Ober|Kaler

Increased Exchange of PHI for ACO Participants; Beneficiaries Retain HIPAA Privacy Rights

April 6, 2011

By: James B. Wieland and Sarah E. Swank

This is part of Ober|Kaler's comprehensive overview of federal agencies' implementation of the Accountable Care Act's ACO and Shared Savings Program provisions:

Recently issued regulations and other notices for comments have given health care providers guidance on how to organize and operate accountable care organizations (ACOs) in order to be eligible to receive payments under Medicare’s Shared Savings Program. The Affordable Care Act (ACA), signed into law in March 2010, included incentives for the creation of ACOs. Congress established the ACO Shared Savings Program in the ACA to promote accountability of providers to patient populations and to coordinate services under Medicare as well as to encourage providers to make investments in infrastructure and to design care processes for high-quality, efficient service delivery. Almost a year later, on March 31, 2011, several federal agencies (CMS, OIG, DOJ, FTC and IRS) jointly announced the release of proposed rulemaking and guidance regarding the ACO program. The proposed rule and related guidance are expected to remove the existing legal impediments in the areas of fraud and abuse, antitrust, tax and privacy to allow for the development of ACOs, and provide guidance on such issues as eligibility to participate, governance, legal structure, quality and privacy.

As mandated in 2009 under the Health Information and Technology for Economic and Clinical Health (HITECH) Act, CMS has established measurements and incentives for the meaningful use of electronic health records (EHR) that would allow for the sharing of information and reporting of data. Under the Shared Savings Program, which expects that providers will have the information they need to provide care to patients, EHRs will play a critical role in the collection and reporting of data. CMS’s goal is to have patient health information available to providers no matter where or when a patient seeks care. CMS’s proposed rule implementing the Shared Savings Program requires ACOs to have certified EHRs that enable the collection and evaluation of data by the ACO as well as the reporting of quality data to CMS. In addition, CMS foresees ACOs’ need for EHRs to facilitate real-time improvements at the point of care based on this data. The proposed CMS rule also contemplates the use of technology for care coordination, such as telehealth, remote monitoring and electronic transition of health care records.

The ability to obtain and share patient-level information about the Medicare beneficiaries assigned to an ACO is at the heart of the Shared Savings Program. Much of this information will be protected health information (PHI) under the Health Insurance Portability and Accountability Act and accompanying regulations (HIPAA). Depending on its chosen legal structure, an ACO either will be part of a covered entity under HIPAA or will be a business associate of the participating covered entities. In either case, the proposed CMS rule depends heavily on the ability of covered entities, directly or through a business associate, to exchange PHI for certain health care operations purposes. Under the HIPAA privacy rule, covered entities that have or had a relationship with an individual may exchange PHI for health care operations that either consist of quality assessment and improvement activities and population-based activities relating to improving health or reducing health care costs or consist of reviewing the competence or qualifications of health care professionals, as those two activities are defined in the HIPAA privacy rule definition of health care operations.

Receipt of Monthly Claims Data

In addition to aggregated/de-identified data, CMS will provide the ACO with a list of its expected assigned beneficiaries’ names, dates of birth, sex and health insurance claim numbers used in the ACO assignment process. Subject to three specific conditions, an ACO may obtain, on a monthly basis, additional detailed beneficiary identifiable claims data.

  • Certification. The first condition is that the ACO must certify that the requested data (1) is the minimum necessary, (2) relates to patients of the ACO’s covered entities, (3) will be used only for the two specified health care operations purposes and (4) will not be used to reduce, limit or restrict care for specific beneficiaries. Minimum necessary data for this purpose may include, for Medicare Parts A and B data, beneficiary ID, date of birth, gender, date of death, claim ID, the from and through dates of service, provider or supplier ID and the claim payment type and, for Medicare Part D data, beneficiary and prescriber ID, drug service date, drug product service ID, quantity dispensed, days supplied, gross drug cost, brand and generic name, drug strength and whether the drug is on the CMS designated formulary. CMS will exclude from claims data beneficiary information from federally conducted or assisted substance abuse programs, as required by federal law (42 USC 290dd-2).
  • Opt-Out. The second condition is that the ACO gives beneficiaries subject to the claims level data request a “meaningful opportunity” to “opt-out” of having their claims data shared with the ACO. A meaningful opportunity exists if the beneficiary has been seen in the office of a primary care physician participating in the ACO within the current performance year, was informed of how the ACO intends to use beneficiary identifiable claims data to improve the quality and coordinate the care of the beneficiary and the beneficiary did not affirmatively opt-out of the claims data sharing by CMS. The ACO must supply beneficiaries with a form allowing them to opt-out as a part of an office visit with a primary care physician whose services may be used to assign the beneficiary to the ACO. The beneficiary may not opt-out of the provision by CMS of the beneficiary’s name, date of birth, sex and health insurance claim numbers.
  • Data Use Agreements. The third condition is that the ACO must enter into a data use agreement with CMS under which the ACO (1) agrees to comply with the limitations on the use and disclosure of PHI imposed on covered entities by the HIPAA privacy rule as well as “all other applicable privacy and confidentiality requirements”; (2) agrees not to engage in any prohibited use of PHI received from CMS pursuant to the request and (3) acknowledges that if the ACO discloses or misuses the data received pursuant to the request in violation of the data use agreement or any other applicable statutory or regulatory requirement, the ACO will no longer receive the data, may be terminated from the Shared Savings Program, and may be subject to additional sanctions and penalties available under law.

Marketing

HIPAA places a number of limitations on the use of PHI for marketing purposes, and marketing is broadly defined in the privacy rule to include a communication about a product or service that encourages the recipient to purchase or use that product or service. The proposed CMS rule would exempt from the HIPAA privacy rule definition of marketing (1) ACO communications that are customized or limited to a subset of beneficiaries, (2) materials that do not include information about the ACO or providers in the ACO, (3) materials that cover beneficiary-specific billing and claims issues or other specific health-related issues, (4) educational information on specific medical conditions such as flu shot reminders and (5) referrals for Medicare-covered items and services. All marketing materials and activities and changes to them must be approved by CMS before their use.

 
