Accountable Care Organization Data Sharing

Health Law Alert

This Hinshaw Health Law Alert describing ACO data sharing rules is the third in a series of advisories regarding accountable care organizations (ACOs).

To facilitate Medicare beneficiary assignments and to ensure that ACOs have the baseline data required to evaluate and measure improvements in care, the ACO regulations propose various uses and disclosures of Medicare beneficiary data that is considered “protected health information” (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). Depending on its business structure, an ACO will be either part of a covered entity, or a business associate of the participating covered entities.

Health Care Operations

The proposed ACO regulations rely heavily on the ability of participating covered entities to exchange PHI for health care operation purposes. Under the HIPAA Privacy Rule, covered entities may share PHI for health care operations, where: (1) both covered entities have or had a relationship with the subject of the PHI to be disclosed; (2) the PHI is related to the relationship between the covered entities and beneficiary; and (3) the covered entity recipient of the data will use the PHI for health care operations. Health care operations include:

• conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines or protocols, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies
• population-based activities relating to improving public health or reducing health care costs
• case management and care coordination
• contacting of health care providers or patients with information about treatment alternatives;
• reviewing the competence or qualifications of health care professionals
• evaluating practitioner and provider performance;
• evaluating health plan performance;
• conducting training programs for students, trainees, or practitioners (health or nonhealth);
• accreditation, certification, licensing or credentialing activities;
• underwriting, premium rating and other activities relating to health insurance contracting;
• conducting or arranging for medical review, legal services, auditing functions or other compliance programs;
• business planning and development, cost-management and planning-related analyses;
• development or improvement of methods of payment or coverage policies;
• business management and general administrative activities of the entity;
• business activities relating to compliance with HIPAA;
• customer service, including the provision of data analyses for policyholders, plan sponsors or other customers (provided that protected health information is not disclosed);
• resolution of internal grievances;
• the sale, transfer, merger or consolidation of all or part of the covered entity to or with another covered entity or an entity that will become a covered entity as a result of the transaction, as well as the due diligence activities in connection with such transaction; and
• consistent with applicable HIPAA requirements, creating de-identified health information or fundraising for the benefit of the covered entity, and activities meeting the exceptions to the marketing rules.

Aggregate Data Sharing

CMS proposes to provide ACOs with aggregate data reports that would include, when available, aggregated metrics on the assigned beneficiary population, and beneficiary utilization data at the start of the agreement period based on historical data used to calculate the benchmark. The Centers for Medicare & Medicaid Services (CMS) further proposes to include such data in conjunction with the yearly financial and quality performance reports. Additionally, CMS proposes to provide quarterly aggregate data reports to ACOs based upon the most recent 12 months of data from potentially assigned beneficiaries.

Demographic Information

CMS proposes to make certain beneficiary-identifiable information available to an ACO at the beginning of the first performance year of the Shared Savings Program, and on an annual basis during the term of the ACO agreement with CMS. Specifically, CMS proposes to provide to each ACO the name, date of birth (DOB), sex, and Health Insurance Claim Number (HICN) of beneficiaries who would have historically been assigned to that ACO. Beneficiary consent or authorization for use of the demographic information (which is protected health information) will not be required as CMS has concluded that the use of such data is permissible as a “health care operation” under HIPAA. At the beginning of the agreement period, at the request of the ACO, CMS proposes to provide the ACO with a list of beneficiary names, date of birth, sex, and HICN derived from the assignment algorithm used to generate the three-year benchmark.

Claims History Data

CMS proposes to permit ACOs to obtain certain beneficiary-identifiable claims data on a monthly basis, in the form of a standardized data set, about the beneficiaries currently being served by the ACO participants and ACO providers/suppliers. CMS proposes to limit the beneficiaries covered by such data sets to those who have received a service from a primary care physician participating in the ACO during the performance year and who have not opted out of having CMS share their claims data with the ACO. ACOs would be required to use the claims history data to evaluate the performance of ACO participants, suppliers and providers; conduct quality assessment and improvement activities; and conduct population-based activities to improve the health of the assigned-beneficiary population. CMS proposes to limit the content of this data set to the minimum data necessary for the ACO to effectively coordinate care of its patient population.

Data Use Agreement. When an ACO is accepted to participate in the Shared Savings Program, CMS proposes to require ACOs to enter into a Data Use Agreement (DUA) prior to receipt of any beneficiary-identifiable claims data. Under the DUA, the ACO would be prohibited from sharing the Medicare claims data that CMS provides through the Shared Savings Program with anyone outside the ACO. In addition, CMS proposes to require in the DUA that the ACO agree not to use or disclose the claims data obtained under the DUA in a manner in which a HIPAA-covered entity could not without violating the HIPAA Privacy Rule. CMS proposes to make compliance with the DUA a condition of the ACO’s participation in the Shared Savings Program—noncompliance with this requirement would result in the ACO no longer being eligible to receive data, and could lead to termination from the Shared Savings Program or additional sanctions and penalties available under the law.

Legal Authority to Disclose Beneficiary-Identifiable Claims Data to ACOs. In order to receive data, ACOs would be required to attest in either their initial application or in their subsequent formal request for data if they failed to request data in the application stage, either that: (1) they are a covered entity or a business associate of covered-entity ACO participants and ACO suppliers/providers under the Shared Savings Program, (2) their business associate agreement with these ACO participants and ACO providers/suppliers authorizes them to seek PHI on behalf of the ACO participants and ACO providers/suppliers for one of the health care operations purposes laid out previously, (3) their request reflects the minimum data necessary to do that health care operations work, and (4) their use of this requested data would be limited to the Shared Savings Program activities related to one or more of the health care operations purposes laid out previously; or (1) they are a HIPAA-covered entity; (2) they are requesting the claims data about their own patients for one of the health care operations purposes laid out previously; (3) their request reflects the minimum data necessary to do that health care operations work; and (4) their use of these requested data would be limited to the Shared Savings Program activities related to one or more of the health care operations purposes laid out previously. CMS proposes to provide ACOs with the minimum Part D data necessary to permit the ACO to undertake evaluation of the performance of ACO participants and ACO providers/suppliers, conduct quality assessment and improvement activities with and on behalf of the ACO participants and ACO providers/suppliers, and conduct population-based activities relating to improved health for Medicare beneficiaries who have a primary care visit with a primary care physician used to assign patients to the ACO during a performance year.

Beneficiary Opportunity to Opt Out of Claims-Data Sharing. Notwithstanding the legal authority under HIPAA to share data for health care operations purposes, CMS proposes to require that the ACO inform beneficiaries of the ACO’s ability to request claims data about them if they do not object, and to advise the beneficiaries of their ability to opt out of sharing their protected health information with the ACO. The proposed rules indicated that beneficiaries must have a “meaningful opportunity” to opt out. In order to be “meaningful,” CMS indicates that the opportunity to make the choice about whether the beneficiary’s detailed information may be shared must: (1) allow the individual advance notice and time to make a decision; (2) be accompanied by adequate information about the benefits and risks of making the data available for the ACO’s proposed uses; (3) not compel consent; and (4) not use the beneficiary’s choice to permit his or her information to be shared for discriminatory purposes. In order to comply with the “meaningful opportunity” to opt out requirement, CMS proposes that the beneficiary would be given a form stating that they have been informed of their physician’s participation in the ACO, and explain how to opt out of having their personal data shared. If the beneficiary objects and opts out of claims-data sharing, the ACO must honor the request, but the opt-out applies only to claims data sharing, and would not affect the sharing of demographic information and aggregate data-sharing for calculating ACO benchmarks, costs, expenditures or quality performance.

Conclusion

The beneficiary opt-out right and the requirement for ACOs to enter into data use agreements with CMS will provide Medicare beneficiaries who enroll in ACOs with greater privacy law protections than that currently afforded by HIPAA. ACOs will need to be formed with the understanding that privacy and confidentiality obligations will exceed the general HIPAA requirements. It will be important to structure data flow into and outside of the ACO, and between ACO participants, providers and suppliers, to ensure that compliance with the enhanced privacy and confidentiality obligations may be achieved. ACO participants, providers and suppliers will need to update their privacy and security policies, procedures and practices to incorporate the additional requirements set forth in the ACO regulations.

Upcoming issues of the Hinshaw Health Law Alert will discuss the Shared Savings Programs and proposed waiver provisions.

For more information, please contact Michael A. Dowell or your regular Hinshaw attorney.

This alert has been prepared by Hinshaw & Culbertson LLP to provide information on recent legal developments of interest to our readers. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship.