One day before the first of April, HHS published the much anticipated rules defining the creation and operations of Accountable Care Organizations (ACO), spanning 429 pages of business regulation, analysis of the various options available, proposed solutions and ways to measure and reward (punish) success (failure) in achieving HHS's seemingly incompatible goals of providing better care for less money. I am fairly certain that health policy experts, health care economists and the multitude of industry stakeholders will be dissecting and analyzing the hefty document in great detail in the coming weeks. I started reading the document with an eye towards the ACO implications for HIT, which as expected are many, but something on page 108 made me stop in my tracks. HHS is proposing to share personally identifiable health information (PHI) contained in Medicare claims with ACO providers unless patients “opt-out”.

Beginning on page 108 and through 22 pages of tortured arguments, HHS makes the case for the legality and benefits of providing ACOs with PHI contained in Medicare claims, unless the patient actively withdraws consent for this type of transaction. The argument for the legality of claim data sharing rests on the nebulous HIPAA clause which allows disclosure of PHI for “health care operations” within a web of covered entities and business associates connecting the ACO with Medicare and other providers of health care services for a particular patient. HHS is proposing to make available four types of medical information to participating ACOs:

  1. Aggregated Data, including ACO generated and non-ACO generated data, stratified and analyzed to obtain quality measures, population risk scores and indicative behaviors such as emergency room visits, hospital discharges, prescriptions and physician visits. Although this data is presumably de-identified, in a small ACO with 5000 patients, it shouldn’t be too difficult to attribute this data to particular patients. HHS proposes to provide such data to ACOs on a quarterly basis.
  2. Four Personal Identifiers – name, date of birth, gender and Medicare ID – for all historically ACO-assigned patients included in the aggregate data reports above. To circumvent the Privacy Act, which prohibits Federal records systems from disclosing identifiable information without written permission, HHS is invoking the allowed exception for purposes of “routine use”, which requires a notice to this effect to be published in the Federal Register, after which these four identifiers may be released without consent.
  3. Personally Identifiable Claim Data – Here HHS is proposing to provide participating ACOs, upon request, Part A and Part B claim data on a monthly basis. The data elements that will be provided are: “procedure code, diagnosis code, beneficiary ID; date of birth; gender; and, if applicable, date of death; claim ID; the from and thru dates of service; the provider or supplier ID; and the claim payment type”. This data will be provided for patients who have had a visit with a primary care physician participating in an ACO during the performance year. Alcohol and substance abuse records are excluded from disclosure.
  4. Prescription Data – A subset of Part D medications claims data is also proposed to be disclosed similar to Part A and Part B data above. The minimum set includes “beneficiary ID, prescriber ID, drug service date, drug product service ID, and indication if the drug is on the formulary”.

The first two disclosures (aggregated data and the four identifiers) are proposed to occur regardless of patient consent or lack thereof. The ACO rules propose an opt-out mechanism for patients who want to prevent the disclosures in items #3 and #4 above, and it seems that the opt-out option is not a legal requirement; instead, it is based on a belief system at HHS: “Although we have the legal authority within the limits described previously to share Medicare claims data with ACOs without the consent of the patients, … We nevertheless believe that beneficiaries should be notified of, and have meaningful control over who, has access to their personal health information for purposes of the Shared Savings Program”. [Since the Medicare ACO model is intended to be adopted by payers other than CMS, one is left to wonder about the belief systems prevalent at those private organizations.]

The actual opt-out process proposed in the document consists of a conversation with a provider during which “the beneficiary would be given a form stating that they have been informed of their physician’s participation in the ACO and explaining how to opt-out of having their personal data shared. The form could include a phone number and/or email address for beneficiaries to call and request that their data not be shared”. So it’s not as simple as checking a box in your doctor’s office.

For over a year ONC’s Policy Committee has been grappling with privacy issues as evidenced by the tremendous work occurring both in the Privacy & Security Policy group and Privacy & Security Tiger Team. The issue of consumer/patient trust in Health Information Exchange (HIE) and Electronic Health Records (EHR) has been repeatedly recognized as a necessary ingredient to widespread HIT adoption, and much effort has been invested in devising policies and standards to allow consumers control of their medical records in general and sensitive parts of their medical records in particular. The recent report from the President’s Council of Advisers on Science and Technology (PCAST) includes recommendations to allow patients to attach privacy controls to each separate data element in their medical records. An ONC specially appointed workgroup tasked with analyzing the PCAST report has identified privacy as an issue of concern in a possible implementation of the PCAST recommendations.

What is the purpose of all this hard work, all these committees and workgroups, all expert testimonies and public comments, hearings and debates, if CMS, in its capacity as a payer, can assume legal authority to bypass all privacy controls embedded in EHRs and HIEs and disclose medical records information, as reflected in claims data, based solely on what CMS, or any other payer, believes is necessary and proper at a particular time?


23 Responses for “The ACO Rules & Privacy”

  1. Janice Reverson, RN says:

    The government has gone too far. First, they should assure the safety and efficacy of the devices.

    The default must be that patients must opt in.

    Dr. Peale will be on this in a flash.

    • BobbyG says:

      I’m more interested in what HIT Policy Committee member Dr. Latanya Sweeney (and privacy defender) will have to say than the reflexively hyperventilating Deborah C. Peel.

      Not that I disagree with your “opt in” position.

      With respect to “safety and efficacy” of HIT, from what I’ve read of your comments on this blog, you seem to take the position that HIT is intrinsically unsafe, and I’m not sure people like you would ever be satisfied by any amount of net empirical evidence to the contrary. But, prove me wrong. What would YOU do to improve HIT? Specifically.

      BTW, the public review and comment period is now open for the ONC Strategic Plan, which contains provisions for addressing HIT “usability.” Avail yourself of it. This bus is now moving full speed. Help steer it.

  2. BobbyG says:

    The phrase “assigned beneficiaries” appears 78 times.

    Pg 158:

    ‘Section 1899(c) of the Act requires that Medicare FFS beneficiaries be assigned to “an ACO based on their utilization of primary care services” furnished by an ACO professional who is a physician, but it does not prescribe the methodology for such assignment, nor criteria on the level of primary care services utilization that should serve as the basis for such assignment. Rather, the statute requires the Secretary to “determine an appropriate method to assign Medicare FFS beneficiaries to an ACO” on the basis of their primary care utilization.”

    Jeez… is it too early to start drinking yet?

    The anti-ObamaCare lines just write themselves.

  3. “The phrase “assigned beneficiaries” appears 78 times”

    And patient-centered appears 28 times. I thought patient consent for disclosure was part of patient-centered.

    I can see how it is more efficient for providers to have all claim data for a patient they are supposed to manage and take financial risk for, and I can see why CMS wants to have a discouraging “opt-out” system, but if that’s what they want to do, just don’t call it patient-centered. I’m sure there are plenty of other more appropriate terms that are applicable.

    • Mike says:

      Like, say, “population-centered.”

      And of course the constituency for the well-being of “everybody” is typically “nobody”, plus a few public health and economics geeks.

      Or here is a nice term for population based decision making: “Patients-centered” care. Who would even notice that plural “s”?

      • This is too good, Mike…..

        Here is a quote from a post I am currently working on and hope to complete midweek:

        “….but is this truly patient-centered (singular) care, or should we add an “s” and refer to a plurality of patients-centered, or population-centered, care?”

  4. J. Stefan Walker, MD says:

    Thanks, Margalit, for properly amplifying this huge issue. The last statement of the article is a core theme of all HIT / HIE rollout efforts’ limitations in the current non-standardized methodology. Another is the lack of a ONC /CMS nationwide NPI or EPI, leaving it to dominant commercial players to consolidate in the present interim. I have a healthy optimism, however, that these (necessary?) contradictions and inconsistencies can and will be worked out in the comment period and as the system evolves. Regardless, whatever new system that emerges will be hugely better than the non-system we have now.

  5. Jonathan says:

    Well, I for one support CMS. This is an overblown issue by a committed core of privacy zealots. ACOs will not work if data is not shared. People have much lower rates of participation in opt-in programs than opt-out even when the difference is as simple as checking a box (the default becomes the bias normal option and people tend not to mess with it unless they feel strongly about it. Most do not). This is one of the basic results of behavioral choice research. So, going with opt-in is inviting the ACOs to fail.

    This of course is exactly what some people want.

    If you join a true integrated delivery system your PHI is in the system and available to any physician who treats you. Why should it be different with an ACO? It may be shared between multiple systems through a RHIO, but that is a mighty thin reed on which to hang doomsaying and hand-wringing hyperbole.

    People want their docs to have access to all the information relevant to treat them. They do express concerns about sharing health information electronically, especially when primed to have those fears by the survey questions themselves. It’s mostly about whether a person is focused on quality of care or potential abusive use of personal data. I’m really tired of fear mongering.

    • Jeff says:

      I have no problem with designating specific providers who may share my PHI to facilitate my care. This is 2014 and I have been just today notified by a friend of the very existence of ACOs, who for all I know may have made my PHI indiscriminately available to members of their system, whether or not involved in my care! This sneak attack is sadly typical of a situation where we are not considered mature enough to be informed of GMOs in our food. Corporations (now defined as persons) are the new Big Brother. ACOs, with their reliance on cookbook follow-the-code, so-called evidence based medicine, are part of the grand project of replacing physician integrity and competence with a rigid contactless systems approach.

  6. Jonathan,
    As I said above, I do understand the ACO’s need for the data. This is not a qualitative statement supporting or condemning either opt-in or opt-out or no opting whatsoever.

    However, if this is how it’s going to be, and CMS is making clear that they do have the legal authority to make it either way, then what is the purpose of the tax payer funded, and publicly advertised, committees and subcommittees and reports and advisory boards all busy setting policies and standards to the contrary?

  7. Jonathan says:

    Margalit, that is a good question. I don’t think it is hard to explain how the inconsistency arose, given that those committees sprang from different political and practical circumstances. But, yes, they have to get on the same page and it’s totally understandable how those on the privacy committees will feel like they’ve been wasting their time. I don’t think actively misled, since each track had its own momentum.

  8. I can certainly see both sides of the issue, but I’m with Jonathan.

    The disease management sector learned about the dramatic difference between opt-in and opt-out options. If my memory serves me, the expected enrollment rate for opt-out is 95%+, while the enrollment rate for opt-in can be lower than 50%.

    Bottom line, let’s ask what’s in the bests interests of patients.

    Not having patient data will be a deal killer to the ACO’s ability to coordinate care — no data, no point in having an ACO. We’d be back to today’s non-system.

  9. Margalit, thank you for your usual erudite and detailed analysis of HIT activities. I am not sure I can understand your drift entirely, BUT what is the big whoop? Insurance companies and my pharmacy have been collecting and using this data for years. CVS pharmacy knows more about my use of medications than my primary care doctor and certainly way more than the ER doc who might see me for an unexpected illness. If the ACO makes that data available to them that is good. Why be more paranoid about the federal government than about the profit-driven insurance companies? Incompetency? Conspiracy? Political philosophy?

  10. Vince and Dr. Mathewson,
    This is not about the wisdom, or even the necessity, of sharing data with all providers of care. It is about confusing and largely contradictory messaging flowing out from HHS.

    We have an entire assortment of experts at ONC volunteering time and effort to define how patients can set privacy policies in their EHRs, PHRs or whatever. We have HIEs all over the country, funded by ONC, spending lots of time in committees trying to figure out how to do the same. The PCAST report is recommending that patient should be able to attach privacy policies at a data element level, which is a tall order indeed.

    The idea is that each patient will be able to control what various treating providers have access to. It may very well be a bad idea, but this is what ONC and HHS is telling folks that they will be able to do.

    And the entire HIT community is busy defining standards and again, a lot of money and efforts are being poured into privacy protection solutions.

    The same HHS then turns around and without further ado asserts that payers have the legal right to disclose all patient data in their possession without patient consent. Being a fair and enlightened payer, CMS will allow folks to opt-out, even if legally they don’t have to allow such thing.

    So why should a patient even bother to set those fancy policies in their EHR/PHR?

    Doesn’t this strike you as a major waste of time and money, at the very least?

    • BobbyG says:

      “this is what ONC and HHS is telling folks that they will be able to do.”

      They have to placate the GlennBeckIstanies. EHR calculating your BMI means Michelle Obama is comin’ with her celery sticks.

  11. propensity says:

    What is pathetic about the Rule and this discussion is that these are medical devices that result in death and injury amidst the hypothesized goodness; and now they are using them as the foundation for all medical care. Gag me!

  12. Jonathan says:

    Another twist. I just learned that both the Maryland and Delaware RHIOs, which are operational, use an opt-out model and neither allows granular privacy (all in or all out). How many other RHIOs have already adopted the same policies?

    • BobbyG says:

      Check this out:

      Nevada SB 43 (our pending HIE legislation)

      Sec 15(2). A covered entity that makes individually identifiable health information available electronically pursuant to subsection 1 shall allow any person to opt out of having his or her individually identifiable health information disclosed electronically to other covered entities, except:

      (a) As required by the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
      (b) As otherwise required by a state law.
      (c) That a person who is a recipient of Medicaid or insurance pursuant to the Children’s Health Insurance Program may not opt out of having his or her individually identifiable health information disclosed electronically.

      15(2)(c), Second class citizenry.

  13. Most HIE organizations are considering either opt-in or opt-out at this point, since the standards for implementing more granular privacy protections is still being debated and developed in those committees I mentioned above.

    There are states though, that have explicit policies regarding privacy of certain elements, such as HIV status, so I am not sure how that works. Massachusetts would be an example to look at…

    I hope that abominable proposal doesn’t become law in Nevada.

  14. Steve Drobnis says:

    This law is a sale of the rights of the citizens. I received this ACO from a company that I would not let my dog be serviced by. They said I have to opt out rather than opt in. This is outright abusive. This for-profit hospital system is not my choice and they had no right to assign me to their system. I use doctors from many different hospital systems, choosing only the best physicians to provide my services. Who the heck made the choice to allow this abusive for-profit hospital to have my records and decide that they would give me less than three weeks notice, and what if the material had been lost in the mail and they had the access to my medical records to share with their business partners, which is legal under the HIPAA laws.

  15. Vincent says:

    Sounds like another way for republicons to undermine National Health Care, which we NEED NOW!

The Health Care Blog (THCB) is based in San Francisco. We were founded in 2003 by Matthew Holt. John Irvine joined a year later and now runs the site.