Increased Exchange of PHI for ACO Participants; Beneficiaries Retain HIPAA Privacy Rights
April 6, 2011
This is part of Ober|Kaler's comprehensive overview of federal agencies' implementation of the Accountable Care Act's ACO and Shared Savings Program provisions:
Recently issued regulations and other notices for comments have given health care providers guidance on how to organize and operate accountable care organizations (ACOs) in order to be eligible to receive payments under Medicare’s Shared Savings Program. The Affordable Care Act (ACA), signed into law in March 2010, included incentives for the creation of ACOs. Congress established the ACO Shared Savings Program in the ACA to promote accountability of providers to patient populations and to coordinate services under Medicare as well as to encourage providers to make investments in infrastructure and to design care processes for high-quality, efficient service delivery. Almost a year later on March 31, 2011, several federal agencies (CMS, OIG, DOJ, FTC and IRS) jointly announced the release of proposed rule making and guidance regarding the ACO program. The proposed rule and related guidance is expected to remove the existing legal impediments in the areas of fraud and abuse, antitrust, tax and privacy to allow for the development of ACOs, and provide guidance on such issues as eligibility to participate, governance, legal structure, quality and privacy.
As mandated in 2009 under the Health Information and Technology for Economic and Clinical Health (HITECH) Act, CMS has established measurements and incentives for the meaningful use of electronic health records (EHR) that would allow for the sharing of information and reporting of data. Under the Shared Savings Program, which expects that providers will have the information they need to provide care to patients, EHRs will play a critical role in the collection and reporting of data. CMS’s goal is to have patient health information available to providers no matter where or when a patient seeks care. CMS’s proposed rule implementing the Shared Savings Program requires ACOs to have certified EHRs that enable the collection and evaluation of data by the ACO as well as the reporting quality data to the CMS. In addition, CMS foresees ACOs need for EHRs to facility real-time improvements at the point of care based off of this data. The proposed CMS rule also contemplates the use of technology for care coordination, such as telehealth, remote monitoring and electronic transition of health care records.
The ability to obtain and share patient-level information about the Medicare beneficiaries assigned to an ACO is at the heart of the Shared Savings Program. Much of this information will be protected health information (PHI) under the Health Insurance Portability and Accountability Act and accompanying regulations (HIPAA). Depending on its chosen legal structure, an ACO either will be part of a covered entity under HIPAA or will be a business associate of the participating covered entities. In either case, the proposed CMS rule depends heavily on the ability of covered entities, directly or through a business associate, to exchange PHI for certain health care operations purposes. Under the HIPAA privacy rule, covered entities who have or had a relationship with an individual may exchange PHI for health care operations that either consist of quality assessment and improvement activities and population-based activities relating to improving health or reducing health care costs or consist of reviewing the competence or qualifications of health care professionals, as those two activities are defined the HIPAA privacy rule definition of health care operations.
Receipt of Monthly Claims Data
In addition to aggregated/de-identified data, CMS will provide the ACO with a list of its expected assigned beneficiaries’ names, dates of birth, sex and health insurance claim numbers used in the ACO assignment process. Subject to three specific conditions, an ACO may obtain, on a monthly basis, additional detailed beneficiary identifiable claims data.
HIPAA places a number of limitations on the use of PHI for marketing purposes and marketing is broadly defined in the privacy rule to include a communication about a product or service that encourages the recipient to purchase or use that product or service. The proposed CMS rule would exempt from the HIPAA privacy rule definition of marketing (1) ACO communications that are customized or limited to a subset of beneficiaries, (2) materials that do not include information about the ACO or providers in the ACO, (3) materials that cover beneficiary-specific billing and claims issues or other specific health-related issues, (4) educational information on specific medical conditions such as flu shot reminders and (5) referrals for Medicare-covered items and services. All marketing materials and activities and changes to them must be approved by CMS before their use.
© 2013 Ober|Kaler All Rights Reserved.