Firm’s Accreditation Revoked Amid Data Privacy Concerns

Written By Christopher A. Parrella, J.D., CHC, CPC, CPCO


A behavioral health consulting firm lost its accreditation as an independent review organization after it was determined the firm failed to maintain required data integrity and security practices.

At a time when healthcare data breaches are at an all-time high, having consumer data privacy protection protocols in place has become an increasingly important aspect of the accreditation process. This most recent accreditation revocation makes it clear that companies without such protections in place face the prospect of losing that accreditation.

The case involved BHM Healthcare Solutions, Inc., a behavioral health consulting firm based in Tampa, Fla., that provides medical review services to health insurance plans, healthcare systems, and related administrators and management organizations.

BHM first became accredited by URAC Inc., a Washington, D.C.-based nonprofit accreditor of healthcare companies’ standards, in 2012. In August 2017, URAC advised BHM that it had learned of “concerns about the quality of services, edits of clinical determinations on reviews completed by peer reviewers.”

Following an investigation that included interviews with BHM employees, including its then-medical director for behavioral health, URAC determined that BHM was non-compliant with several core requirements, including:

  • Failing to file its annual report for incorporation in Florida.
  • Failing to provide a system demonstration, policy, or procedure showing that reviewer decisions were not being changed.
  • Failing to conduct a quality check and, where a review does not meet the organization’s quality standards, to document each issue and its outcome.

BHM disputed each of the findings and sought to stop URAC from revoking its accreditation through a preliminary injunction in U.S. District Court. In its court filing, BHM argued that URAC applied its review standards arbitrarily and capriciously, violated BHM’s common law due process rights, and breached the implied covenant of good faith and fair dealing.

BHM claimed that URAC’s findings all derived from a misunderstanding of BHM’s systems and terminology, which would have been avoided had URAC, when reviewing data integrity issues, interviewed the Chief Information Officer or conducted an exit conference instead of interviewing clinical specialists and an outgoing medical director.

In a July 20 ruling, U.S. District Judge Trevor McFadden denied BHM’s request for an injunction, noting that URAC “followed its written procedures” to review accreditation “throughout this process, involving: receiving a grievance, conducting a preliminary investigation, starting a for cause review, conducting a site visit, making a determination, and considering and resolving an appeal.” He went on to determine there was “no evidence of bias against BHM at any point throughout the proceedings.”

Although the details of this case are specific to the parties involved, it should serve as a warning to all companies seeking or holding accreditation that data security concerns are becoming increasingly important and should be subject to rigorous standards.
