April 27, 2011
How ACOs Will Use and Disclose Protected Health Information While Complying with HIPAA
By Dianne J. Bourque
The Centers for Medicare & Medicaid Services (CMS) has
released proposed regulations establishing Accountable Care Organizations
(ACOs) and creating the Medicare Shared Savings Program (the Program).
The Program will permit health care providers and suppliers to form
ACOs and to reward those that lower health care costs for Medicare
fee-for-service beneficiaries, while meeting quality of care performance
standards. The Program will also hold accountable ACOs that fail to
generate savings. CMS will assign beneficiaries to ACOs based on their
utilization of primary care services.
To facilitate beneficiary assignment and to ensure that ACOs
have the baseline data necessary to evaluate and improve care, Medicare is
proposing various uses and disclosures of beneficiary data constituting
protected health information (PHI). This PHI ranges from demographic
information to claims history, and all of it is protected by the privacy
regulations issued under the Health Insurance Portability and
Accountability Act of 1996 (HIPAA). This advisory discusses CMS's proposed
uses and disclosures of PHI in connection with the Program, its rationale
under HIPAA for using PHI, and additional protections proposed by CMS that
exceed HIPAA requirements.
Demographic Information
CMS proposes to use beneficiary name, date of birth, sex, and
health insurance claim number in order to assign beneficiaries to ACOs and
to identify beneficiaries to ACO providers. Beneficiary permission or
authorization for this use of PHI will not be obtained because CMS believes
that the use of this data is permissible as a "health care operation" under
HIPAA.
Under HIPAA, a covered entity, such as the Medicare
fee-for-service program, is permitted to disclose PHI to another covered
entity (such as a provider) without a patient's authorization if both
entities have a relationship with the patient and if the disclosure is for
certain enumerated purposes, including population-based activities relating
to improving health or reducing health costs, protocol development, case
management and care coordination. CMS has determined that the
disclosure of PHI to an ACO is consistent with this purpose. However, CMS
is seeking feedback on whether or how the chosen data points will support
the goals of the Program.
Claims History
CMS proposes making detailed Medicare claims information
available to ACOs, on a monthly basis, to support proactive care
coordination and to help ACOs track performance against defined performance
measures. However, access to claims data will not be unrestricted. CMS
proposes limiting available claims data to those beneficiaries who have
received services from a primary care physician participating in the ACO
during the performance year. Additionally, ACOs requesting claims data will
be required to justify their request and explain how they intend to use the
data to evaluate performance.
Protections Beyond HIPAA Requirements
Although HIPAA's exception for health care operations would
likely permit the use and disclosure of claims data, CMS is proposing that
ACOs enter into "data use agreements" with CMS prior to receiving
identifiable claims data, but not in connection with disclosures of
demographic data used to identify beneficiaries. A data use agreement is an
agreement established under HIPAA between a covered entity and the intended
recipient of a "limited data set," which is a term used under HIPAA to
describe a limited amount of PHI. A data use agreement defines the ways in
which the recipient may use the data and how it must be protected. In this
case, a data use agreement would prohibit the sharing of claims data
outside of the ACO and would further prohibit any use of claims data that
would violate HIPAA. Data use agreement compliance will be a condition of
participation in the Program.
CMS is also proposing that each Medicare beneficiary receive
notice at the point of care that the provider is part of an ACO. The notice
would include the right to opt out of disclosures of PHI in connection with
the Program. ACOs will also be required to provide a form confirming that
the beneficiary has received notice of potential uses and disclosures of
their claims data and a simple process for opting out of information
sharing, such as a phone number or e-mail address.
The proposed regulations related to data use agreements,
beneficiaries' notices, opt-out rights, and documentation of compliance
with notice requirements arguably exceed HIPAA's requirements and have the
potential to create administrative burdens for ACO participants. For
example, ACOs will have to keep track of beneficiaries who have elected to
opt out of claims history disclosures to ensure that they are not included
in ACO care planning efforts. Also, a provider whose patients are assigned
to the provider's ACO will have to distinguish between permissible uses of
PHI in the ordinary course of care and uses of PHI in connection with ACO
activities for beneficiaries who have opted out.
Providers and others who are concerned about these
requirements or about the use of the PHI of Medicare beneficiaries
generally should consider submitting comments to CMS. Mintz Levin is
prepared to assist with analysis of how these requirements may affect the
administration and operation of ACOs and with the preparation of comments.
The deadline for submission of comments is June 6, 2011.