Claims Data Sharing and HIPAA Privacy Compliance: Key Components for ACOs and Other Provider Networks
On November 2, 2011, the Centers for Medicare & Medicaid Services (CMS) issued the long-awaited final regulations for Accountable Care Organizations (ACOs) participating in the Medicare Shared Savings Program (MSSP) under Section 3022 of the Patient Protection and Affordable Care Act (ACA). In the ACO final regulations, CMS adopted several requirements related to CMS sharing Medicare claims data with ACOs in accordance with the requirements of the HIPAA Privacy Rule and other laws affecting the disclosure of health care information. The final ACO regulations and other recent CMS initiatives highlight the importance for providers who participate in an ACO and other similar types of provider networks to be able to share HIPAA-compliant data and utilize electronic health records (EHRs) for meeting certain quality reporting requirements.
HIPAA Compliance for ACOs and ACO Providers
CMS addressed several laws in the proposed and final ACO regulations that affect the ability of CMS to share Medicare claims data with ACOs. For example, Section 1106 of the Social Security Act prohibits the disclosure of information collected under the Social Security Act without a Medicare beneficiary’s consent unless disclosure is otherwise permitted by a specific statute or regulation. CMS relied primarily on the HIPAA Privacy Rule as the legal authority under which CMS is permitted to disclose to ACOs any Medicare claims data that contains individually identifiable health information. Healthcare providers will also need to consider that CMS included several regulatory requirements in the final ACO regulations relating to data sharing that impose limits on the uses and disclosures of Medicare claims data disclosed by CMS to ACOs, and these limits go beyond the requirements and limitations in the HIPAA Privacy Rule itself.
In the final ACO regulations, CMS commented that the Medicare fee-for-service (“FFS”) program, providers and suppliers in ACOs, and an ACO itself may at times be acting as a HIPAA covered entity as a “health plan” or a “healthcare provider” and therefore would be subject to any limitations regarding the disclosure of “protected health information” (PHI) under the HIPAA Privacy Rule. For example, healthcare providers participating in ACOs are HIPAA-covered entities to the extent they are healthcare providers and engage in one or more HIPAA standard transactions. An ACO may also itself be a HIPAA covered entity if the ACO is a healthcare provider and the ACO conducts one of the HIPAA standard transactions. In conducting quality assessment and improvement activities on behalf of ACO providers and suppliers, CMS takes the position that an ACO will also qualify under the HIPAA Privacy Rule as a business associate of the ACO’s providers and suppliers.
Based on the relationship of an ACO and an ACO’s providers and suppliers under the requirements of the HIPAA Privacy Rule, CMS considers the disclosure of any beneficiary identifiable claims data to ACOs, and the use of such data by ACOs, to be a permitted use under the HIPAA Privacy Rule for “health care operations” purposes. A HIPAA covered entity, such as the Medicare FFS program, is permitted to disclose PHI to another HIPAA covered entity, such as an ACO, for the recipient’s healthcare operations purposes if both covered entities have or had a relationship with the individual whose PHI was to be disclosed, the PHI pertains to that relationship, and the recipient will use the PHI for a healthcare operations function. CMS also included in the final ACO regulations a requirement that an ACO certify that any beneficiary identifiable data requested by the ACO from CMS is the minimum necessary data to conduct healthcare operations work that falls within the first or second paragraph of the definition of “health care operations” in the HIPAA Privacy Rule.
CMS also addressed concerns in the final ACO regulations regarding whether the use by an ACO of any beneficiary identifying data elements to identify beneficiaries on the list of historically assigned patients and to contact those beneficiaries would constitute marketing under the HIPAA Privacy Rule. CMS commented that these uses include an ACO providing a description of the ACO’s available services to a beneficiary and contacting beneficiaries for case management and care coordination purposes, and that all of these uses fall within the exceptions to the definition of “marketing” in the HIPAA Privacy Rule.
CMS had previously addressed in the proposed ACO regulations issued last spring how the disclosure of claims data by CMS to ACOs would be affected by other laws, such as the Privacy Act of 1974 and federal law which governs the disclosure of information from records created in connection with federally conducted or assisted substance abuse programs. CMS takes the position that the sharing of beneficiary identifiable information with ACOs is permitted under an exception to the Privacy Act of 1974 as a “routine use” because it would be a disclosure outside of CMS that is compatible with the purpose for which CMS collected the data. The final ACO regulations also provide that CMS will not share any beneficiary identifiable claims data relating to treatment for alcohol and substance abuse.
CMS Data Sharing with ACOs
Under the final ACO regulations, ACOs will be accountable for the quality, cost, and overall care of the Medicare beneficiaries that are assigned to an ACO. Although an ACO should eventually have complete information for the services that the ACO provides to its assigned beneficiaries, CMS commented that ACOs may not have access to information about all of the services that are provided to its assigned beneficiaries outside of the ACO by other non-ACO providers. To enable ACOs to have a complete picture about the care their assigned beneficiaries receive, CMS adopted regulations regarding the sharing of the following types of claims data between CMS and ACOs: (1) aggregated data reports from CMS; (2) limited identifying information about beneficiaries whose information serves as the basis for the aggregate data reports; and (3) certain beneficiary identifiable claims data unless a beneficiary had chosen to decline to share his or her data with the ACO.
Aggregate Data Reports from CMS
CMS will furnish ACOs with aggregate data reports at the start of an ACO’s three-year agreement period to participate in the Medicare Shared Savings Program. These initial reports will be based on data for those beneficiaries historically assigned to an ACO and included in the calculation of an ACO’s benchmark, and will include aggregated metrics on that beneficiary population. Aggregate data reports will also be provided to ACOs with the yearly financial and quarterly performance reports provided by CMS to ACOs. The quarterly aggregate data reports will be based on the most recent 12 months of data for beneficiaries potentially assigned to an ACO.
CMS acknowledged in the final ACO regulations that aggregate data may not be provided in “real time” because of the delay between when a service is performed and when a claim is processed, as well as the time it takes to prepare claims-level data into an aggregate-level data set for the aggregate data reports. CMS also commented that aggregate data reports will not be provided to an ACO until after CMS has received and approved an ACO’s application, and the ACO has signed a participation agreement and a Data Use Agreement (DUA) with CMS.
Identification of Historically Assigned Beneficiaries
An ACO may request CMS to provide the ACO with a list of four data identifiers consisting of beneficiary names, dates of birth, sex and health insurance claim number (HICN) regarding preliminarily prospectively assigned beneficiaries whose data was used to generate the aggregate data reports provided by CMS to an ACO. An ACO may request these four data identifiers from CMS at the beginning of an ACO’s three-year agreement period, quarterly, and the beginning of each performance year. CMS will also provide ACOs with listings of preliminarily prospectively assigned beneficiary names, dates of birth, sex and HICNs that were used to generate each quarterly aggregate data report.
An ACO must certify that the ACO is requesting these four data identifiers as either a HIPAA-covered entity or a business associate of its ACO providers and suppliers, and that the ACO’s request to CMS reflects the minimum data necessary for the ACO to conduct healthcare operations work within the first or second paragraph of the definition of healthcare operations in the HIPAA Privacy Rule. For example, an ACO would request the four identifiers as a HIPAA-covered entity when the ACO would use the data for its own healthcare operations. If an ACO performs work on behalf of its ACO providers and suppliers (e.g., conducting quality assessment and improvement activities), the ACO would request the four identifiers as the business associate of its ACO providers and suppliers. CMS considers these four data points the minimum data necessary for ACOs to begin the process of developing care plans in an effort to provide better care for individuals and better health for each ACO’s assigned beneficiary population.
Sharing Beneficiary Identifiable Data With ACOs
An ACO may also request beneficiary identifiable claims data on a monthly basis for the purposes of evaluating the performance of its ACO providers and suppliers, conducting quality assessment and improvement activities, and conducting population-based activities relating to improved health. CMS had previously proposed to limit the available claims data to beneficiaries who received a primary care service from a primary care physician participating in the ACO, and who had been given the opportunity to decline to have their claims data shared with the ACO. In the Final Rule, however, CMS includes a process under which an ACO may request beneficiary identifiable claims data for beneficiaries preliminarily prospectively assigned to the ACO, i.e., those who are likely to be assigned to the ACO in the future.
As a condition for an ACO to receive any requested beneficiary identifiable data, an ACO must submit a formal data request to CMS in which the ACO explains how it intends to use the data to evaluate the performance of ACO providers and suppliers, conduct quality assessment and improvement activities, and conduct population-based activities to improve health of its assigned beneficiary population. An ACO must certify that it is requesting claims data about either its own patients as a HIPAA-covered entity or the patients of its HIPAA-covered entity ACO providers and suppliers, and that the request is for the minimum data necessary for the ACO to conduct its own healthcare operations work that falls within the definition of healthcare operations in the HIPAA Privacy Rule. This same certification requirement must be met by ACOs when requesting the four data identifiers of the beneficiaries whose claims data was used to generate the aggregate data reports that will be provided to ACOs.
CMS clarified that the list of minimum necessary Part A, Part B and Part D data elements in the final ACO regulations are provided by CMS as examples of the types of data elements that might constitute the minimum data necessary to permit an ACO to evaluate the performance of an ACO’s providers and suppliers and conduct quality assessment and improvement activities. An ACO may request additional data elements, however, if an ACO can demonstrate to CMS how the additional requested information would be necessary to perform the functions and activities of the ACO such that the additional data would be the minimum necessary data for the ACO’s purposes.
An ACO must also enter into a data use agreement (DUA) with CMS prior to the receipt of any beneficiary-identifiable claims data. Under the terms of the DUA, an ACO will be prohibited from sharing the Medicare claims data provided by CMS to the ACO with anyone outside of the ACO. The terms of a DUA will also require ACOs to agree not to use or disclose the claims data obtained pursuant to the DUA in any manner in which a HIPAA-covered entity could not use or disclose the data without violating the HIPAA Privacy Rule. If an ACO misuses or discloses data in a manner that violates any applicable statutory or regulatory requirements or is in non-compliance with the terms of the DUA, the ACO will not be able to receive any more data from CMS and the ACO may be terminated from participation in the Medicare Shared Savings Program.
The final ACO regulations require ACOs to notify beneficiaries in writing that the ACO may request their Medicare claims data from CMS for purposes of care coordination and quality improvement work, and the beneficiary must have the opportunity to decline to have his or her claims information shared with the ACO. An ACO is required to provide all beneficiaries with a written notice as part of their first primary care service office visit explaining their opportunity to decline data sharing with the ACO.
ACOs may also contact the Medicare beneficiaries that appear on a list of individuals being prospectively assigned to a given ACO for the purpose of notifying the patient of the provider’s participation in an ACO, and to ask whether or not the patient wishes to “opt out” of data sharing with respect to his or her identifiable data. If the beneficiary does not opt out within 30 days, the ACO will be able to request that beneficiary’s identifiable data from CMS. An ACO must still provide these beneficiaries with a form at their first primary care office visit with an ACO provider during the ACO’s agreement period explaining the beneficiary’s opportunity to decline data sharing.
In the data sharing provisions of the final ACO regulations, CMS focused on the sharing of data between CMS and ACOs, and CMS did not address the ACOs’ sharing of data internally or among an ACO’s providers and suppliers. ACOs, as with any type of provider network, will still need to identify and analyze federal and state laws that may affect an ACO’s internal data sharing. CMS had received several comments to the proposed ACO regulations requesting CMS to address privacy and security concerns with ACOs sharing data internally, and also the suppression of inappropriate data flowing to other sources (e.g., adolescent/minor data to a parent/guardian, beneficiary data to an ex-spouse, etc.). In response, CMS commented that ACOs will be subject to the HIPAA Privacy and Security Rules when an ACO receives data as either a HIPAA-covered entity or as a business associate of a HIPAA covered entity. In other words, an ACO must determine its own compliance requirements under the HIPAA Privacy and Security regulations. There is also some sentiment that CMS will address in future rulemaking the sharing of data internally by ACOs and their network providers.
Clay Countryman is a partner with Breazeale, Sachse & Wilson, L.L.P.