The Joint Commission, which is a non-profit organization that publishes standards for healthcare organizations and runs  an accreditation program, is updating some of their standards for 2009, including some which impact information security.

The Joint Commission, previously known as JCAHO, is updating some of the standards and elements of performance relating to information management, privacy, and security. Many healthcare organizations seem to pay more attention to the Joint Commission standards than they do to HIPAA, because have JCAHO accreditation is very important to the organization's business performance. JCAHO accreditation is an independent measure of healthcare quality of performance, across many areas of their business (information management being one). Liability insurers look to JCAHO accreditation as a measure of quality and risk, so this tends to be a big deal.

Joint Commission information management standar
ds which are changing include:
IM 02.01.03, EP 5, which now reads "The hospital protects against unauthorized access, use, and disclosure of health information". The previous language just said "The organization implements the policy".

IM 02.01.03, EP 8, which now reads "The hospital monitors compliance with its policies on the security and integrity of health information".

The language is obviously not overly prescriptive in terms of how healthcare organizations are supposed to achieve these standards. One assumption is that the organizations will turn first to the HIPAA Security and Privacy Rules for guidance. Maybe they will also look at ISO27002 for more specific controls relating to information security.

These and the other changes to the JCAHO information management (security and privacy) standards are important because healthcare organizations now have the Joint Commission accreditation process at risk if they fail to adequately implement their information security program.

Jim