Overview

Each core program that applies for CARF accreditation must have a written description of its Technology and Information System Plan that is used to support information management and performance improvement activities.

Accreditation Requirement(s)

To conform to these accreditation standards, the organization must show evidence of the following:

• A Written Technology and Information System Plan
• The plan includes information on hardware, software, security, confidentiality, backup policies, assistive technology, disaster recovery preparedness, and virus protection

Implementation Tips

Some Implementation Tips provided, in part, by Robert Johnson at: www.accreditationnow.com.

• Programs that are part of a larger entity may be able to rely on and use technology information provided by the corporation or county.
  
  
• Programs may have most of the required information available in a variety of sources/materials such as policy and procedure manuals and planning documents. These can simply be edited and placed into one document.
  
  
• Programs do not need to be at any level of technology implementation. These standards apply to an organization that may have a complete electronic health record (EHR), a billing and dosing system for those who are totally reliant on manual systems but are thinking of implementing an automated approach to business practices, or somewhere in the middle. The comprehensiveness of the Written Technology and Information System Plan is dependent on the status of automation in the organization.
  
  
• A good place to start is assessing the program’s technology capabilities according to the eight subsections of the standard: hardware, software, security, confidentiality, backup policies, assistive technology, disaster recovery preparedness, and virus protection. From that assessment, the planning document is developed with an eye toward future needs.
  
  
  • Hardware refers to desktops, laptops, servers, routers, switches, modems, printers, personal digital assistants (PDAs), projection devices, etc.
    
    
  • Software may be any software pertaining to e-mail, dosing, billing, payroll, human resources, client assessment and treatment planning, and office productivity.
    
    
  • Security is maintaining the safety of the equipment, inventorying equipment, limiting access to computer equipment on a need to use basis, assessing security risk, complying with the Health Insurance Portability and Accountability Act (HIPAA), using firewalls, and designating a security officer.
    
    
  • Confidentiality is needed for protecting information from those not authorized to see it, protecting protected health information (PHI), managing passwords, encrypting information on servers, and designating a privacy officer.
    
    
  • Backup Policies describe data backup and storage processes.
    
    
  • Assistive Technology refers to technological aids such as phones for the hearing impaired, software that translates different languages, and voice recognition software.
    
    
  • Disaster Recovery Preparedness involves detailing the program’s response to a natural disaster or loss of power that includes staff responsibilities, critical functions, relocation of medication services, and retrieval of data.
    
    
  • Virus Protection is identifying software the program that is used to protect itself from invasive and unwanted computer infections.
    
    
• The sample HIPAA Security Risk Assessment document is not required by CARF. However, this is a tool that programs may find helpful in terms of assessing their organization’s capabilities and then using it to help write the Written Technology and Information System Plan.