORE 36 - Coordination with External Entities

As for verification of compliance, on the desktop review, reviewers will look to see written policies and documented procedures (e.g., process flowcharts, guidelines, etc.) reflecting the organization’s process for sharing information and coordinating care for a health care consumer.  During the onsite review, staff will be interviewed and asked to discuss current procedure for care coordination and discuss instances where these procedures were implemented.  Case documentation exemplifying care coordination with external entities will also be examined. Applicants will be asked to pull cases illustrating implementation of its care coordination policy.  The scope of this standard covers coordination of the provision of clinical services to consumers.

Standard:

CORE 40 - Health Literacy

1. Requires consumer materials to be in plain language.
2. Assesses the use of plain language in consumer documents; and
3. Provides relevant information and guidance to staff that interfaces directly with, or writes content for, consumers.
   

The organization establishes and implements criteria for the number and qualification of reviewers.  At a minimum, such criteria will specify that, for each case, there is a reviewer who:

1. Has active licensure;
2. If an M.D. or D.O., has board certification by a medical specialty board approved by the American Board of Medical Specialties or the American Osteopathic Association;
3. If a D.P.M., has board certification by the American Board of Podiatric Surgery;
4. Is a clinical peer of the attending provider;
5. Has a scope of licensure and professional experience that encompasses the health service, treatment or issue under review;
6. Has at least five years experience providing clinical health care; and
7. Has the ability to evaluate alternatives to the proposed treatment.

Question: What are the licensure requirements for reviewers conducting reviews for an IRO?

Response: Revised standard 8 “Reviewer Qualifications” specifically states the credentials required for reviewers.  In addition to active licensure, if an M.D. or D.O., the reviewer has board certification by a medical specialty board approved by the ABMS or AOA.  If a Doctor of Podiatric Medicine, a board certification approved by the American Board of Podiatric Surgery is required.  The standard indicates that reviewers will have at least five (5) years of experience providing clinical health care to ensure a minimum of clinical experience treating patients.

The organization adheres to the following time frames for completing standard reviews:

1. Within a median duration of 5 business days for cases where the timeline is not regulated by state or federal regulation;
2. In no case longer than 20 business days unless otherwise defined by state or federal regulation; and
3. The time frame starts upon receipt of all of the information that has been forwarded to the organization, including any additional information that may be submitted by the covered person and/or referring entity.

Question:If a state or federal law requires a minimum time frame for processing a review, how does that affect the time line required by the standard for conducting independent reviews?

Response: Once all entities (referring entity, consumer, and attending provider) have been accounted for with regards to submitting additional information, whether additional information was received or it has been verified that it will not be submitted, the IRO must proceed with processing the case.  If the IRO has not been able to determine the intent by all parties and there is applicable state or federal law requiring a minimum time to wait for additional information, then it does not proceed until the minimum time frame has been met.  URAC will request evidence of the applicable regulation.

The organization has a documented plan addressing the delivery of health information to consumers:

1. Targeting one or more of a consumer’s information needs for the current episode of care;
2. Proactively providing health information to the individual consumer;
3. Supporting one or more of the following:  
   1. Informed decision making;
   2. Skill building and motivation for effective self-care and healthy behaviors related to the consumer’s information needs for the current episode of care; and
   3. Consumer comfort and acceptance.

4. Promoting the use of information tailored to the individual consumer’s specific needs and characteristics, including health literacy levels; and
5. Providing health information that is accurate, comprehensive, and easy to use;and 
6. Using community resources and other health care partners to provide health information to consumers.
   

Question: Do we have to have implemented a plan for the delivery of health information to consumers?

Response: No, applicant organizations need to have a documented plan, reviewed by the requisite leadership for disease management that indicates what structures and processes the organization needs to put into place in order to proactively provide health care information to consumers. 

As part of its documented plan addressing the delivery of health information to consumers, the organization provides health information that is accurate and appropriate for the population served by:

1. Having providers with current knowledge relevant to the information review it prior to its release and thereafter at least annually to ensure that it is based upon current clinical principles, processes and when available, evidence based information;
2. Having the medical director (or equivalent designate) or clinical director (or equivalent designate) approve the information to be released to consumers.

Question: Why does health information need to be reviewed prior to giving it to the consumer?

Response: Information provided to the health care consumer should be reviewed by providers with current knowledge of the subject matter to ensure that it is current and accurate.

The organization has policies and procedures to notify all subscribers:

1. Within 60 days of a material revision to its Notice of Privacy Practices; and
2. Periodically of its privacy practices at least every two (2) years.
   

Question: The standard regarding notice to subscribers of privacy practices seems to contradict the HIPAA regulation.  How do you explain that?  How are organizations to provide this notice?

Response: Standard HPCE 59 “Privacy Notice Provision” is consistent with HIPAA regulation; however, it is more stringent.  Though it is impractical to provide “Notice of Privacy Practices” to all subscribers at the time of enrollment (not just new ones), an organizations needs to provide notice at least every two (2) years in order to keep its membership informed.  So HPCE 59(b) was added and requires notice of privacy practices to all subscribers at least every two (2) years.  Organizations can use mass mailings, newsletters, member Web sites, etc., as ways to carry out this notice.

The organization has administrative policies and procedures that address the organization’s implementation of a Security Management Process to ensure the prevention, detection, containment and correction of security violations.  Such policies and procedures address:

1. Risk Analysis - Conduct periodic, accurate, and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity;
   1. Conduct a risk assessment as triggered by significant events, or at a minimum, every two years.
   2. Risk assessment must include portable media.
2. Risk Management - Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
3. Sanction Policy - Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity; and
4. Information System Activity Review - Implement procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports.

Question: What types of “significant events” would trigger a risk assessment?  What types of things should an organization consider when conducting a risk assessment involving portable media?

Response: Examples of a “significant event” as indicated in HS 2(a)(i), include a breach of information systems security, system reconfiguration or software update and merging information systems with another company.  This standard is consistent with the requirements set forth by the Center for Medicare/Medicaid Services (CMS); however, it is more stringent.  Organizations must be aware of their exposure to risk regarding portable media.  Either these devices should not contain personal health information or the devices should be encrypted.  Given that operating systems often allow for auto-populating passwords, devices containing personal health information, including portable media, should require end-users to enter a password or organizations should, at a minimum, implement second factor authentication.

The organization implements a written policy to provide a privacy awareness and training program for all members of its workforce (including management) that have access to protected health information as part of their function within the organization. The organization must: [M]

1. Provide training to all existing workforce members by the date of the application submission for URAC HIPAA Privacy Accreditation; [M]
2. Provide training to all new workforce members within a reasonable time period; [M]
3. At a minimum, provide annual training for workforce members appropriate to meet its duties as a covered entity and/or business associate as applicable; [M]
4. Provide training on its written policies and documented procedures as they apply to the HIPAA Privacy rule; [M]
5. Update training for all affected staff in the event of a material change in the organization’s privacy practices; [M]
6. Include a process to document training provided to workforce members; [M]
7. Explain the limited circumstances under which protected health information may be disclosed under “whistleblower” and “workforce member crime victim” exceptions; [M]
8. Address civil and criminal penalties for: [--]
   i. Unintended violations; [M]
   ii. Violations due to reasonable cause; [M]
   iii. Violations due to willful neglect; and [M]
   iv. Address the process for remediating a breach. [M]

Question: Why were the topics of civil and criminal penalties added to the standard on privacy training?

Response: The Privacy provisions outlined in President Obama’s economic stimulus package, the “American Recovery and Reinvestment Act” (ARRA) include civil and criminal penalties which require organizations to provide training on the various penalties, the fine amount and under what circumstances they apply.  In addition, ARRA has specific guidelines expanding the enforcement powers of State Attorneys General. Under the new regulations, State Attorneys General may work on behalf of state’s residents to bring civil actions, stop violations, or obtain damages. Although state action is limited while federal action is pending, this applies to all covered entities, business associates and now individuals, with access to private patient information.

The organization has documented appointment of a chief security official who has defined authority, oversight, and accountability, and who is responsible for the HIPAA security compliance program of the organization, including the development of any necessary policies and procedures. (Mandatory)

Question: The security standards for a Business Associate are now exactly the same as those for a Covered Entity.  Why were they combined into one set of standards for both types of entities?

Response: Section 13401 of the “American Recovery and Reinvestment Act” (ARRA)  indicates that a business associate of a covered entity will now be directly subject to provisions of the HIPAA Security Rule in the same way that covered entities are.  This will make all Security standards applicable to a business associate depending upon the business associate’s access to electronic protected health information through the services it provides to covered entities. This includes new breach notification provisions required by ARRA.

The organization implements a written policy to provide a security awareness and training program for all members of its workforce (including management). The organization’s training must address: [M]

1. Security reminders. Periodic security updates; [M]
2. Protection from malicious software. Procedures for guarding against, detecting and reporting malicious software; [M]
3. Log-in monitoring. Procedures for monitoring log-in attempts and reporting discrepancies; [M]
4. Password management. Procedures for creating, changing and safeguarding passwords; [M]
5. Security documentation.  Written policies and documented procedures as they apply to the HIPAA Security rule; [M]
6. Civil and criminal penalties. Penalties for: [--]
   (i) Unintended violations, [M]
   (ii) Violations due to reasonable cause, [M]
   (iii) Violations due to willful neglect; and [M]
7. Process for remediating a breach. [M]

Question: Why were the topics of civil and criminal penalties added to the standard on security training?

Response: The Privacy provisions outlined in President Obama’s economic stimulus package, the “American Recovery and Reinvestment Act” (ARRA) include civil and criminal penalties which require organizations to provide training on the various penalties, the fine amount and under what circumstances they apply.  In addition, ARRA has specific guidelines expanding the enforcement powers of State Attorneys General. Under the new regulations, State Attorneys General may work on behalf of state’s residents to bring civil actions, stop violations, or obtain damages. Although state action is limited while federal action is pending, this applies to all covered entities, business associates and now individuals, with access to private patient information.

Health Information Exchange entities conduct an interoperability analysis to ensure that they have: [--]

1. The definitions for the data to be captured; and [Mandatory]
2. A risk assessment of system(s) security interfaces. [Mandatory]

Question: Why did URAC add standards addressing “Health Information Exchange” entities and how is that defined?
Response: Based upon new requirements in the “American Recovery and Reinvestment Act” (ARRA) for “Health Information Exchange” entities, URAC has added two (2) new security standards. 

URAC has adopted the definition for a “Health Information Exchange” from the Health and Human Services (HHS) definition of terms (April 2008), which is as follows: The electronic movement of health-related information among organizations for the purpose of improving the health of a defined population.

Prior to full scale implementation of a data exchange, Health Information Exchange entities: [--]

1. Conduct a test of the information transfer with contracted parties; [Mandatory]
2. Correct identified system(s) issues; and [Mandatory]
3. Have documented the mechanism for and implementation of the training and education of their workforce handling the health information exchange. [Mandatory]

Question: How often does URAC expect a Health Information Exchange (HIE) entity to conduct pre-implementation systems testing?
Response: Pre-implementation systems testing pursuant to the standard should be conducted at least on an annual basis as well as on an as-needed basis (e.g., technology changes, additional security interfaces added, changes to the law/security rule, etc.)  This testing usually follows an interoperability analysis.

Question: URAC has added a new section to both the HIPAA Privacy and Security standards related to breach processing.  What was the impetus for this?
Response: The Privacy provisions outlined in President Obama’s economic stimulus package, the “American Recovery and Reinvestment Act” (ARRA) has specific guidelines regarding breach processing, including notification requirements.

Upon notification or discovery of a potential breach, the organization will: [‑‑]

1. Record the date that the suspected breach was known to the organization; [M]
2. Notify the privacy and security official; [M]
3. Determine if an actual breach occurred and if one occurred, then: [M]

• Mitigate the cause of the breach; and [M]
• If a business associate, then notify the covered entity of the breach within three (3) business days. [M]

Question: Under what circumstances does the “Breach Discovery Policy” apply?
Response: This standard applies to all situations where it is known that a breach might have occurred, which is the initial stage when the organization may not be sure whether a breach has actually occurred or not.

The organization must provide notice of the breach to the Department of Health and Human Services as required by federal law. [M]

Question: Does this standard apply if the organization determines that a breach did not occur?

Response: No.

An organization must take steps to prevent future breaches such that: [‑‑]

1. Once the organization takes the immediate and appropriate steps to mitigate the risks associated with the breach, it must investigate the cause of the breach and develop an appropriate prevention plan; [M]
2. The prevention plan must identify action items proportionate to the breach’s significance and determine whether it was a systemic breach or an isolated instance; [M]
3. The prevention plan must include the following: [--]
1. A security audit of both physical and technical security; [M]
2. A review of policies and procedures and any changes to reflect the lessons learned from the investigation and regularly after that (for example, security, record retention and collection policies); [M]
3. An evaluation of employee training practices; and [M]
4. A review of internal and/or external entities with which information is regularly shared. [M]

Question: What happens if the same breach occurs again?

Response: URAC will review the organization’s post-breach evaluation and remediation process to determine that it was done pursuant to the standard in both instances.

The organization verifies the following practitioner credentials using primary sources:

1. State licensure; and
2. Board certification, if applicable, or highest level of education.

Question: What are the acceptable sources of primary source verification (PSV) for Board Certification?

The ABMS has indicated that two products published by Elsevier Science, "The Official ABMS Directory of Board Certified Medical Specialists" and the CD "ABMS Medical Specialists Plus" as ones that are not to be used for primary source verification (PSV), in part since the complete physician date of birth has been removed from these sources.  I will refer you to the document entitled, “Official ABMS® Display Agent List” dated September 15, 2006, found on the ABMS website:

http://www.abms.org/Who_We_Help/Professional_Organizations/pdf/DisplayAgentList.pdf.  Of note, the ABMS recognizes Elsevier’s “BoardCertifiedDocs” as a service providing primary equivalent source data on behalf of the ABMS.  In addition, the ABMS indicates that it offers a number of alternate PSV source options and is prepared to assist organizations in selecting the one that is best suited for their needs.

Standard Module: Health Plan & Health Network

Module Version: 6.0

Standard Number: P/N-CR 12

Standard:

P/N-CR 12-Credentialing Time Frame

The organization does not submit for initial review any credentialing application that: [--]

1. Is signed and dated more than 180 days prior to credentialing committee review; or [4]
2. Contains primary or secondary source verification information collected more than six months prior to review. [4]

Question: We’ve heard that some accrediting bodies are allowing credentialing applications to be signed and dated up to 360 days prior to credentialing committee review.  Do URAC credentialing standards allow for credentialing applications to be signed/dated that far in advance of initial committee review?

Response: No, with the latest revision of the Health Plan and Health network standards, this timeline did not change, such that a credentialing application can not be signed and dated more than 180 days prior to initial credentialing committee review.

Standard Module: Health Plan & Health Network

Module Version: 6.0

Standard Number: P/N-CR 13

Standard:

P/N-CR 13 – Credentialing Determination Notification

The organization provides written notification to providers of the determination of the providers’ credentialing application within ten (10) business days of the determination. [4]

Question: Did URAC tighten up the time frames for notification of a credentialing determination?

Response: Yes, with the most recent version of the Health Plan and Health Network standards (version 6.0), standard P-CR 13/N-CR 13 changed from “60 calendar days” to “10 business days.”

Standard Module: Health Plan & Health Network

Module Version: 6.0

Standard Number: P/N-CR 17

Standard:

P/N-CR 17 – Credentialing Delegation

The organization complies with the Core Standards for any credentialing functions it delegates to another entity.  In addition, the organization: [--]

1. Retains authority to make the final credentialing determination regarding any provider; and [M]
2. At least every three years, conducts on-site surveys of each entity that performs credentialing functions on behalf of the organization. [4]

Question: Is it a requirement to conduct on-site surveys of entities delegated credentialing?

Response: Yes, the requirement is for an organization to conduct on-site surveys of delegated entities every three (3) years.

Standard Module: Health Plan

Module Version: 6.0

Standard Number: P-MR 2

Standard:

P-MR 2 – Consumer Information Disclosure

Information available to consumers includes: [--]

1. Descriptions of the processes the organization uses to provide information and support to consumers: [--]
   (i)  For whom English is not their primary language; and [4]
   (ii) With special needs, such as cognitive or physical impairments. [4]
2. List of providers that are in the provider network; [4]
3. Descriptions of participating provider compensation arrangements; [4]
4. The tools the organization makes available to assist in self-managing care; [4]
5. Consumer satisfaction statistics; [4]
6. Administrative requirements; [4]
7. Medical management requirements; [4]
8. How the health benefits program works; [4]
9. Financial responsibilities for consumers, including potential out-of-pocket costs, such as deductibles, co-pays, co-insurance, annual and lifetime co-insurance limits, and changes that could occur during the enrollment period; [4]
10. Health benefits decision-making responsibilities for consumers; [4]
11. Condition-specific criteria for benefits; and [4]
12. Coordination of benefits. [4]          

Question: Are there any requirements in the Health Plan standards related to consumers for whom English is not their primary language or who have special needs?

Response: Yes, the most recent version of the Health Plan standards requires applicant organizations to submit a description of how they accommodate consumers with those particular types of needs.  This would be confirmed during the on-site review through management and staff interviews for the customer support areas.

Standard Module: Health Plan

Module Version: 6.0

Standard Number: P-MR 3

Standard:

P-MR 3 – Consumer Communications Plan

The communications plan (required under Core 22) provides that at the time of enrollment, consumers are provided with materials that clearly explain: [--]

1. Instructions on how to receive assistance via e-mail, telephone, or in person; [4]
2. The scope of covered benefits; [M]
3. How to access covered benefits, including: [--]
   (i) Requirements for prior authorization; [M]
   (ii) Accessing emergency services and out-of-service-area services; and [M]
   (iii) On-going access to current drug formulary; [M]
4. Cost-sharing features under the benefits plan; [M]
5. How to obtain the cost of covered benefits; [L]
6.   Any obligations for consumers to cooperate with the organization’s medical
7. Coverage exclusions; [M]
8. How to obtain evidence-based health information and content for common conditions, diagnoses, and the treatment, diagnostics and interventions; [4] and
9. Complaint and appeals processes available to consumers. [M]

Question: Do Health Plans have to do anything additional as far as their consumer communications plan?

Response: Yes, for P-MR 3 they need to provide consumers with materials that clearly explain how to obtain evidence-based health information and content for common conditions and diagnoses, along with the treatment, diagnostics and interventions.

Standard Module: Health Plan

Module Version: 6.0

Standard Number: P-UM 1

Standard:

P-UM 1 – Independent Review Process

The organization has a mechanism for consumers to access an independent review process, after all internal appeal mechanisms have been exhausted, for clinical determinations relating to the necessity or appropriateness of medical services (including determinations that proposed medical services are experimental in nature). [4]
The independent review entities conducting the independent review process: [‑‑]

1. Must access and rely on appropriate clinical expertise in rendering independent review determinations; [4]
2. Must not have any direct financial interest in the organization or in the outcome of the independent review; [M]
3. Render determinations for non-urgent cases, within thirty calendar days from the date the consumer initiated the independent review; [4]
4. Render determinations for cases involving urgent care, within 72 hours from the date the consumer initiated the independent review; [4]

May not have been involved in the original determination under appeal. [M]

Question: The UM standard specific to Health Plans looks different, but reads the same.  Was there any change to the intent or language?

Response: No, P-UM 1 was simply reorganized to clearly show that the elements within the standard describe requirements for an independent review entity that the health plan would use for the independent review process.

Standard Module: Health Plan & Health Network

Module Version: 6.0

Standard Number: P/N-CR 18

Standard:

N-CR 18 – Credentialing Phase-In

The organization implements the credentialing program required by N-CR 1 according to time frames that are no longer than the following: [--]

1. At the time of the on-site review, the organization has completed the credentialing process for at least 100 practitioners; [M]
2. Credentialing of at least 50% of participating providers within the scope of the credentialing program will be completed within two years from the date the organization initially receives URAC accreditation; and [M]
3. Credentialing of all participating providers within the scope of the credentialing programwill be completed within three years from the date the organization initially receives URAC accreditation. [M]

Question: What happens if a network accreditation applicant comes up for re-accreditation in three years and has not completed credentialing of all providers within the scope of the credentialing program?

Response: Standard N-CR 18 is Mandatory; therefore, the applicant organization would not be meeting element (c) and as a result would not be eligible for a full accreditation.  Please note that this standard does not apply to Health Plan accreditation.

The organization implements a mechanism to resolve disputes with participating providers regarding actions by the organization that relate to a participating provider’s status within the provider network and any action by the organization related to a provider’s professional competency or conduct.  That mechanism: [M]

1. Specifies that all disputes are referred to a first-level panel consisting of at least three qualified individuals, of which at least one must be a participating provider who is not otherwise involved in network management and who is a clinical peer of the participating provider that filed the dispute; [M]
2. Includes the right to consideration by a second-level panel and the methods to request such consideration; and [M]
3. Provides for consideration to a second-level panel consisting of at least three individuals that comply with element (a) of this standard and that were not involved with the first-level panel. [4]

Question: Do the provider dispute resolution mechanisms found in P/N-NM 15 and 16 preclude having the same individuals involved in the original dispute reconsider the matter given additional input from the provider?

The senior clinical staff person:

1. Provides guidance for all clinical aspects of program;
2. Is responsible for clinical aspects of program; and
3. Has periodic consultation with practitioners in the field.

The organization maintains a system to receive and respond in a timely manner to complaints and, when appropriate, inform consumers of their rights to submit an appeal.

The organization maintains a formal appeal resolution process that includes:

1. Written notice of final determination with an explanation of the reason for the determination;
2. Notification of the process for seeking further review, if available; and
3. A reasonable, specified time frame for resolution and response.

The organization reports analysis of the complaints and appeals to the quality management committee.

The organization has a mechanism for consumers to access an independent review process, after all internal appeal mechanisms have been exhausted, for clinical determinations relating to the necessity or appropriateness of medical services (including determinations that proposed medical services are experimental in nature).  Independent review entities:

1. Must access and rely on appropriate clinical expertise in rendering independent review determinations;
2. Must not have any direct financial interest in the organization or in the outcome of the independent review;
3. Render determinations:
   (i) For non-urgent cases, within thirty calendar days from the date the consumer initiated the independent review; and
   (ii) For cases involving urgent care, within 72 hours from the date the consumer initiated the independent review;
4. May not have been involved in the original determination under appeal.

Individuals who conduct initial clinical review:
(a) Are appropriate health professionals; and
(b) Possess an active professional relevant license.

Question: Does the URAC Health UM, CM and DM accreditation include staff performing these functions that are telecommuting or working out of a client site?
Response: Yes, staff working offsite – either telecommuting or working at a client site – is included within the scope of the accreditation. URAC reviewers will examine staff files, QM oversight, etc. as it involves this type of staff and URAC reviewers may interview them either telephonically, have them come into the office, or even visit them at their off-site location.

Health professionals that conduct peer clinical review are available to discuss review determinations with attending physicians or other ordering providers.

When a determination is made to issue a non-certification and no peer-to-peer conversation has occurred:

1. The organization provides, within one business day of a request by the attending physician or ordering provider, the opportunity to discuss the non-certification decision:
   (i) With the clinical peer reviewer making the initial determination; or
   (ii) With a different clinical peer, if the original clinical peer reviewer cannot be available within one business day); and

2. If a peer-to-peer conversation or review of additional information does not result in a certification, the organization informs the provider and consumer of the right to initiate an appeal and the procedure to do so.

Question: Does URAC require the offering of a peer-to-peer conversation for retrospective medical necessity denials?
Response: No, standards HUM 15 and HUM 16 apply to the prospective and concurrent review processes where the request for certification is non-certified by a clinical peer reviewer.

As part of the appeals process:

1. The organization provides the patient, provider, or facility rendering service the opportunity to submit written comments, documents, records, and other information relating to the case, and
2. Takes all such information into account during the appeals process without regard to whether such information was submitted or considered in the initial consideration of the case, and
3. In instance of a first level appeal, the organization implements the decision of the first level clinical appeal if it overturns the initial denial.

Definition of Appeal:  Formal request for review of an organizational determination (i.e., services have been denied, reduced, etc.)  Note: Specific terms used to describe appeals vary, and are often determined by law or regulation. URAC’s UM Standards apply to first-level appeal.
Question: Is the UM appeal file review limited to first level appeal, or does it include all levels of appeals?
Response: The scope of URAC’s medical necessity appeal process is limited to the first level of review as indicated by the definition (above) and standard HUM 31(c) (above); therefore, the file review for Health Utilization Management accreditation will be limited to the first level of review.

Appeals considerations are conducted by health professionals who:

1. Are clinical peers;
2. Hold an active, unrestricted license to practice medicine or a health profession;
3. Are board-certified (if applicable) by:
   (i) A specialty board approved by the American Board of  Medical Specialties (doctors of medicine); or
   (ii) The Advisory Board of Osteopathic Specialists from the major areas of clinical services (doctors of osteopathic medicine);
   
4. Are in the same profession and in a similar specialty as typically manages the medical condition, procedure, or treatment as mutually deemed appropriate; and
5. Are neither the individual who made the original non-certification, nor the subordinate of such an individual.

Question: If new information is received with an appeal request, can a nurse reviewer approve the appeal if the new information meets criteria?
Response: Yes.  Though this process is not specifically addressed in the accreditation guide, it is not prohibited by the standards.  An organization must meet the timeframes required by the standards regardless of any additional steps it may conduct.

Appeals considerations are conducted by health professionals who:

1. Are clinical peers;
2. Hold an active, unrestricted license to practice medicine or a health profession;
3. Are board-certified (if applicable) by:
   (i) A specialty board approved by the American Board of  Medical Specialties (doctors of medicine); or
   (ii) The Advisory Board of Osteopathic Specialists from the major areas of clinical services (doctors of osteopathic medicine);
4. Are in the same profession and in a similar specialty as typically manages the medical condition, procedure, or treatment as mutually deemed appropriate; and
5. Are neither the individual who made the original non-certification, nor the subordinate of such an individual.

Question: What is appropriate specialty matching and does the standard of care in a community factor in?  For instance, in our community we have no endocrinologists so our PCPs generally care for their own diabetic patients, but if that patient is in a teaching facility they might be cared for by an Endo.  If there is an appeal by a specialist for a condition, which is generally treated locally by a PCP, who would URAC like to see reviewing the appeal?

Response: When selecting a physician to conduct a medical necessity appeal, first choice would be a specialist in the area of concern for the appeal, even if the physician requesting the appeal is not a specialist.  Physicians with more general practices (e.g., IM, PCP, FP, etc.) may conduct an appeal if they have experience treating the case under review.  When asked to do a review, physicians will tell you if it is not an area they typically treat, in which case you would select another physician to conduct the appeal.  Also, pursuant to the standard, the selected appeal reviewer is “…mutually deemed appropriate” by your organization and the physician requesting the appeal [HUM 32(d)].  So if there is some doubt, it is perfectly acceptable to discuss the selection with the requesting provider.  Also, general practitioners are not used for appeals and it is not appropriate to have a pediatrician review an adult case.

If an endocrinologist or a PCP is managing a diabetic case and has made an appeal, then an endocrinologist would be first choice to conduct the appeal, an IM or PCP with extensive experience in diabetes would be a second choice.  See additional scenarios below.

Scenario 2: Cardiothoracic surgeon performs CABG, patient is newly diagnosed with Diabetes, Endo was consulted and discharge left up to Endo.  Last day was denied and is being appealed.  What kind of specialist should review?  Endo, IM, FP or GP or Cardiothoracic surgeon?

Response: The issue keeping the patient in the hospital was diabetes, so an endocrinologist would review the appeal for the last day of inpatient stay, or IM/FP with extensive experience in diabetes.  General practitioners are typically not used for appeals.

Scenario 3: Pt. was admitted for Chest pain by IM/GP/FP.  Cardiology was consulted. Discharge by attending left up to consultant.  Day denied and appealed.  Who reviews, Cardiology or IM/ FP/GP?

Response: Medical issue could be reviewed by IM/FP or a cardiologist.  General practitioners are typically not used for appeals.

Scenario 4: Pt admitted with new onset of seizures by IM/FP/GP/Peds.  Neuro consult ordered.  Discharge by attending left up to consultant.  Day denied and appealed.  Who reviews, Neuro or IM/FP/GP/Peds?

Response: Neurologist would conduct the appeal since seizures were the reason for the last inpatient day.  If it was a pediatric patient with seizures, then a pediatrician with experience treating those types of patients could conduct the appeal.

Scenario 5: Can FP review for IM for inpatient appeals or does it have to be IM for IM and FP for FP, etc.  

Response: Internal Medicine should review for Internal Medicine, FP for FP.

Scenario 6: Does the matching have to be MD to MD or can it be MD reviewed by DO, etc?

Response: MD and DO can review for each other.

Scenario 7: Can a general surgeon review a case of a Vascular surgeon?

Response: Did the appeal turn on a vascular issue – such as was the vascular surgery necessary?  If yes, then a vascular surgeon would be appropriate to conduct the appeal.  If more of a general surgical issue, then a general surgeon could review the case.

Scenario 8: Do the reviewers just have to have knowledge in the field or truly be "specialty matched"?

Response: Start with the specialty match – you can’t go wrong there.  Then there are general surgeons and internal medicine where they may have extensive experience in a given area, and as such could be used for the appeal.

Scenario 9: IM admits for DVT.  An inpatient day is denied.  Who can review the appeal?  FP or Peds or does it have to be IM?

Response: IM would be best choice; PCP/FP could be used.  Most primary care doctors will tell you if they do not believe they have the background or experience to review a case.  Peds is not a good choice for adult cases.

Scenario 10: FP admits an adult with Pneumonia.  Day is denied.  Can a Pediatrician review?  Must it be FP?  IM?

Response: Pediatrician is not appropriate for an appeal on an adult case.  FP or IM could review the case.

Scenario 11: A 10-wk pregnant patient admitted with DVT by OB.  Vascular surgeon consults and follows, too.  Who can review case for denied days?  Can FP or Pediatrician review concurrently without consulting with a Like Specialist for advice?

Response: It depends upon the reason for the denial and why patient was kept – was there some other reason for the hospital stay?  If it was determined that the DVT condition no longer warranted inpatient stay, then a vascular surgeon, IM or FP could review.  If there was some other complication related to the pregnancy, then an OB would appear to be appropriate.

Scenario 12: Total abdominal hysterectomy performed by GYN surgeon.  Can general surgeon do the appeal review?

Response: If the general surgeon has experience with abdominal hysterectomies, then yes.

Scenario 13: Pulmonologist admits for pulmonary emboli.  Who must review appeal?  IM, FP, Peds or pulmonologist?

Response: Pulmonologist, IM or FP.  Peds should review for pediatric patients.

Scenario 14: Pancreatitis admitted by FP.  Consulted with a general surgeon, but treated medically.  Who should review appeal?

Response: IM or FP.

Scenario 15: GI hemorrhage admitted by GE.  No surgery was required, just scoping and watching. Who should review appeal?  GE, surgeon, IM, FP, Peds?

Response: GE, surgeon or IM.  FP if experience with these types of cases.  Peds should not review adult cases.

Scenario 16: Can a Pediatrician review cases on adults that were admitted by IM or FP or specialists?  Can FP do reviews on neonates being cared for by neonatologists?

Response: No to both scenarios. 

Individuals who directly supervise case management practices:

1. Have at least one of the following qualifications: (Primary)
   (i) A bachelors (or higher) degree in a health-related field and licensure as a health professional
   (where such licensure is available); or
   (ii) Certification as a case manager; or
   (iii) Professional certification in a clinical specialty and at least three (3) years experience as a
   case manager; and
2. If they have directly supervised the case management process for three or more years, hold a
   certification as a case manager.

Question: CM 4 Interpretive Information/Commentary states: "A list of acceptable 'certifications as
a case manager' will be posted on URAC's Web site at www.urac.org." I have searched the
URAC Web site
and cannot locate this list. I would like to be able to include it in our updated manual for Case
Management Staff.
Response: The link has been updated on the Web site to: http://webapps.urac.org/CMcertifications.asp

Individuals who directly supervise case management practices:

1. Have at least one of the following qualifications: (Primary)
   (i) A bachelors (or higher) degree in a health-related field and licensure as a health professional (where such licensure is available); or
   (ii) Certification as a case manager; or
   (iii) Professional certification in a clinical specialty and at least three (3) years experience as a case manager; and
   
2. If they have directly supervised the case management process for three or more years, hold a certification as a case manager.

Question: CM 4 certification requirement requires individuals who directly supervise case management practices, who have directly supervised the case management process for three or more years to obtain certification as a case manager. The questions are as follows:

1. If a supervisor has directly supervised the case management process for three or more years in another program that is not currently URAC accredited and that supervisor is subsequently assigned to the case management program that will come under URAC view in 2008, does the three years prior supervision count and therefore, certification as a case manager would be required, or does the assignment to the URAC case management program scheduled for review in 2008 count as the first year supervising the case management process?
2. Is “care manager certification” equivalent to case manager certification? Care manager certification is more often associated with licensed social workers and psychologists than with the certified case manager program.
   Response:
3. Pursuant to the Guide, “Points to Remember” second bullet: In CM 4 (b), the CM certification requirement applies to individuals who have held the position of a case management supervisor in the applicant organization for 3 or more years. If the individual has held the position of case management supervisor for less than 3 years at the time of application review, this standard is non-applicable.  
4. Care manager certification is not equivalent; the standard is specific to case management certification.   
   

The organization conducts reviews of the case management process through case review by the case management program director, advisor, or other supervisor to:

1. Promote achievement of case management goals as established in consumer specific case management plans; and
2. Report the findings to the quality management committee (See Core Standards, Quality Improvement/Management Section).

Question: Our organization recently went through a downsizing leaving us with one Nurse Case Manager who is our Case Management Supervisor. As a result, the Director of Quality Assurance assumed responsibility for auditing the Nurse Case Manager claims.  Is this arrangement sufficient for purposes of meeting the intent of CM 9?  If not, do you have recommendations for meeting the intent of this standard?
Response: It is acceptable for the Director of Quality to perform quality audits for case management.

Case managers have the following qualifications: [--]

1. Licensure or certification in a health or human services discipline that allows the professional to conduct an assessment independently as permitted within the scope of practice of the discipline; [M]
2. Two years full-time equivalent of direct clinical care to the consumer; and [4]
3.   At least one of the following: [M]
   (i)   Certification as a case manager from the URAC‑approved list of certifications; or [‑‑]
   (ii)  A bachelors (or higher) degree in a health or human services related field; or [--]
   (ii)  A registered nurse (RN) license. [--]

Question:What are the requirements for clinical experience for case managers and does it apply to just RNs?
Response:The requirement for direct clinical care to the consumer is two (2) years and it applies to all case managers, not just those that hold an RN license.  Staff hired prior to the organization seeking and obtaining accreditation may be grandfathered in if they do not meet the minimum two (2) years of clinical experience requirement and they possess a minimum of five (5) years case management experience.

Question:Which version of the standards includes measures for case management?
Response:Version 4.0.  There are two standards associated with the case management measures.  Reporting standard 1 requires that organizations have the resources and mechanisms to produce and report on a specified set of performance measures on a periodic basis.  The second reporting standard indicates that organizations will report on the measures.  There are six (6) measures where four are mandatory and two are optional as “leading indicators.”    

The organization: [--]

1. Establishes guidelines for reasonable case manager case load with supporting rationale; [4]
2. Applies an ongoing process to monitor case load based on guidelines developed by the organization; [4]
3. Consistent with the guidelines established in CM 2(a), employs/contracts with an adequate number of case management personnel to provide services to the consumers of the program; and [4]
4. The organization identifies those circumstances that trigger a review and possible change in its case load guidelines. [4]

Question:Does URAC specify what a case manager case load should be?
Response:URAC does not specify what a case manager case load should be; however, in standard CM 2, a new element was added whereby an organization identifies those circumstances that trigger a review and possible change in its case load guidelines. Caseloads are dynamic and books of business change; therefore, caseload guidelines should be reviewed periodically.    

Individuals who directly supervise case management practices: [‑‑]

1. Meet the qualifications for case manager as defined in CM 4; [M] and
2. If they have directly supervised the case management process for at least three (3) years with the organization, hold a certification in case management from the URAC‑approved list of certifications. [4]

Question:Does URAC require that case manager supervisors be certified in case management?
Response:Yes, if the applicant organization want to achieve full points for standard CM 6 “Case Manager Supervisor Qualifications,” then all supervisors must be certified in case management if they have directly supervised the case management process for at least three (3) years with the applicant organization.   

For each consumer during the initial or subsequent assessments, the case manager assesses and documents: [‑‑]

1. Current health status; [3]
2. Clinical history, including medications; [3]
3. Treatment plan; [3]
4. Medication safety, including medication knowledge, adherence and the need for medication reconciliation; [3]
5. Resources required to meet immediate needs for health care; [3]
6. Care coordination needs, including transitions of care; [3]
7. Psychosocial status; and [3]
8. Safety concerns. [3]

Question:Does URAC specify assessment categories for the assessments conducted by the case manager?
Response:Yes, starting in version 4.0, there is a requirement to address particular areas of assessment for each consumer.  Not all categories will necessarily be assessed at the initial or subsequent case management visits.    

Individuals who directly supervise case management practices: [‑‑]

1. Meet the qualifications for case manager as defined in CM 4; [M] and
2. If they have directly supervised the case management process for at least three (3) years with the organization, hold a certification in case management from the URAC‑approved list of certifications. [4]

Question:Does URAC require that case manager supervisors be certified in case management?
Response:Yes, if the applicant organization want to achieve full points for standard CM 6 “Case Manager Supervisor Qualifications,” then all supervisors must be certified in case management if they have directly supervised the case management process for at least three (3) years with the applicant organization.   

The organization establishes, implements, and educates case management personnel, no less than annually, on policies and procedures supporting the ethical framework for case management practice including:

1. Advocacy for consumer needs;
2. Guidance for professional relationships with consumers;
3. Prohibition of relationships that could compromise professional objectivity;
4. Resolution of conflicts of interest between the case manager, consumer, third party payer, provider or other entity;
5. Business, financial, and marketing practices;
6. Resolution of perceived lapses in quality of care resulting from actions by consumers, payers, case managers, providers, organizations or other entities affecting the case management process;
7. Policies that address case managers’ handling of consumer needs when such needs extend beyond the scope of the organization’s services;
8. Prohibition of discrimination against a consumer or group of consumers by the case manager or organization; and
9. Information on how policies regarding the ethical framework will be shared with staff, contractors, clients, and consumers.

Question: I am inquiring if URAC has a point of view or process guideline related to telephonic case managers who also perform formal state utilization review as part of their work in workers compensation cases. I know, for example, from a regulatory perspective case managers cannot do UR on their cases in Massachusetts, but was wondering what the professional/accreditation perspective was if there is not otherwise prohibited by the state.
Response: Pursuant to the URAC Guide “Interpretive Information/Commentary” for standard CM 12, if the Case Manager is involved in benefits determinations, safeguards should be put in place to assure that the role of advocacy is not compromised. Examples include conducting interviews and case file review.  Most organizations conduct an annual review of the organization’s ethical framework for case management practice (along with review of confidentiality policies).  This annual review, which must address all sub-elements in the standard, is documented in each case manager’s file or an attendance sheet is kept to document the review.

The organization establishes and implements a policy regarding consumers’ consent for participation in case management activities that:

1. Requires documentation of oral consent;
2. Requires at minimum an attempt to obtain written consent;
3. Indicates the time frame in which the consent(s) must be obtained; and
4. Indicates the duration of validity of the consent(s).

Question: We currently obtain oral consent from individuals we are case managing. This oral consent is documented in our system.  In order to comply with standard CM 16, do we also need to make an attempt to obtain written consent? If so, does URAC have an example of a consent form?
Response: Yes, you must also make an attempt to obtain written consent pursuant to CM 16(b).  Most organizations are meeting this standard by sending out a consent form for case management with an introductory packet. The organization must establish written guidelines for obtaining consent and may allow that consent is not obtained in every case.  If the organization allows exceptions from consent requirements, it should be prepared to justify those exceptions for quality of care, legal, or other valid reasons on a case-specific basis.  It is expected that this consent is obtained from the consumer (patient), but may be from a family member in extenuating circumstances, (e.g., patient is unconscious, a minor, or determined not legally competent).

Question:What is necessary to have in place for a CM re-accreditation survey in 2010 (CM version 4.0) as evidence for having systems in place to collect CM performance measure data?
Response: In order to demonstrate compliance with the standard, the organization should assign at least one person the responsibility for collecting, analyzing and reporting the measures.  The person’s job description should address this responsibility.  The organization should also have in place a written data collection plan that identifies the performance measures including the populations and departments or programs addressed, what data is collected, what constitutes the numerator and denominator, the method(s) of calculation,  and the analysis and reporting methodologies. During the onsite review, URAC reviewers will verify that the organization’s data collection plan to address the measurement standards has commenced.

Question: We are seeking accreditation under the URAC standards for the first time.  When the Reviewer visits our offices to conduct the onsite review, what can we expect as it pertains to the date range for selecting files for review?
Response: For organizations that are seeking initial accreditation in any given module, URAC expects the organization to have been in compliance with the standards since at least the date that the application was submitted.  Therefore, the file pull date range would be from the date of the onsite visit back to the date the application was submitted to URAC.

Disease management practices for each clinical condition are based on scientific evidence and includes input from clinical content expert(s) one of which must include a provider in the specialty area, that:

1. Is reviewed annually and updated as needed;
2. Review applicability of clinical practice guidelines to the specific program design;
3. References publicly available clinical practice guidelines and evidence-based reports that can be accessed by or provided to participating providers; and
4. Is the basis for establishing the disease management program's objectives for evaluation, clinical quality improvement, consumer education, and outcomes measurement and reporting.
5. If the program guidelines are modified, a content expert with expertise in the relevant clinical condition(s) must review the guidelines.

Question: Our URAC Workgroup would like a clarification of Disease Management Standard 2 Evidence-Based Practice. In the Scope of Standards section for DM 2 it states "…the applicant must be able to document compliance with this standard for every disease state for which it markets a ‘disease management program.’  The applicant may exclude disease states from the application if compliance cannot be demonstrated.”  Does this mean that only disease states listed on the application may be included in marketing materials?

Response: Standard DM 2 applies to all disease states included within the scope of the accreditation, which may or may not include all of those that your organization offers to the public.  An applicant may choose not to include every disease state program that it currently offers to the public (i.e., includes in its marketing materials).  Note that organizations cannot use the DM accreditation seal to market a disease state that is not within the scope of their accreditation.

The disease management program defines the allowable scope of activities for licensed or certified clinical staff and non-licensed or non-certified non-clinical staff in carrying out its disease management activities that:

1. Is consistent with standards of practice for licensed personnel;
2. If applicable, allows non-clinical staff to conduct intake, non-clinical data collection, and scripted clinical data collection using appropriate documented instructions and scripts;
3. Prohibits non-clinical staff from conducting evaluation or interpretation of individual clinical data; and
4. Provides for supervision of non-clinical staff in the disease management program by licensed or certified staff.

Question: Can a Disease Management program use certified health educators instead of registered nurses (RNs) in their counseling models?
Also, can non-clinical staff collect clinical information and complete general assessments?
Response: Scope of practice for any staff member must be consistent with state professional licensure regulations, certification standards of practice, and federal law. Telephonic programs that interact with callers from various states should determine whether or not additional state licensures are required for the clinical staff. Companies must define the scope of services for clinical and non-clinical staff, as well as the oversight process for staff. Companies that use staff with specialized training should develop criteria for use of these staff members. Specialized training may include board certification, or other certifications of training in health services delivery or health education, for example, nutritionists, certified diabetes educators, physical therapists, or child health specialists. Scope of practice for any staff member must be consistent with state professional licensure regulations, certification standards of practice, and federal law.
Per standard DM 6(b), non-clinical staff may only collect clinical data via “…scripted clinical data collection using appropriate documented instructions and scripts.”  Non-clinical staff may not conduct assessments pursuant to standard DM 6(c), where non-clinical staff is prohibited from conducting evaluation or interpretation of individual clinical data.  Non-clinical staff may not conduct general, free-form assessments and deviations from the script are not allowed.

The disease management program develops or adopts an outcomes measurement methodology for measuring condition specific and overall program performance using valid techniques that address:

1. Sources of data that will be used to calculate the measurements;
2. The baseline measurement period and time frame for analysis;
3. The formula by which the measurement is calculated;
4. Adjustments that will be made in calculating measures and reporting data; and
5. Frequency of reporting, which must be at least annual.

Question: What are the specifications for URAC's DM performance reporting on outcomes measures?
Response: URAC is not prescriptive as to the specific fields or format for performance reporting; however, the Disease Management Association of America (DMAA) has various publications for measuring outcomes www.dmaa.org.  For each condition, documentation of specific measurement objectives consistent with identified evidence-based guidelines is one of the expected types of information to be included in the reporting.  URAC will verify that the disease management program documents its general methodology for each type of performance measure and documentation for standard DM 8 should address the methodology for measuring performance in clinical, financial, consumer reported and provider performance domains.

The health carrier shall notify the covered person in writing of the covered person’s right to request an External review: [M]

1. At the same time the health carrier sends written notice of an adverse determination; [M]
2. If the commissioner prescribes by regulation the form and content of the notice, then the health carrier shall use that notice; [M]
3. Notification includes the conditions under which the covered person or covered person’s authorized representative may file a request for a: [--]
1. Standard External review; [M]
2. Expedited External review; and [M]
3. External review of experimental or investigational treatment adverse determinations. [M]
4. Descriptions of External review procedures shall include: [--]
1. The address and telephone number of the office of the insurance commissioner or other unit in the office that administers the External review program; [M]
2. Highlighting the provisions in the External review procedures that give the covered person or the covered person’s authorized representative the opportunity to submit additional information; [M]
3. That the covered person will be required to authorize the release of any medical records of the covered person that may be required to be reviewed for the purpose of reaching a decision on the External review. [M]
4. The authorization form used to authorize the health carrier and covered person’s treating health care provider to disclose protected health information (PHI), including medical records, pertinent to the External review; [M]
5. The form used by the covered person to designate an authorized representative; and [M]
6. Any other forms used to process an External review. [M]

Question: If the State in which a company does business requires exhaustion of a health carrier’s internal grievance process before allowing for an external review, is this standard applicable?
Response:Maybe.  If the State requires notice of the availability of an external review prior to a health carrier’s final adverse determination, then this standard is applicable even if the State also requires exhaustion of a health carrier’s internal grievance process before allowing an external review to occur. 

The health carrier has implemented written policies and/or documented procedures for gathering the following information to determine if a request for External review meets reviewability requirements as follows: [‑‑]

1. The individual is or was a covered person in the health benefit plan at the time the health care service was requested or, in the case of a retrospective review, was a covered person in the health benefit plan at the time the health care service was provided; [M]
2. The covered person is covered by the health benefits plan as of the request for External review that is under consideration; [M]
3. The covered person has exhausted the health carrier’s internal grievance process unless the covered person is not required to exhaust the health carrier’s internal grievance process; [M]
4. The covered person has provided all the information and forms required to process an External review, including the release form provided under standard UER 2(d)(ii); and [M]
5. The recommended or requested health care service or treatment that is the subject of the adverse determination or final adverse determination: [‑‑]
   
   1. Is not explicitly listed as an excluded benefit under the covered person’s health benefit plan with the health carrier; and [M]
   2. Is a covered benefit under the covered person’s health benefit plan except for the health carrier’s determination that the service or treatment is not covered because: [M]
      

1. It does not meet the health carrier’s requirements for medical necessity, appropriateness, health care setting, level of care or effectiveness; or [‑‑]
2. It is experimental or investigational for a particular medical condition. [‑‑]
   

Question: Health carrier’s typically forwards related case information to the independent review organization (IRO); what is the purpose of this standard?
Response:It is the intent of this standard for a health carrier to conduct a preliminary review of a request for External review to determine if the request is (1) complete and (2) eligible for External review.

The health carrier has implemented written policies and/or documented procedures for the expedited review process requiring that: [‑‑]

1. Upon receipt of the notice from the commissioner of the name of the independent review organization assigned to conduct the expedited External review, the health carrier or its designee utilization review organization shall provide or transmit all necessary documents and information considered in making the adverse determination or final adverse determination to the assigned independent review organization electronically or by telephone or facsimile or any other available expeditious method; and [M]
2. Upon receipt of written notice of the independent review organization’s decision reversing the adverse determination or final adverse determination, the health carrier immediately shall approve coverage of the recommended or requested health care service or treatment that was the subject of the adverse determination or final adverse determination. [M]
   

Question: How fast does the health carrier have to forward information to the independent review organization (IRO)?
Response:The word “immediate” is a defined term as follows: Performed with little or no delay.  When applied to a notification process for expedited review, then the most expeditious method of transmittal is used (e.g., electronically, by telephone, facsimile, etc.)

The health carrier has implemented written policies and/or documented procedures indicating that the health carrier meets External review reporting requirements such that it: [‑‑]

1. Maintains written records in the aggregate, by State and for each type of health benefit plan offered by the health carrier on all requests for External review that the health carrier receives notice of from the commissioner; [M]
2. Shall submit to the commissioner, upon request, a report that shall include in the aggregate, by State, and by type of health benefit plan: [‑‑]
1. The total number of requests for External review; [M]
2. From the total number of requests for External review reported under (b)(i) of this standard, the number of requests determined eligible for a full External review; and [M]
3. Any other information the commissioner may request or require; and [M]
3. The health carrier shall retain the written records required pursuant to this subsection for at least three (3) years. [M]

Question: What type of report is required by this standard and does it allow for variation among different States’ requirements?
Response:The report indicated by the standard is an aggregate report, generated by State for each type of health benefit plan offered by the health carrier.  The commissioner of a given State may specify the format for the aggregate reports that the health carrier must send into the State, which must include at least the data points identified in the standard.