The ACO Rules & Privacy

One day before the first of April, HHS published the much anticipated rules defining the creation and operations of Accountable Care Organizations (ACO) spanning 429 pages of business regulation, analysis of various options available, proposed solutions and ways to measure and reward (punish) success (failure) in achieving HHS seemingly incompatible goals of providing better care for less money. I am fairly certain that health policy experts, health care economists and the multitude of industry stakeholders will be dissecting and analyzing the hefty document in great detail in the coming weeks. I started reading the document with an eye towards the ACO implications for HIT, which as expected are many, but something on page 108 made me stop in my tracks. HHS is proposing to share personally identifiable health information (PHI) contained in Medicare claims with ACO providers unless patients “opt-out”.

Beginning on page 108 and through 22 pages of tortured arguments, HHS makes the case for the legality and benefits of providing ACOs with PHI contained in Medicare claims, unless the patient actively withdraws consent for this type of transaction. The argument for the legality of claim data sharing rests on the nebulous HIPAA clause which allows disclosure of PHI for “health care operations” within a web of covered entities and business associates connecting the ACO with Medicare and other providers of health care services for a particular patient. HHS is proposing to make available four types of medical information to participating ACOs:

  1. Aggregated Data, including ACO generated and non-ACO generated data, stratified and analyzed to obtain quality measures, population risk scores and indicative behaviors such as emergency room visits, hospital discharges, prescriptions and physician visits. Although this data is presumably de-identified, in a small ACO with 5000 patients, it shouldn’t be too difficult to attribute this data to particular patients. HHS proposes to provide such data to ACOs on a quarterly basis.
  2. Four Personal Identifiers – name, date of birth, gender and Medicare ID – for all historically ACO-assigned patients included in the aggregate data reports above. To circumvent the Privacy Act which prohibits Federal records systems from disclosing identifiable information without written permission, HHS is invoking the allowed exception for purposes of “routine use”, which requires a notice to this effect to be published in the Federal Register, after which these four identifiers may be released without consent.
  3. Personally Identifiable Claim Data – Here HHS is proposing to provide participating ACOs, upon request, Part A and Part B claim data on a monthly basis. The data elements that will be provided are: “procedure code, diagnosis code, beneficiary ID; date of birth; gender; and, if applicable, date of death; claim ID; the from and thru dates of service; the provider or supplier ID; and the claim payment type”. This data will be provided for patients who have had a visit with a primary care physician participating in an ACO during the performance year. Alcohol and substance abuse records are excluded from disclosure.
  4. Prescription Data – A subset of Part D medications claims data is also proposed to be disclosed similar to Part A and Part B data above. The minimum set includes “beneficiary ID, prescriber ID, drug service date, drug product service ID, and indication if the drug is on the formulary”.

The first two disclosures (aggregated data and the four identifiers) are proposed to occur regardless of patient consent or lack thereof. The ACO rules propose an opt-out mechanism for patients who want to prevent disclosures in items #3 and #4 above, and it seems that the opt-out option is not a legal requirement, instead it is based on a belief system at HHS: “Although we have the legal authority within the limits described previously to share Medicare claims data with ACOs without the consent of the patients, ………. We nevertheless believe that beneficiaries should be notified of, and have meaningful control over who, has access to their personal health information for purposes of the Shared Savings Program”. [Since the Medicare ACO model is intended to be adopted by payers other than CMS, one is left to wonder about the belief systems prevalent at those private organizations.]
The actual opt-out process proposed in the document consists of a conversation with a provider during which “the beneficiary would be given a form stating that they have been informed of their physician’s participation in the ACO and explaining how to opt-out of having their personal data shared. The form could include a phone number and/or email address for beneficiaries to call and request that their data not be shared”. So it’s not as simple as checking a box in your doctor’s office.

For over a year ONC’s Policy Committee has been grappling with privacy issues as evidenced by the tremendous work occurring both in the Privacy & Security Policy group and Privacy & Security Tiger Team. The issue of consumer/patient trust in Health Information Exchange (HIE) and Electronic Health Records (EHR) has been repeatedly recognized as a necessary ingredient to widespread HIT adoption, and much effort has been invested in devising policies and standards to allow consumers control of their medical records in general and sensitive parts of their medical records in particular. The recent report from the President’s Council of Advisers on Science and Technology (PCAST) includes recommendations to allow patients to attach privacy controls to each separate data element in their medical records. An ONC specially appointed workgroup tasked with analyzing the PCAST report has identified privacy as an issue of concern in a possible implementation of the PCAST recommendations.

What is the purpose of all this hard work, all these committees and workgroups, all expert testimonies and public comments, hearings and debates, if CMS, in its capacity as a payer, can assume legal authority to bypass all privacy controls embedded in EHRs and HIEs and disclose medical records information, as reflected in claims data, based solely on what CMS, or any other payer, believes is necessary and proper at a particular time?

23 replies »

  1. I have no problem with designating specific providers who may share my PHI to facilitate my care. This is 2014 and I have been just today notified by a friend of the very existence of ACOs, who for all I know may have made my PHI indiscriminately available to members of their system, whether or not involved in my care! This sneak attack is sadly typical of a situation where we are not considered mature enough to be informed of GMOs in our food. Corporations (now defined as persons) are the new Big Brother. ACOs, with their reliance on cookbook follow the code, so-called evidence based medicine, are part of the grand project of replacing physician integrity and competence with a rigid contact less systems approach.

  2. Sounds like another way for republicons to undermine National Health Care, which we NEED NOW!

  3. This law is a sale of the rights of the citizens. I received this ACO from a company that I would not let my dog be serviced by. They said I have to opt out rather than opt in. This is outright abusive. This for profit hospital system is not my choice and they had no right to assign me to their system. I use doctors from many different hospital systems choosing only the best physicians to provide my services. Who the heck made the choice to allow this abusive for profit hospital to have my records and decide that they would give me less than three weeks notice, and what if the material had been lost in the mail and they had the access to my medical records to share with their business partners which is legal under the HIPPA laws.

  4. Most HIE organizations are considering either opt-in or opt-out at this point, since the standards for implementing more granular privacy protections is still being debated and developed in those committees I mentioned above.

    There are states though, that have explicit policies regarding privacy of certain elements, such as HIV status, so I am not sure how that works. Massachusetts would be an example to look at…

    I hope that abominable proposal doesn’t become law in Nevada.

  5. Check this out:

    Nevada SB 43 (our pending HIE legislation)

    Sec 15(2). A covered entity that makes individually identifiable health information available electronically pursuant to subsection 1 shall allow any person to opt out of having his or her individually identifiable health information disclosed electronically to other covered entities, except:

    (a) As required by the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
    (b) As otherwise required by a state law.
    (c) That a person who is a recipient of Medicaid or insurance pursuant to the Children’s Health Insurance Program may not opt out of having his or her individually identifiable health information disclosed electronically.

    15(2)(c), Second class citizenry.

  6. Another twist. I just learned that both the Maryland and Delaware RHIOs, which are operational, use an opt-out model and neither allows granular privacy (all in or all out). How many other RHIOs have already adopted the same policies?

  7. Thanks. Use it in good health… or should I say in good population health?

  8. This is too good, Mike…..

    Here is a quote from a post I am currently working on and hope to complete midweek:

    “….but is this truly patient-centered (singular) care, or should we add an “s” and refer to a plurality of patients-centered, or population-centered, care?”

  9. Like, say, “population-centered.”

    And of course the constituency for the well-being of “everybody” is typically “nobody”, plus a few public health and economics geeks.

    Or here is a nice term for population based decision making: “Patients-centered” care. Who would even notice that plural “s”?

  10. ‘this is what ONC and HHS is telling folks that they will be able to do.”

    They have to placate the GlennBeckIstanies. EHR calculating your BMI means Michelle Obama is comin’ with her celery sticks.

  11. It would be helpful were you able to quantify the risks. Beyond simply generalized theoretical and anecdotal speculation.

  12. What is pathetic about the Rule and this discussion is that these are medical devices that result in death and injury amidst the hypothesized goodness; and not they are using them as the foundation for all medical care. Gag me!

  13. Vince and Dr. Mathewson,
    This is not about the wisdom, or even the necessity, of sharing data with all providers of care. It is about confusing and largely contradictory messaging flowing out from HHS.

    We have an entire assortment of experts at ONC volunteering time and effort to define how patients can set privacy policies in their EHRs, PHRs or whatever. We have HIEs all over the country, funded by ONC, spending lots of time in committees trying to figure out how to do the same. The PCAST report is recommending that patient should be able to attach privacy policies at a data element level, which is a tall order indeed.

    The idea is that each patient will be able to control what various treating providers have access to. It may very well be a bad idea, but this is what ONC and HHS is telling folks that they will be able to do.
    And the entire HIT community is busy defining standards and again, a lot of money and efforts are being poured into privacy protection solutions.

    The same HHS then turns around and without further ado asserts that payers have the legal right to disclose all patient data in their possession without patient consent. Being a fair and enlightened payer, CMS will allow folks to opt-out, even if legally they don’t have to allow such thing.

    So why should a patient even bother to set those fancy policies in their EHR/PHR?

    Doesn’t this strike you as a major waste of time and money, at the very least?

  14. Margalit, thank you for your usual erudite and detailed analysis of HIT activities. I am not sure I can understand your drift entirely, BUT what is the big whoop? Insurance companies and my pharmacy have been collecting and using this data for years. CVS pharmacy knows more about my use of medications than my primary care doctor and certainly way more than the ER doc who might see me for an unexpected illness. If the ACO makes that data avialble to them that is good. Why be more paranoid about the federal government than about the profit-driven insurance companies.?Incompetency? Conspiracy? Political philosophy?

  15. I can certainly see both sides of the issue, but I’m with Jonathan.

    The disease management sector learned about the dramatic difference between opt-in and opt-out options. If my memory serves me, the expected enrollment rate for opt-out is 95%+, while the enrollment rate for opt-in can be lower than 50%.

    Bottom line, let’s ask what’s in the bests interests of patients.

    Not having patient data will be a deal killer to the ACO’s ability to coordinate care — no data, no point in having an ACO. We’d be back to today’s non-system.

  16. Margalit, that is a good question. I don’t think it is hard to explain how the inconsistency arose, given that those committees sprang from different political and practical circumstances. But, yes, they have to get on the same page and it’s totally understandable how those on the privacy committees will feel like they’ve been wasting their time. I don’t think actively misled, since each track had its own momentum.

  17. Jonathan,
    As I said above, I do understand the ACO’s need for the data. This is not a qualitative statement supporting or condemning either opt-in or opt-out or no opting whatsoever.

    However, if this is how it’s going to be, and CMS is making clear that they do have the legal authority to make it either way, then what is the purpose of the tax payer funded, and publicly advertised, committees and subcommittees and reports and advisory boards all busy setting policies and standards to the contrary?

  18. Well, I for one support CMS. This is an overblown issue by a committed core of privacy zealots. ACOs will not work if data is not shared. People have much lower rates of participation in opt-in programs than opt-out even when the difference is as simple as checking a box (the default becomes the bias normal option and people tend not to mess with it unless they feel strongly about it. Most do not). This is one of the basic results of behavioral choice research. So, going with opt-in is inviting the ACOs to fail.

    This of course is exactly what some people want.

    If you join a true integrated delivery system your PHI is in the system and available to any physician who treats you. Why should it be different with an ACO? It may be shared between multiple systems through a RHIO, but that is a mighty thin reed on which to hang doomsaying and hand-wringing hyperbole.

    People want their docs to have access to all the information relevant to treat them. They do express concerns about sharing health information electronically, especially when primed to have those fears by the survey questions themselves. It’s mostly about whether a person is focused on quality of care or potential abusive use of personal data. I’m really tired of fear mongering.

  19. Thanks, Margalit, for properly amplifying this huge issue. The last statement of the article is a core theme of all HIT / HIE rollout efforts’ limitations in the current non-standardized methodology. Another is the lack of a ONC /CMS nationwide NPI or EPI, leaving it to dominant commercial players to consolidate in the present interim. I have a healthy optimism, however, that these (necessary?) contradictions and inconsistencies can and will be worked out in the comment period and as the system evolves. Regardless, whatever new system that emerges will be hugely better than the non-system we have now.

  20. “The phrase “assigned beneficiaries” appears 78 times”

    And patient-centered appears 28 times. I thought patient consent for disclosure was part of patient-centered.

    I can see how it is more efficient for providers to have all claim data for a patient they are supposed to manage and take financial risk for, and I can see why CMS wants to have a discouraging “opt-out” system, but if that’s what they want to do, just don’t call it patient-centered. I’m sure there are plenty of other more appropriate terms that are applicable.

  21. The phrase “assigned beneficiaries” appears 78 times.

    Pg 158:

    ‘Section 1899(c) of the Act requires that Medicare FFS beneficiaries be assigned to “an ACO based on their utilization of primary care services” furnished by an ACO professional who is a physician, but it does not prescribe the methodology for such assignment, nor criteria on the level of primary care services utilization that should serve as the basis for such assignment. Rather, the statute requires the Secretary to “determine an appropriate method to assign Medicare FFS beneficiaries to an ACO” on the basis of their primary care utilization.”

    Jeez… is it too early to start drinking yet?

    The anti-ObamaCare lines just write themselves.

  22. I’m more interested in what HIT Policy Committee member Dr. Latanya Sweeney (and privacy defender) will have to say than the reflexively hyperventilating Deborah C. Peel.

    Not that I disagree with your “opt in” position.

    With respect to “safety and efficacy” of HIT, from what I’ve read of your comments on this blog, you seem to take the position that HIT is intrinsically unsafe, and I’m not sure people like you would ever be satisfied by any amount of net empirical evidence to the contrary. But, prove me wrong. What would YOU do to improve HIT? Specifically.

    BTW, the public review and comment period is now open for the ONC Strategic Plan, which contains provisions for addressing HIT “usability.” Avail yourself of it. This bus is now moving full speed. Help steer it.

  23. The government has gone too far. First, they should assure the safety and efficacy of the devices.

    The default must be that patients must opt in.

    Dr. Peale will be on this in a flash.

Leave a Reply

Your email address will not be published. Required fields are marked *